分享一份过NGS检测！C++源码+成品DLL供调用

666999 · 发表于 2018-11-13 18:51:06

无论什么游戏只要是NGS检测全部干掉！
以下是C++源码
拿跑跑卡丁车做例子
//需加载进卡丁车,一般在卡丁车登录界面调用【BypassNexonGameSecurity】第一个参数传递BlackCipher的进程ID
//cpp源码 .
#include "stdafx.h"
#include <string>
#include <TlHelp32.h>
#include "VMProtectSDK.h"
using namespace std;
bool __stdcall BypassNexonGameSecurity(ULONG pid/*=g_BlackCipherPID*/) {

VMProtectBegin("BypassNexonGameSecurity");
//if (*(PDWORD)0xF4C127 != 0x2ADDE4BB)
//{
// MyDbgFun("notcrc,exit");
// TerminateProcess(OpenProcess(PROCESS_ALL_ACCESS, NULL, GetCurrentProcessId()), NULL);
// return false;
//}

typedef struct _MODULEINFO {
      LPVOID lpBaseOfDll;
      DWORD  SizeOfImage;
      LPVOID EntryPoint;
} MODULEINFO, *LPMODULEINFO;
typedef BOOL(WINAPI* GetModuleInformation_t)(HANDLE hProcess,
      HMODULE hModule,
      LPMODULEINFO lpmodinfo,
      DWORD  cb);

typedef DWORD(WINAPI* GetMappedFileNameW_t)(HANDLE hProcess,
      LPVOID lpv,
      LPTSTR lpFilename,
      DWORD  nSize);

typedef NTSTATUS(NTAPI *NtQueryInformationThread_)(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass, PVOID ThreadInformation,
      ULONG ThreadInformationLength, PULONG       ReturnLength);

typedef NTSTATUS(NTAPI* NtQueryInformationProcess_t)(HANDLE          ProcessHandle, PROCESSINFOCLASS ProcessInformationClass,
      PVOID          ProcessInformation, ULONG          ProcessInformationLength, PULONG          ReturnLength);
typedef NTSTATUS(NTAPI* NtWriteVirtualMemory_t)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
typedef NTSTATUS(NTAPI* NtReadVirtualMemory_t)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);

static NtReadVirtualMemory_t _NtReadVirtualMemory = reinterpret_cast<NtReadVirtualMemory_t>(GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtReadVirtualMemory"));

static NtWriteVirtualMemory_t _NtWriteVirtualMemory = reinterpret_cast<NtWriteVirtualMemory_t>(GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtWriteVirtualMemory"));

static NtQueryInformationProcess_t _NtQueryInformationProcess = reinterpret_cast<NtQueryInformationProcess_t>(GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationProcess"));

static GetMappedFileNameW_t MyGetMappedFileNameW = reinterpret_cast<GetMappedFileNameW_t>(GetProcAddress(LoadLibrary(TEXT("Psapi.dll")), "GetMappedFileNameW"));

static GetModuleInformation_t MyGetModuleInformation = reinterpret_cast<GetModuleInformation_t>(GetProcAddress(LoadLibrary(TEXT("Psapi.dll")), "GetModuleInformation"));

static NtQueryInformationThread_ MyNtQueryInformationThread = reinterpret_cast<NtQueryInformationThread_>(GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationThread"));

HANDLE hTdSnap, hpss, hTd; LPVOID lpbaseAddress; LONG status;
PVOID startaddr = NULL;
THREADENTRY32 te32 = { 0 };
CONTEXT ctx = { 0 };
BYTE phcode[10] = { 0x68, 0x00, 0x00, 0x00, 0x10,
      0xE9, 0x00, 0x00, 0x00, 0x00 };
WCHAR sz_modulefilepath[MAX_PATH] = { 0 };
memset(&te32, 0, sizeof(te32));
te32.dwSize = sizeof(THREADENTRY32);
FARPROC lpSleep = GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "Sleep");
hpss = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (NULL == hpss) { return false; }
MODULEINFO pModuleInfo = { 0 };
if (!MyGetModuleInformation(hpss, NULL, &pModuleInfo, sizeof(pModuleInfo))) { return false; }
if (!pModuleInfo.EntryPoint) { return false; }
lpbaseAddress = VirtualAllocEx(hpss, NULL, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (NULL == lpbaseAddress) { return false; }
*(DWORD *)((DWORD)&phcode + 6) = (DWORD)lpSleep - (DWORD)lpbaseAddress - 10;
if (_NtWriteVirtualMemory(hpss, lpbaseAddress, (LPVOID)&phcode, sizeof(phcode), NULL)){ return false; }
hTdSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hTdSnap == INVALID_HANDLE_VALUE) { return false; }
BOOL bNext = Thread32First(hTdSnap, &te32);
while (bNext)
{
      if (te32.th32OwnerProcessID == pid)
      {
         hTd = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
         if (NULL == hTd)          {             return false;          }
         else
         {

            status = MyNtQueryInformationThread(hTd,
                  ThreadQuerySetWin32StartAddress,
                  &startaddr, sizeof(startaddr), NULL);
            if (STATUS_SUCCESS != status)
            {
                  CloseHandle(hTd);
                  return false;
            }
            else
            {
                  if (startaddr == pModuleInfo.EntryPoint)
                  {
                     MyGetMappedFileNameW(hpss, startaddr, sz_modulefilepath, MAX_PATH);
                     wstring mfpath(sz_modulefilepath);
                     if (mfpath.find(TEXT("BlackCipher.aes")) != -1)
                     {
                        SuspendThread(hTd);
                        ctx.ContextFlags = CONTEXT_ALL | CONTEXT_CONTROL;
                        GetThreadContext(hTd, &ctx);
                        if (!ctx.Dr1)
                        {
                              ctx.Dr1 = 10086;
                              ctx.Eip = (DWORD)lpbaseAddress;
                              ctx.ContextFlags = CONTEXT_ALL | CONTEXT_CONTROL;
                              SetThreadContext(hTd, &ctx);
                        }
                        ResumeThread(hTd);
                     }
                  }
            }
         }
         CloseHandle(hTd);
      }
      bNext = Thread32Next(hTdSnap, &te32);
}
CloseHandle(hTdSnap);
CloseHandle(hpss);
VMProtectEnd();
return true;
}

调用方法：

//1    BypassNexonGameSecurity             0F1E1280    0

//必须注入游戏后调用此函数

//动态调用,用完即删,不占用DLL模块。也可做内存加载

typedef bool(WINPAI *BypassNGS)(LONG pid);

HANDLE hLib=LoadLibrary(TEXT("bypassngs.dll"));

BypassNGS myfpProc=(BypassNGS)GetProcAddress(hLib,"BypassNexonGameSecurity");

if(!myfpProc(/*BlackCipherPID*/))
{
AfxMessageBox(TEXT("过检测失败"));

}

FreeLibrary(hLib);

1.这里只Sleep了一个入口线程，会卡NGS进程游戏关闭后需自己关
2.成品DLL限制国服可用,其他服全部掉线。想在台服用就自己改。
3.只要操作命名管道的线程存在其他线程都可Sleep无碍

666999 · 发表于 2018-11-13 18:52:18

觉得不错，可以顶下喔，原创作品

新乡科技 · 发表于 2019-1-14 05:39:29

大话检测能做吗

林峰 · 发表于 2019-1-15 16:57:28

觉得不错，可以顶下喔，原创作品

求软件888888 · 发表于 2019-3-22 18:38:05

找你做个东西，加q2455146梦幻SF游戏让游戏里的服务端崩溃会吗？

tymy2014 · 发表于 2019-3-30 22:17:30

找你做个东西，加q2837821179。谢谢了。

wbzloveme · 发表于 2019-4-8 04:55:41

有做NGS多开检测这块吗

魔幻手机 · 发表于 2019-5-15 01:20:24

兄弟。我加你QQ了，请教过ngs检测辅Zhu跑跑卡丁车辅Zhu，兄弟好谢谢你。

夜鬼 · 发表于 2019-5-15 10:06:52

好东西收藏了

shakesaell · 发表于 2019-5-20 17:22:47

看看老帖子了

		自动登录	找回密码
密码			注册

[C#源码] 分享一份过NGS检测！C++源码+成品DLL供调用

评分

点评

点评

点评