Note: If you read this article, you are interested in our software, please go to our homepage www.vrbrothers.com. Note: In order to save space, this article is directly used by some computer terms without a detailed explanation. If the reader is unfamiliar, it is recommended to refer to Tsinghua University Press, Zhou Mingde's "Microcomputer System Principles and Application" The corresponding chapter on the 8253/8254 timer and X86 protection mode. "Variable speed gear" research is might as I am ignoring, saying that you are not afraid of you, and I have been five days ago, I have been five days ago, I have been heard in February 28, 2001. I have a few students like to play graphic MUD. I have seen "mud" technology together all day. I didn't have much interest in MUD itself, but I happened to listen to them that morning, I said that a MUD site is clearly used. It is strictly forbidden to use "gears", which is curious about what they are "gears". Others tell me, "Gear" is a software that accelerates the game under Windows, they rely on this software for cheating when playing MUD. This is not banned to let me breath, let the Windows game change speed, amazing! I have always been very interested in technology, I have heard that there is such a magical software, of course, I want to think about it. This software does not complicate, I originally thought that it was a good self-study, but I thought of several lessons, I have never collected. It is also ingenious, and our semester has a must-have a couch is a Linux kernel analysis. In the past few days, he just learned the process schedule. The teacher said that when a clock is interrupted, the operating system should do a lot of things, such as retreat if necessary. The scheduling process is to achieve a multi-task, but also update the system clock ... Slow, I am very dedication, if the clock is broken faster, what happens? We have learned the course of "Microcomputer Principles", I know that it is more difficult to make clock breaks, I used to write such a program in the assembly language under DOS, which is our job. But I used to run under Windows, but I can't accelerate the Windows system. It is clear that Windows 9X is compatible with the X86 virtual machine. My program can only change the virtual machine, that is the black The clock interruption of the window. So I tried to move the previous DOS program to the 32-bit environment. It is appropriate to use VC embedding to do this, but add __asm in a VC program framework, and then use the previous assembler to put it in. I am full of hoping monsters, as a result, a "the program implemented illegal operation", my experiment, ended. Later, calm down, think about it, this failure is obvious. Windows acts as a complex 32-bit operating system, if you let you operate hardware, then you can't run a few programs. But how do you bypass the operating system to operate hardware? I first thought of VXD, write a driver, I definitely manipulate hardware, but it is a pity that I will not design a driver. So I thought of the source code of the CIH that I saw. CIH didn't write VXD, but I can operate hardware to burn the BIOS. Chen Yinghao is too great. His procedure is exquisite. I have remembered.
So I imitated his technology, modify the IDT table, create an interrupt door, then an interrupt, enter Ring0, now I can do anything, in the previous DOS program, write a control word in the 8253 timer, and then divide Two new clock interruptions occur frequent frequency, everything goes well! (For detailed technology, please refer to my "Brothers" source code) I see the cursor of the VC editing area crazy flashing; double-click has been invalid, because Windows thinks that I double-click the time interval too long; Windows taskbar right is fast I have already said that I have succeeded. At the time, I thought of the principle of "shifting gear", but when I copied the "gear" from the classmate and studied, I found that Windows clock did not change, and the game speed can be added, that is, said , "Gear" uses different technologies that are different from my procedures, what technology is it? I decided to continue research. I visited the "shifting gear" home page. There is a section "You ask me" on this homepage. Mr. Wang Rong, who is "gear", is conducting technical support. I have tried to find some technical details about "gears", but it is a pity that I didn't find that Mr. Wang Rong just told everyone that this program cannot be written in VB and other problems. It is not easy to see a foreign country. People can not publish source code, in fact, this is also what I want to ask, but Mr. Wang Rong clearly said that this is not banned. I also want to write to the original code, maybe he does not announce to foreigners, and the Chinese may not necessarily. But our "stinky old nine" loves a face, I really can't ask. At this time, it was already 10 o'clock in the evening, I decided to sacrifice Softice, study his procedure with one night. The tools used at the time were Softice, WD32ASM, and VC. Two reference books were the "microcomputer system principle and application" and "Linux operating system kernel analysis" (all our textbooks, huh, huh). At first, a file called hook.dll version of "Variable Speed Gear" 0.2 version has greatly attracted my attention, I doubt that he uses the Windows message hook to speed, the message hook, I am very familiar, but I put the MSDN About hooks The introduction has been seen for a long time, nor did it come and change it and change. At this time, I looked at the "Variable Speed Gear" version 0.1 obtained on Mr. Wang Rong. Only did not have this document in the old version, also That is, I only need to disassemble his main program, so I don't say that I will be dismantled by WD32ASM first, and the code code is more than 5,000, it is not much. I am from the import function of this program. It is used for Timing for Timer, TimegetTime, TimeSetEvent, and see where they are quoted. I found that these functions have appeared, and most In this form: * Reference to: Winmm.TimegetTime, Ord: 0098H: 00401F3E 8B0D64424000 MOV ECX, DWORD PTR [00401F44 8B11 MOV EDX, DWORD PTR [ECX] That is, he did not call these functions. Just get the entry address of the function, saved in ECX, and then gets a function of the function in the EDX according to this entry address, saved in the EDX.
This makes me think of the principle of the Hook API discussed above 9CBS and others. At the time, I also requested a hook API routine. If I want hook, I want TimegetTime, modify the address in ECX or modify EDX. Several heads of the heads are in line, write with assembly language, similar to this code seen above. In order to test the "gear", it is a TimegetTime who wants to hook. I wrote a very simple applet, call TimegetTime, and display a number every second. After acceleration with "gears", it really shows more speed. Follow this TimegetTime function with Softice, the first instruction becomes a jump, which fully illustrates that "gears" really hook these APIs, it is not difficult to guess, he wants to change the return value of the function, that is, in TimegetTime At the end, I also jumped into the "gear" itself, patience and followed, I found it back to the TimegetTime hit, so that when TimeGetTime returned, first returned "Gear" code first ( This thought is indeed very clever), and the return value has jumped back to my app after processing. As for how to deal with this return value, it is simple, changed to the original twice, and the application speed has increased by 2 times. Looking back and then watching the WD32ASM disassembled code, I found that the SGDT command and two SLDT instructions in front of the Hook API, which is the unique directive of the x86 protection mode for obtaining a global descriptor table, further get Partial descriptor table, this code has caused my interest, followed by Softice, take a few steps down, and guess it, roughly sorted out such ideas: 1. Create a memory map, map your code map To 0x80000000 or more, under Win9X, this virtual memory is shared by all processes. 2. First get the address of the local descriptor table, then use this table to modify the privilege level of the code segment. 3. Create a call door with the local descriptor table, and enter RING0 in X86 must be performed by the door. CiH is done with the interrupt door, where the callimeter is completed, and the same intersection is used. 4. Save the first six bytes of several key functions, change to a jump instruction, jump to the code that has been mapped to the high-end. 5. When a function call is invoked, enter its own code, and enter the Ring0 through the call gate, the return value is changed. It was already 5 o'clock in the morning. Since the main thoughts have been mastered, I have not seen this code, and I have to go to class at 8 o'clock and go to sleep. Looking back, I think that Mr. Wang Rong's code is worth the scrutiny: 1. If you want hook API, do you want to change the first instruction of the function? If you only change the entry address of the function, isn't it easy to compile? 2. Even if you want to change the first instruction of the function, be sure to enter RING0? 3. Even if you want to enter Ring0, use the interrupt door not more convenient than using the calling door? Of course, according to Mr. Wang Rong's statement on his homepage, "Variable Speed Gear" 0.1 is he written in 1997 three years ago. At that time, Windows95 had just come out for two years, and there is such a technology that it is difficult, here I am sincere admiration to Mr. Wang Rong's drilling spirit.
