Speed Gear works by patching the API functions GetTickCount and timeGetTime, so that games and programs read a falsified time and run faster or slower as a result. The following analysis uses GetTickCount as the example. The original GetTickCount disassembly:
KERNEL32!GetTickCount
MOV GS, [BFFCAEA18]      ; load GS with the selector of the shared tick-count page
MOV EAX, GS:[00000000]   ; read the tick count (the return value)
SUB EDX, EDX
MOV GS, DX               ; clear GS again
RET
GetTickCount disassembly after Speed Gear has modified it:
KERNEL32!GetTickCount
JMP 840500D9             <- this is the key (840500D9 is not fixed; it depends on where the tool's memory was allocated)
ADD [EAX], AL            ; leftover bytes of the overwritten instructions, decoded as junk
ADD [ECX+00000000], AH
SUB EDX, EDX
MOV GS, DX
RET
So Speed Gear overwrites the start of GetTickCount, and every call a game or program makes to GetTickCount jumps to 840500D9. The code at 840500D9 is as follows:
840500D9: CLI                        ; disable interrupts (the code runs at ring 0, see below)
PUSH EBP
MOV EBP, ESP
PUSH EBX
PUSH ECX
PUSH EDX
PUSH ESI
PUSH EDI
CALL 840500E7                        ; CALL to the next instruction: pushes its own address
840500E7: POP EDI                    ; EDI = 840500E7, so the code is position independent
XOR DI, DI                           ; EDI = 84050000, the start of the allocated block
MOV ESI, EDI
ADD ESI, 00402051                    ; ESI = base + (00402051 - 00401F0B); the constants are
SUB ESI, 00401F0B                    ; addresses inside the tool's own EXE, from which the code was copied
PUSH ESI
CALL EDI                             ; call the routine at the start of the block
CALL 84050101
84050101: POP EDI
XOR DI, DI                           ; EDI = 84050000 again
CALL [EDI+0000FEF0]                  ; indirect call through a pointer saved in the data area
                                     ; (the real GetTickCount, judging by the arithmetic that follows)
CALL 84050110
84050110: SUB EAX, [EDI+0000FF30]    ; EAX = real ticks elapsed since the reference tick count
MUL DWORD PTR [EDI+0000FF30]         ; multiply by the speed factor stored in the data area (64-bit product in EDX:EAX)
MOV EBX, 00100000
DIV EBX                              ; divide by 00100000: the factor is fixed-point with 00100000 = 1.0
ADD EAX, [EDI+0000FE20]              ; add the fake tick count saved at the reference point
PUSH EAX                             ; save the result
MOV EAX, 00402072
SUB EAX, 00401F08                    ; again an offset inside the tool's EXE, relocated to the block
ADD EAX, EDI
PUSH EAX
CALL EDI
POP EAX                              ; EAX = the scaled tick count, the value the caller receives
POP EDI
POP ESI
POP EDX
POP ECX
POP EBX
POP EBP
STI                                  ; re-enable interrupts
RET
The above is the core of Speed Gear's time scaling. (GetTickCount returns its result in EAX, so you can follow EAX through the code to see how the fake value is produced.)
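To make the arithmetic and the patch concrete, here is an added example (not Speed Gear's code, and not from the original article) that models in portable C what the listings above do: the fixed-point scaling of the tick count with the 64-bit MUL/DIV intermediate, the re-basing that has to happen when the speed factor changes, the 5-byte JMP rel32 written over the start of GetTickCount, and the check a program can perform on its own import to notice such a hook. The struct field names, the function names and the address 0xBFF90000 used for GetTickCount are assumptions for illustration; 840500D9 and the divisor 0x100000 are taken from the listing. Nothing here calls the Windows API, so it builds and runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>

/* 1.0 in the hook's fixed-point format: the disassembly does MUL factor, then
   MOV EBX,00100000 / DIV EBX, so a factor of 0x200000 doubles game speed and
   0x080000 halves it. */
#define SPEED_ONE 0x100000u

/* The values the hook keeps in its data area next to the code
   ([EDI+0000FF30], [EDI+0000FE20] in the listing). Field names are ours. */
typedef struct {
    uint32_t base_real;  /* real GetTickCount() value when the speed was last set */
    uint32_t base_fake;  /* value the hook returned at that moment */
    uint32_t factor;     /* speed, in units of SPEED_ONE */
} speed_state;

/* Same arithmetic as SUB EAX,[base]; MUL factor; DIV EBX; ADD EAX,[fake].
   MUL leaves a 64-bit product in EDX:EAX and DIV EBX divides that product,
   hence the uint64_t intermediate. On the CPU a quotient that does not fit
   in EAX raises #DE; C truncates silently, so factors must stay sane. */
uint32_t fake_tick(const speed_state *s, uint32_t real_now)
{
    uint32_t elapsed = real_now - s->base_real;   /* wraps at 2^32 like SUB */
    uint64_t scaled  = (uint64_t)elapsed * s->factor / SPEED_ONE;
    return (uint32_t)scaled + s->base_fake;       /* wraps like ADD */
}

/* Changing the factor must re-base both clocks, otherwise the fake clock
   jumps (possibly backwards) and the game notices. */
void set_speed(speed_state *s, uint32_t real_now, uint32_t new_factor)
{
    s->base_fake = fake_tick(s, real_now);
    s->base_real = real_now;
    s->factor    = new_factor;
}

/* The patch written over the first five bytes of GetTickCount: E9 rel32,
   with rel32 measured from the end of the JMP. The bytes of the overwritten
   MOV instructions that survive after the JMP are what the debugger shows
   as ADD [EAX],AL / ADD [ECX+..],AH in the listing above. */
void build_jmp_patch(uint32_t hook_site, uint32_t target, uint8_t out[5])
{
    uint32_t rel = target - (hook_site + 5);
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);          /* little-endian, as x86 encodes it */
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Self-check a program can run on its own import: if the exported function
   starts with a JMP rel32, return where it leads, else 0. A target outside
   kernel32 is the sign of this kind of hook. */
uint32_t detect_jmp_hook(uint32_t func_addr, const uint8_t *bytes)
{
    if (bytes[0] != 0xE9)
        return 0;
    uint32_t rel = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8)
                 | ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    return func_addr + 5 + rel;
}

int main(void)
{
    /* Constructed scenario: speed set to 2x at real tick 1000, fake tick 1000. */
    speed_state s = { 1000, 1000, 2 * SPEED_ONE };
    printf("real 1500 -> fake %u\n", fake_tick(&s, 1500));
    set_speed(&s, 1500, SPEED_ONE / 2);                       /* now 0.5x */
    printf("real 1900 -> fake %u\n", fake_tick(&s, 1900));

    /* Hypothetical GetTickCount address in kernel32's Win9x range; the
       target 840500D9 is the one from the listing above. */
    uint32_t gtc = 0xBFF90000u, target = 0x840500D9u;
    uint8_t patch[5];
    build_jmp_patch(gtc, target, patch);
    printf("patch: %02X %02X %02X %02X %02X -> %08X\n",
           patch[0], patch[1], patch[2], patch[3], patch[4],
           detect_jmp_hook(gtc, patch));
    return 0;
}
```

The re-basing in set_speed is the part the listing only hints at through the two saved values: if the tool scaled from a single fixed origin, changing the factor mid-game would make the fake clock jump, and a program that compares successive GetTickCount results would see time run backwards. The detection routine is a plain prologue check; a tool that placed its JMP a few bytes into the function, or used a different hook technique, would not be caught by it.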
How Speed Gear installs the hook: first it allocates a block of memory in the shared memory-mapped file area (Win9x/ME; this is why 840500D9 lies in the 80000000-BFFFFFFF range that every process maps), copies the code above from its own executable into that block, and uses a modified descriptor to switch from application level (ring 3) to kernel level (ring 0) (see "Computer Programming Skills & Maintenance", 2000 No. 6, p. 34). It then overwrites the first bytes of GetTickCount so that they jump to the start of the allocated block.
The above is my analysis of Speed Gear. If you have any comments or want to see the detailed original code, please contact me at my email: rwjgpget@sohu.com. I will reply as soon as possible.