分类
游戏安全

EasyAntiCheat UserMode AntiCheat StackWalker

Dumped by 2020/3/16 apex eac usermode

2020/5/15补充一些信息
数据搜集:搜集线程起始地址 以及目标节名 目标模块信息 以及回溯线程调用
数据筛选:可执行 可读可执行 可读可写可执行 并且不位于easyanticheat反作弊区域的信息
上层

bool __usercall eAc_Callstack_Walker@<al>(_QWORD *a1@<rcx>)
{
  __int64 v1; // r15
  double v2; // st7
  struct_stackwalkBuffer *v3; // rsi
  __int64 thread_id_table_start; // rbx
  int pid; // er14
  __int64 eAc_Snap; // rax
  char gen_success; // al
  unsigned __int64 v8; // rcx
  unsigned int *thread_id_table; // r14
  unsigned int *thread_table_end; // r13
  __int64 thread_handle; // rax
  __int64 v13; // rcx
  __int64 v14; // r9
  char is_success; // r12
  __int64 v16; // rdx
  __int64 v17; // rcx
  char *CurrentEntry; // rdx
  bool v19; // si
  unsigned __int64 v20; // rcx
  __int64 v21; // [rsp+8h] [rbp-100h]
  __int64 thread_startaddress; // [rsp+28h] [rbp-E0h]
  unsigned int *thread_id_table_1; // [rsp+30h] [rbp-D8h]
  unsigned int threadid; // [rsp+38h] [rbp-D0h]
  int v25; // [rsp+3Ch] [rbp-CCh]
  __int64 v26; // [rsp+40h] [rbp-C8h]
  int v27; // [rsp+48h] [rbp-C0h]
  int v28; // [rsp+4Ch] [rbp-BCh]
  __int64 v29; // [rsp+50h] [rbp-B8h]
  __int128 v30; // [rsp+58h] [rbp-B0h]
  __int128 result_info; // [rsp+68h] [rbp-A0h]
  __int64 v32; // [rsp+78h] [rbp-90h]
  __int64 v33; // [rsp+80h] [rbp-88h]
  _QWORD thread_list[2]; // [rsp+88h] [rbp-80h]
  __int64 v35; // [rsp+98h] [rbp-70h]
  _QWORD *v36; // [rsp+A0h] [rbp-68h]
  int thread_basic_info; // [rsp+B0h] [rbp-58h]
  int v38; // [rsp+D8h] [rbp-30h]
  int v39; // [rsp+DCh] [rbp-2Ch]

  v3 = (struct_stackwalkBuffer *)a1;
  v36 = a1;
  init((__int64)a1, (_QWORD *)*a1, (_QWORD *)a1[1]);
  v3->CurrentEntry = (char *)v3->FirstEntry;
  thread_id_table_start = 0i64;
  v33 = 0i64;
  _mm_storeu_si128((__m128i *)thread_list, (__m128i)0i64);
  pid = eAc_vmcall_GetCurrentProcessId();
  eAc_vmcall_CreateToolhelp32Snapshot(4i64, 0i64);// //TH32CS_SNAPTHREAD
  if ( (_DWORD)eAc_Snap == 0xFFF88348 )
  {
    gen_success = 0;
  }
  else
  {
    gen_success = eAc_getGameThreadIdList(pid, thread_list, eAc_Snap);
    thread_id_table_start = thread_list[0];
  }
  if ( !gen_success )
  {
    if ( thread_id_table_start )
    {
      v8 = (v35 - thread_id_table_start) & 0xFFFFFFFFFFFFFFFCui64;
      if ( v8 >= 0x1000 )
      {
        v8 += 39i64;
        thread_id_table_start = *(_QWORD *)(thread_id_table_start - 8);
      }
      if ( thread_id_table_start )
        memset((void *)thread_id_table_start, 0, v8);
      ((void (__fastcall *)(_QWORD, _QWORD, __int64))*(&Eac_Table + 4))(Eac_Table, 0i64, thread_id_table_start);
    }
    return 0;
  }
  thread_id_table = (unsigned int *)thread_id_table_start;
  thread_id_table_1 = (unsigned int *)thread_id_table_start;
  thread_table_end = (unsigned int *)thread_list[1];
  v36 = (_QWORD *)thread_list[1];
  while ( thread_id_table != thread_table_end )
  {
    v25 = 0;
    v26 = 0i64;
    v27 = 0x7FFFFFFF;
    v28 = 0x7FFFFFFF;
    v29 = 0i64;
    _mm_store_si128((__m128i *)&v30, (__m128i)0i64);
    _mm_store_si128((__m128i *)&result_info, (__m128i)0i64);
    v32 = 0i64;
    threadid = *thread_id_table;
    thread_handle = eAc_vmcall_OpenThread_0(0x40i64);
    v2 = v2 * (double)*(signed int *)(thread_id_table_start + 4 * v13 - 8);
    if ( !thread_handle )
      goto LABEL_22;
    thread_startaddress = 0i64;
    if ( !eAc_NtQueryInformationThread_ThreadBasicInformation(thread_handle, (char *)&qword_18[0x12] + (_QWORD)&v21)
      || (is_success = 1,
          !eAc_NtQueryInformationThread_ThreadQuerySetWin32StartAddress(
             v1,
             (__int64 *)((char *)&qword_18[1] + (_QWORD)&v21))) )
    {
      is_success = 0;
    }
    eAc_vmcall_CloseHandle_1(v1);
    if ( is_success )
    {
      *(_DWORD *)((char *)&v21 + (_QWORD)&qword_18[3] + 4) = thread_basic_info;
      v17 = *(__int64 *)((char *)&qword_18[19] + (_QWORD)&v21);
      *(__int64 *)((char *)&qword_18[4] + (_QWORD)&v21) = v17;
      *(_DWORD *)((char *)&qword_18[5] + (_QWORD)&v21) = v38;
      *(_DWORD *)((char *)&v21 + (_QWORD)&qword_18[5] + 4) = v39;
      *(__int64 *)((char *)&qword_18[6] + (_QWORD)&v21) = thread_startaddress;
      if ( v17 )
      {
        *(__int64 *)((char *)&qword_18[7] + (_QWORD)&v21) = *(_QWORD *)(v17 + 8);
        *(__int64 *)((char *)&qword_18[8] + (_QWORD)&v21) = *(_QWORD *)(v17 + 16);
      }
      eAc_stack_Walker(*thread_id_table, v16, (struct_stackwalkBuffer *)((char *)&qword_18[9] + (_QWORD)&v21));
LABEL_22:
      CurrentEntry = v3->CurrentEntry;
      if ( v3->LastEntry == CurrentEntry )
      {
        reallocate_vector_thread_information((unsigned __int64)CurrentEntry, &v3->FirstEntry, (__int64)&threadid, v2);
      }
      else
      {
        memcpy_thread_information(v13, (__int64)CurrentEntry, (__int64)&threadid, v14);
        v3->CurrentEntry += 0x48;
      }
    }
    reset_thread_information_struct(&threadid);
    ++thread_id_table;
    thread_id_table_1 = thread_id_table;
  }
  v19 = (char *)v3->FirstEntry != v3->CurrentEntry;
  if ( thread_id_table_start )
  {
    v20 = (v35 - thread_id_table_start) & 0xFFFFFFFFFFFFFFFCui64;
    if ( v20 >= 0x1000 )
    {
      v20 += 39i64;
      thread_id_table_start = *(_QWORD *)(thread_id_table_start - 8);
    }
    if ( thread_id_table_start )
      memset((void *)thread_id_table_start, 0, v20);
    ((void (__fastcall *)(_QWORD, _QWORD, __int64))*(&Eac_Table + 4))(Eac_Table, 0i64, thread_id_table_start);
  }
  return v19;
}

实际的回溯逻辑

bool __fastcall eAc_stack_Walker(unsigned int thread_id, __int64 nouse, struct_stackwalkBuffer *stackwalkBuffer_1)
{
  struct_stackwalkBuffer *stackwalkBuffer; // rbx
  unsigned int thread_id_1; // edi
  __int64 ThreadHandle; // rax
  __int64 ThreadHandle_1; // rsi
  unsigned __int64 v7; // rdi
  _DWORD *v8; // rax
  __int64 v9; // r9
  __int64 v10; // rax
  __int64 v11; // rcx
  char v12; // t0
  unsigned int v13; // edx
  unsigned __int64 v14; // rdi
  __int64 v15; // rsi
  unsigned int v16; // edx
  unsigned __int64 v17; // rdi
  unsigned __int64 v18; // rdi
  signed int v19; // edx
  unsigned __int64 v20; // rdi
  unsigned int v21; // edx
  char *v22; // rdx
  unsigned int i; // edi
  __int64 functionTableEntry; // rax
  __int64 v25; // r9
  char *result_info; // rdx
  bool result; // al
  __int64 v28; // [rsp+38h] [rbp-590h]
  __int64 modulebase; // [rsp+40h] [rbp-588h]
  __int64 context_rip_1; // [rsp+48h] [rbp-580h]
  __int64 v31; // [rsp+50h] [rbp-578h]
  struct_stackwalkBuffer *stackwalkBuffer_1_1; // [rsp+70h] [rbp-558h]
  __int64 context; // [rsp+80h] [rbp-548h]
  char Context; // [rsp+90h] [rbp-538h]
  int v35; // [rsp+C0h] [rbp-508h]
  __int64 context_rip; // [rsp+168h] [rbp-460h]
  int v37; // [rsp+540h] [rbp-88h]
  int v38; // [rsp+544h] [rbp-84h]
  int v39; // [rsp+548h] [rbp-80h]
  int v40; // [rsp+54Ch] [rbp-7Ch]
  int v41; // [rsp+550h] [rbp-78h]
  __int128 v42; // [rsp+558h] [rbp-70h]
  int v43; // [rsp+568h] [rbp-60h]
  __int16 v44; // [rsp+56Ch] [rbp-5Ch]
  char v45; // [rsp+56Eh] [rbp-5Ah]
  __int128 v46; // [rsp+570h] [rbp-58h]
  char v47; // [rsp+580h] [rbp-48h]

  stackwalkBuffer = stackwalkBuffer_1;
  thread_id_1 = thread_id;
  stackwalkBuffer_1_1 = stackwalkBuffer_1;
  memset(&Context, 0, 0x4D0ui64);
  v35 = 1048577;
  LOBYTE(v31) = 0;
  stackwalkBuffer->CurrentEntry = (char *)stackwalkBuffer->FirstEntry;
  if ( (unsigned int)eAc_vmcall_getCurrentThreadId() == thread_id_1 )// /vmp GetCurrentThreadId
    return 0;
  ThreadHandle = eAc_vmcall_OpenThread(0x48i64, 0i64, thread_id_1);// //vmp call OpenThread
  ThreadHandle_1 = ThreadHandle;
  if ( !ThreadHandle )
    return 0;
  v7 = (unsigned int)eAc_vmcall_GetThreadContext(ThreadHandle, &context);
  v8 = (_DWORD *)eAc_vmcall_CloseHandle(ThreadHandle_1);
  --*(_DWORD *)v7;
  v10 = (unsigned int)(*v8 + (_DWORD)v8);
  *(_BYTE *)(v10 - 117) += v11;
  v12 = *(_BYTE *)(v10 + 4 * v11);
  *(_DWORD *)v10 += v10;
  *(_BYTE *)(v10 - 123) += v11;
  *(_BYTE *)v7 = __ROR1__(*(_BYTE *)v7, -124);
  if ( !LODWORD(eAc_Talbe2[26]) || !eAc_Talbe2[27] )
  {
    v37 = -248590068;
    v38 = -1389132837;
    v39 = -994849557;
    v40 = -271005371;
    v41 = 409220960;
    v13 = -323093467;
    v14 = 0i64;
    do
    {
      v13 = ~(((v13 ^ (v13 << 13)) >> 7) ^ v13 ^ (v13 << 13) ^ ((((v13 ^ (v13 << 13)) >> 7) ^ v13 ^ (v13 << 13)) << 17));
      *(int *)((char *)&v37 + v14) ^= v13;
      v14 += 4i64;
    }
    while ( v14 < 0x14 );
    v15 = eAc_getMod(&v37, 0i64);
    memset(&v37, 0, 0x14ui64);
    if ( v15 )
    {
      if ( !eAc_Talbe2[26] )
      {
        _mm_storeu_si128((__m128i *)&v42, _mm_load_si128((const __m128i *)&qword_D5AC0[234]));
        v43 = 1692400592;
        v44 = -18290;
        v45 = 77;
        v16 = 304514278;
        v17 = 0i64;
        do
        {
          *(_DWORD *)((char *)&v42 + v17) ^= v16;
          v17 += 4i64;
          v16 = __ROR4__(18788 * v16 + 6576056, 2);
        }
        while ( v17 < 0x14 );
        v18 = 20i64;
        do
        {
          *((_BYTE *)&v42 + v18) ^= v16;
          v16 >>= 8;
          ++v18;
        }
        while ( v18 < 0x17 );
        eAc_Talbe2[26] = eAc_get_Exp(v15, &v42, 0i64);
        memset(&v42, 0, 0x17ui64);
      }
      if ( !eAc_Talbe2[27] )
      {
        _mm_storeu_si128((__m128i *)&v46, _mm_load_si128((const __m128i *)&qword_D5AC0[364]));
        v47 = -91;
        v19 = 1195700990;
        v20 = 0i64;
        do
        {
          *(_DWORD *)((char *)&v46 + v20) ^= v19;
          v20 += 4i64;
          v21 = ((v19 ^ (unsigned int)(v19 << 13)) >> 7) ^ v19 ^ (v19 << 13);
          v19 = __ROL4__((v21 << 17) ^ v21, 4);
        }
        while ( v20 < 0x10 );
        v47 ^= v19;
        eAc_Talbe2[27] = eAc_get_Exp(v15, &v46, 0i64);
        memset(&v46, 0, 0x11ui64);
      }
    }
    if ( !eAc_Talbe2[26] || !eAc_Talbe2[27] )
    {
      result = 0;
      memset(&v37, 0, 0x14ui64);
      return result;
    }
    memset(&v37, 0, 0x14ui64);
    v10 = context_rip;
  }
  v28 = v10;
  v22 = stackwalkBuffer->CurrentEntry;
  if ( stackwalkBuffer->LastEntry == v22 )
  {
    allocate_mem(&stackwalkBuffer->FirstEntry, v22, &v28, v9);
  }
  else
  {
    *(_QWORD *)v22 = v10;
    stackwalkBuffer->CurrentEntry += 8;
  }
  for ( i = 0; i < 9; ++i )                     // //try count
  {
    functionTableEntry = ((__int64 (__fastcall *)(__int64, __int64 *, _QWORD))eAc_Talbe2[26])(
                           context_rip,
                           &modulebase,
                           0i64);               // /RtlLookupFunctionEntry
    if ( functionTableEntry )
    {
      ((void (__fastcall *)(_QWORD, __int64, __int64, __int64))eAc_Talbe2[27])(
        0i64,
        modulebase,
        context_rip,
        functionTableEntry);                    // //RtlVirtualUnwind
      if ( !context_rip )
        return (char *)stackwalkBuffer->FirstEntry != stackwalkBuffer->CurrentEntry;
      context_rip_1 = context_rip;
      result_info = stackwalkBuffer->CurrentEntry;
      if ( stackwalkBuffer->LastEntry == result_info )
      {
        allocate_mem(&stackwalkBuffer->FirstEntry, result_info, &context_rip_1, v25);
      }
      else
      {
        *(_QWORD *)result_info = context_rip;
        stackwalkBuffer->CurrentEntry += 8;
      }
    }
  }
  return (char *)stackwalkBuffer->FirstEntry != stackwalkBuffer->CurrentEntry;
}

筛选搜集到的信息

char __fastcall eAc_check_stack_walker_entry(__int64 a1, __int64 a2, __int64 *a3, _QWORD *a4, struct_a5 *a5)
{
  __m128i v5; // xmm0
  __int64 v6; // r12
  __int64 *v7; // r14
  struct_v8 *v8; // rdi
  char success; // si
  _QWORD *v10; // r13
  unsigned __int64 start_address; // rcx
  __int64 v12; // r8
  __int128 v13; // xmm0
  __int128 v14; // xmm1
  __int128 v15; // xmm0
  __int64 v16; // r8
  __int64 v17; // r9
  __int64 v18; // rcx
  __int64 v19; // r8
  __int64 v20; // rdx
  __int64 v21; // rax
  __int64 v22; // r8
  __int64 v23; // r9
  __int64 v24; // r9
  unsigned __int64 *Localentry; // rbx
  unsigned __int64 *CurrentEntry; // rdi
  __int64 v27; // r8
  __int128 v28; // xmm0
  __int128 v29; // xmm1
  __int128 v30; // xmm0
  __int64 v31; // r8
  struct_v34 *v32; // rcx
  __int64 *v33; // rdx
  struct_v34 *v34; // rax
  char v36; // [rsp+18h] [rbp-E8h]
  __int128 v37; // [rsp+30h] [rbp-D0h]
  __int128 v38; // [rsp+50h] [rbp-B0h]
  __int128 v39; // [rsp+60h] [rbp-A0h]
  __int128 mem_protect; // [rsp+80h] [rbp-80h]
  char v41; // [rsp+90h] [rbp-70h]
  __int128 v42; // [rsp+A0h] [rbp-60h]
  char v43; // [rsp+B0h] [rbp-50h]
  __int128 v44; // [rsp+C0h] [rbp-40h]
  __int64 v45; // [rsp+D0h] [rbp-30h]
  __int128 v46; // [rsp+D8h] [rbp-28h]
  __int128 v47; // [rsp+E8h] [rbp-18h]
  __int128 v48; // [rsp+F8h] [rbp-8h]
  char v49; // [rsp+108h] [rbp+8h]
  char v50; // [rsp+128h] [rbp+28h]

  v5 = _mm_load_si128((const __m128i *)&qword_D5A48[3]);
  v6 = a2;
  v7 = a3;
  _mm_store_si128((__m128i *)&v42, v5);
  v8 = (struct_v8 *)a1;
  _mm_store_si128((__m128i *)&v44, v5);
  success = 0;
  v10 = a4;
  memset((char *)&v37, 0, 0x30ui64);
  memset((char *)&v39, 0, 0x70ui64);
  *v10 = 0i64;
  memset(&a5->char0, 0, 0x70ui64);
  if ( sub_C1EB4(v6) || (unsigned int)sub_F03CE() == v8->dword0 )
  {
    success = 0;
    goto LABEL_39;
  }
  start_address = v8->thread_startaddress;
  if ( start_address && eac_get_memory_info(start_address, v6, (__int128 *)((char *)&v38 + 8)) )// //获取线程起始位置的内存属性
  {
    if ( (BYTE4(mem_protect) & 0x10 || BYTE4(mem_protect) & 0x20 || BYTE4(mem_protect) & 0x40)// //check page_Exec page_read_Exec page_readwrite_Exec
      && !in_Eac_or_in_module(eac_inc, v8->thread_startaddress) )//是否是eac内部反作弊的模块
    {
      v13 = *(__int128 *)((char *)&v38 + 8);
      v14 = *(__int128 *)((char *)&v39 + 8);
      success = 1;
      *v10 = v8->thread_startaddress;
      *(_OWORD *)&a5->char0 = v13;
      v15 = mem_protect;
      a5->oword10 = v14;
      a5->oword20 = v15;
      allocate((__int64)&a5[1], (__int64)&v41, v12);
      allocate((__int64)&a5[1].oword20, (__int64)&v43, v16);
      v18 = *v7;
      v19 = *((_QWORD *)&v38 + 1);
      v20 = *v7;
      v21 = *(_QWORD *)(*v7 + 8);
      while ( !*(_BYTE *)(v21 + 25) )
      {
        if ( *(_QWORD *)(v21 + 32) >= *((_QWORD *)&v38 + 1) )
        {
          v18 = v21;
          v21 = *(_QWORD *)v21;
        }
        else
        {
          v21 = *(_QWORD *)(v21 + 16);
        }
      }
      if ( v18 == v20 || *((_QWORD *)&v38 + 1) < *(_QWORD *)(v18 + 32) )
      {
        v18 = *v7;
        v20 = *v7;
      }
      if ( v18 == v20 )
      {
LABEL_18:
        v46 = *(__int128 *)((char *)&v38 + 8);
        v45 = v19;
        v48 = mem_protect;
        v47 = *(__int128 *)((char *)&v39 + 8);
        sub_2A3EC(&v49, (__int64)&v41, v19, v17);
        sub_2A3EC(&v50, (__int64)&v43, v22, v23);
        sub_C4BAC((__int64 **)v7, (__int64)&v36, &v45, v24);
        free((__int64)&v50);
        free((__int64)&v49);
        goto LABEL_39;
      }
    }
  }
  else
  {
    success = 1;
  }
  Localentry = v8->Localentry;
  CurrentEntry = v8->CurrentEntry;
  while ( Localentry != CurrentEntry )          // //这里eac检查每个线程回溯到的地址
  {
    if ( *Localentry
      && eac_get_memory_info(*Localentry, v6, (__int128 *)((char *)&v38 + 8))// //获取retaddress所属内存块的属性
      && (BYTE4(mem_protect) & 0x10 || BYTE4(mem_protect) & 0x20 || BYTE4(mem_protect) & 0x40)// //是否属于可执行位置
      && !in_Eac_or_in_module(eac_inc, *Localentry) )// //是否属于eac内部反作弊 
    {
      v28 = *(__int128 *)((char *)&v38 + 8);
      v29 = *(__int128 *)((char *)&v39 + 8);
      success = 1;
      *v10 = *Localentry;
      *(_OWORD *)&a5->char0 = v28;
      v30 = mem_protect;
      a5->oword10 = v29;
      a5->oword20 = v30;
      allocate((__int64)&a5[1], (__int64)&v41, v27);
      allocate((__int64)&a5[1].oword20, (__int64)&v43, v31);
      v32 = (struct_v34 *)*v7;
      v19 = *((_QWORD *)&v38 + 1);
      v33 = (__int64 *)*v7;
      v34 = *(struct_v34 **)(*v7 + 8);
      while ( !v34->byte19 )
      {
        if ( v34->qword20 >= *((_QWORD *)&v38 + 1) )
        {
          v32 = v34;
          v34 = (struct_v34 *)v34->int640;
        }
        else
        {
          v34 = (struct_v34 *)v34->qword10;
        }
      }
      if ( v32 == (struct_v34 *)v33 || *((_QWORD *)&v38 + 1) < v32->qword20 )
      {
        v32 = (struct_v34 *)*v7;
        v33 = (__int64 *)*v7;
      }
      if ( v32 == (struct_v34 *)v33 )
        goto LABEL_18;
    }
    ++Localentry;
  }
LABEL_39:
  free((__int64)&v43);
  free((__int64)&v41);
  return success;
}

检查是否属于eac反作弊模块

// //检查是否属于eac反作弊模块
char __fastcall in_Eac_or_in_module(__int64 eac_inc, __int64 check_address)
{
  unsigned __int64 v2; // rbx
  char credible; // si
  unsigned __int64 check_address_1; // rbp
  __int64 eac_global_data_1; // r14
  __int64 module_info; // rbx
  __int64 current_entry; // rdi
  __int64 last_entry; // r15
  unsigned __int64 anticheat_base; // rcx
  unsigned __int64 v11; // [rsp+40h] [rbp+8h]

  v11 = v2;
  credible = 0;
  check_address_1 = check_address;
  eac_global_data_1 = eac_inc;
  if ( !check_address )
    return 0;
  module_info = eac_inc + 0x84C0;
  sub_1B98B5();
  current_entry = *(_QWORD *)(module_info + 40);
  for ( last_entry = *(_QWORD *)(module_info + 48); current_entry != last_entry; current_entry += 0x28i64 )// //查找当前地址属于哪个模块区域
  {
    if ( *(_QWORD *)(current_entry + 8)
      && *(_QWORD *)(current_entry + 16)
      && v11 >= *(_QWORD *)current_entry
      && v11 < *(_QWORD *)current_entry + (unsigned __int64)*(unsigned int *)(current_entry + 32) )
    {
      break;
    }
  }
  sub_16AD61(module_info);
  if ( current_entry != last_entry              // //是否属于easyanticheat内部反作弊模块
    || (anticheat_base = *(_QWORD *)(eac_global_data_1 + 0x7488), check_address_1 >= anticheat_base)
    && check_address_1 < *(_QWORD *)(eac_global_data_1 + 0x7490) + anticheat_base )
  {
    credible = 1;
  }
  return credible;
}

**将搜集到的信息 发送到EAC反作弊服务器 位于用于某一个线程


        {
          *(_QWORD *)&data.oword10 = 0i64;
          _mm_storeu_si128((__m128i *)&data, (__m128i)0i64);
          if ( (unsigned __int8)sub_C08FC(j + 5, &data) )
            eAc_anticheat::send_packet(         // //将筛选好的数据发送到EasyAntiCheat反作弊服务器
              eac_inc,
              281i64,
              *(_QWORD *)&data.char0,
              (unsigned int)(*((_DWORD *)&data.char0 + 2) - *(_DWORD *)&data.char0));
          v21 = v3[7];
          if ( v3[8] == v21 )
          {
            sub_99454((__int64 *)v3 + 6, (__int64)v3[7], j + 5);
          }
          else
          {
            *(_OWORD *)v21 = *(_OWORD *)(j + 5);
            *((_OWORD *)v21 + 1) = *(_OWORD *)(j + 7);
            *((_OWORD *)v21 + 2) = *(_OWORD *)(j + 9);
            sub_2A3EC(v21 + 6, (__int64)(j + 11), v19, v20);
            sub_2A3EC(v21 + 10, (__int64)(j + 15), v22, v23);
            v3[7] += 14;
          }
          sub_29A08(&data);
        }
0 0 vote
文章评分

由FAKE

Через тернии к звездам,
через радость и слезы
Мы проложим дорогу

Subscribe
提醒
guest
你的昵称 用于分别你是谁
你的电子邮箱 用于被回复时通知
2 评论
Inline Feedbacks
View all comments
dragd1024
dragd1024
游客
2020年4月15日 上午3:28

如果有VT的话,EAC大部分的检测都是形同虚设。他们加入了VT时间校验之后,暂时还没发现什么很好的对抗他的方法。

话说,StackWalker具体指的是什么意思呢?