前几天有个朋友让我帮忙看看一个叫"HookDll.dll"的dll里面的函数该怎么调用.

    他把dll的导出表截图我看了一下:

   

   后来才知道,原来这个hookdll.dll是某游戏浏览器里面的一个文件,而他的主要作用就是用作Flash加速...

   

   看上去貌似挺不错的,如果自己写一个小程序,也可以加速Flash那就好玩了.现在我们就来看看这几个dll怎么调用.需要传什么参数?

   直接IDA

  

   IDA载入进来Imagebase是 0x400000

   StartHook,EndHook,SetSpeed,SoundHook的RVA加上0x400000即他们对应代码的位置了.

   StartHook:

CODE:004124E4                 public StartHook

CODE:004124E4 StartHook       proc near

CODE:004124E4                 push    ebp

CODE:004124E5                 mov     ebp, esp

CODE:004124E7                 call    sub_412434

CODE:004124EC                 call    sub_4121EC

CODE:004124F1                 mov     ds:dword_41488C, eax

CODE:004124F7                 mov     ds:dword_414890, edx

CODE:004124FD                 mov     eax, ds:dword_41488C

CODE:00412503                 mov     ds:dword_414884, eax

CODE:00412509                 mov     eax, ds:dword_414890

CODE:0041250F                 mov     ds:dword_414888, eax

CODE:00412515                 call    sub_412374

CODE:0041251A                 pop     ebp

CODE:0041251B                 retn    4

CODE:0041251B StartHook       endp

通过上面的代码我们可以看出 StartHook的函数定义应该是 void StartHook(void);

继续看EndHook和StartHook类似,定义 void EndHook(void);

SoundHook定义 void SoundHook(void);

SetSpeed:

CODE:00412538                 public SetSpeed

CODE:00412538 SetSpeed        proc near

CODE:00412538

CODE:00412538 arg_0           = dword ptr  8

CODE:00412538 arg_4           = dword ptr  0Ch

CODE:00412538

CODE:00412538                 push    ebp

CODE:00412539                 mov     ebp, esp

CODE:0041253B                 mov     eax, [ebp+arg_0]

CODE:0041253E                 mov     dword ptr ds:dbl_414898, eax

CODE:00412544                 mov     eax, [ebp+arg_4]

CODE:00412547                 mov     dword ptr ds:dbl_414898+4, eax

CODE:0041254D                 pop     ebp

CODE:0041254E                 retn    8

CODE:0041254E SetSpeed        endp

通过上面的代码我们可以看出SetSpeed需要传入两个dword类型的参数,函数定义为 void SetSpeed(dword dw1,dword dw2);

好了,现在我们相当于有了这个Hookdll的基本sdk了,可是SetSpeed这两个dword参数该传什么值呢?

直接OllyDbg附加上了某游戏浏览器,查看一上HookDll被加载的基址,同理加上RVA得到代码的地址,然后F2下个断点,拖动一下加速条,SetSpeed则被断下来了.

这里是加速接近2000%时传入的数值,0xCCCCCCCD,0x4033CCCC.

具体这个数值我们就不研究了,我们来调用看看是否有效果.

C++ code:[仅调用SetSpeed]

typedef void (CALLBACK *lpFnSetSpeed)(DWORD,DWORD);

int _tmain(int argc, _TCHAR* argv[])

{

 HMODULE hMd=::LoadLibraryA("hookdll.dll");

 if(hMd==NULL)

 {

  printf("未找到 hookdll.dll");

  getchar();

  return 0;

 }

 lpFnSetSpeed fnSetSpeed=(lpFnSetSpeed)GetProcAddress(hMd,"SetSpeed");

 (*fnSetSpeed)(100,100);

 printf("调用成功!");

 getchar();

 return 0;

}

上面我们看不到效果,mfc里的网页控件也有用过,但是不熟悉了,还是直接上.net的代码吧

    public class FlashSpeed

    {

        [DllImport("hookdll.dll", EntryPoint = "StartHook", CharSet = CharSet.Ansi)]

        public static extern void StartHook();

        [DllImport("hookdll.dll", EntryPoint = "EndHook", CharSet = CharSet.Ansi)]

        public static extern void EndHook();

        [DllImport("hookdll.dll", EntryPoint = "SoundHook", CharSet = CharSet.Ansi)]

        public static extern void SoundHook();

        [DllImport("hookdll.dll", EntryPoint = "SetSpeed", CharSet = CharSet.Ansi)]

        public static extern void SetSpeed(int arg1, int arg2);

    }

    public partial class Form1 : Form

    {

        public Form1()

        {

            InitializeComponent();

        }

        private void Form1_Load(object sender, EventArgs e)

        {

           //某Flash游戏地址

           this.webBrowser1.Navigate("");

        }

        private void BtnSpeed_Click(object sender, EventArgs e)

        {

            FlashSpeed.StartHook();

            FlashSpeed.SetSpeed(0x43333333, 0x40333333);

            FlashSpeed.EndHook();

        }

    }

Now,现在我们就实现自己的Flash加速器了:)

以上只是娱乐,有兴趣的可以自己尝试一下~ hookdll是别人的东西,请忽商用,后果自负:)