前几天有个朋友让我帮忙看看一个叫"HookDll.dll"的dll里面的函数该怎么调用.

他把dll的导出表截图我看了一下:

后来才知道,原来这个hookdll.dll是某游戏浏览器里面的一个文件,而他的主要作用就是用作Flash加速...

看上去貌似挺不错的,如果自己写一个小程序,也可以加速Flash那就好玩了.现在我们就来看看这几个dll怎么调用.需要传什么参数?

直接IDA

IDA载入进来Imagebase是 0x400000

StartHook,EndHook,SetSpeed,SoundHook的RVA加上0x400000即他们对应代码的位置了.

StartHook:

CODE:004124E4                 public StartHook
CODE:004124E4 StartHook       proc near
CODE:004124E4                 push    ebp
CODE:004124E5                 mov     ebp, esp
CODE:004124E7                 call    sub_412434
CODE:004124EC                 call    sub_4121EC
CODE:004124F1                 mov     ds:dword_41488C, eax
CODE:004124F7                 mov     ds:dword_414890, edx
CODE:004124FD                 mov     eax, ds:dword_41488C
CODE:00412503                 mov     ds:dword_414884, eax
CODE:00412509                 mov     eax, ds:dword_414890
CODE:0041250F                 mov     ds:dword_414888, eax
CODE:00412515                 call    sub_412374
CODE:0041251A                 pop     ebp
CODE:0041251B                 retn    4
CODE:0041251B StartHook       endp

通过上面的代码我们可以看出 StartHook的函数定义应该是 void StartHook(void);

继续看EndHook和StartHook类似,定义 void EndHook(void);

SoundHook定义 void SoundHook(void);

SetSpeed:

CODE:00412538                 public SetSpeed
CODE:00412538 SetSpeed        proc near
CODE:00412538
CODE:00412538 arg_0           = dword ptr  8
CODE:00412538 arg_4           = dword ptr  0Ch
CODE:00412538
CODE:00412538                 push    ebp
CODE:00412539                 mov     ebp, esp
CODE:0041253B                 mov     eax, [ebp+arg_0]
CODE:0041253E                 mov     dword ptr ds:dbl_414898, eax
CODE:00412544                 mov     eax, [ebp+arg_4]
CODE:00412547                 mov     dword ptr ds:dbl_414898+4, eax
CODE:0041254D                 pop     ebp
CODE:0041254E                 retn    8
CODE:0041254E SetSpeed        endp

通过上面的代码我们可以看出SetSpeed需要传入两个dword类型的参数,函数定义为 void SetSpeed(dword dw1,dword dw2);

好了,现在我们相当于有了这个Hookdll的基本sdk了,可是SetSpeed这两个dword参数该传什么值呢?

直接OllyDbg附加上了某游戏浏览器,查看一上HookDll被加载的基址,同理加上RVA得到代码的地址,然后F2下个断点,拖动一下加速条,SetSpeed则被断下来了.

这里是加速接近2000%时传入的数值,0xCCCCCCCD,0x4033CCCC.

具体这个数值我们就不研究了,我们来调用看看是否有效果.

C++ code:[仅调用SetSpeed]

typedef void (CALLBACK *lpFnSetSpeed)(DWORD,DWORD);

int _tmain(int argc, _TCHAR* argv[])
{
 HMODULE hMd=::LoadLibraryA("hookdll.dll");
 if(hMd==NULL)
 {
  printf("未找到 hookdll.dll");
  getchar();
  return 0;
 }
 lpFnSetSpeed fnSetSpeed=(lpFnSetSpeed)GetProcAddress(hMd,"SetSpeed");
 (*fnSetSpeed)(100,100);

printf("调用成功!");

getchar();
 return 0;
}

上面我们看不到效果,mfc里的网页控件也有用过,但是不熟悉了,还是直接上.net的代码吧

public class FlashSpeed
    {
        [DllImport("hookdll.dll", EntryPoint = "StartHook", CharSet = CharSet.Ansi)]
        public static extern void StartHook();

[DllImport("hookdll.dll", EntryPoint = "EndHook", CharSet = CharSet.Ansi)]
        public static extern void EndHook();

[DllImport("hookdll.dll", EntryPoint = "SoundHook", CharSet = CharSet.Ansi)]
        public static extern void SoundHook();

[DllImport("hookdll.dll", EntryPoint = "SetSpeed", CharSet = CharSet.Ansi)]
        public static extern void SetSpeed(int arg1, int arg2);
    }
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }
        private void Form1_Load(object sender, EventArgs e)
        {
           //某Flash游戏地址
           this.webBrowser1.Navigate("http://wpnm.91mangrandi.com/flash/mcdt/index.html?agent_id=54286&placeid=26752&type=4&game_id=102&aid=mcdt&rand=1&ref=26752.html&t=0.9260381994779965");
        }
        private void BtnSpeed_Click(object sender, EventArgs e)
        {
            FlashSpeed.StartHook();
            FlashSpeed.SetSpeed(0x43333333, 0x40333333);
            FlashSpeed.EndHook();
        }
    }

Now,现在我们就实现自己的Flash加速器了:)

以上只是娱乐,有兴趣的可以自己尝试一下~ hookdll是别人的东西,请忽商用,后果自负:)