Flash Game Accelerator
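A few days ago a friend asked me to help figure out how to call the functions in a DLL named "HookDll.dll". He sent me a screenshot of the DLL's export table, and I took a look at it.

I later learned that hookdll.dll is a file shipped with a certain game browser, and that its main purpose is Flash acceleration.

That looks rather nice: it would be fun to write a small program of our own that can also speed up Flash. So let's see how these DLL functions are called and what parameters they need.

Straight to IDA. Loaded into IDA, the image base is 0x400000, so adding 0x400000 to the RVAs of StartHook, EndHook, SetSpeed and SoundHook gives the locations of their code.

StartHook:

```
CODE:004124E4                 public StartHook
CODE:004124E4 StartHook       proc near
CODE:004124E4                 push    ebp
CODE:004124E5                 mov     ebp, esp
CODE:004124E7                 call    sub_412434
CODE:004124EC                 call    sub_4121EC
CODE:004124F1                 mov     ds:dword_41488C, eax
CODE:004124F7                 mov     ds:dword_414890, edx
CODE:004124FD                 mov     eax, ds:dword_41488C
CODE:00412503                 mov     ds:dword_414884, eax
CODE:00412509                 mov     eax, ds:dword_414890
CODE:0041250F                 mov     ds:dword_414888, eax
CODE:00412515                 call    sub_412374
CODE:0041251A                 pop     ebp
CODE:0041251B                 retn    4
CODE:0041251B StartHook       endp
```

From the code above we can see that the function definition of StartHook should be void StartHook(void);

EndHook is similar to StartHook, so its definition is void EndHook(void);

The definition of SoundHook is void SoundHook(void);

SetSpeed:

```
CODE:00412538                 public SetSpeed
CODE:00412538 SetSpeed        proc near
CODE:00412538
CODE:00412538 arg_0           = dword ptr  8
CODE:00412538 arg_4           = dword ptr  0Ch
CODE:00412538
CODE:00412538                 push    ebp
CODE:00412539                 mov     ebp, esp
CODE:0041253B                 mov     eax, [ebp+arg_0]
CODE:0041253E                 mov     dword ptr ds:dbl_414898, eax
CODE:00412544                 mov     eax, [ebp+arg_4]
CODE:00412547                 mov     dword ptr ds:dbl_414898+4, eax
CODE:0041254D                 pop     ebp
CODE:0041254E                 retn    8
CODE:0041254E SetSpeed        endp
```

From the code above we can see that SetSpeed takes two parameters of type dword, so the function definition is void SetSpeed(dword dw1,dword dw2);

Good, we now effectively have a basic SDK for this Hookdll. But what values should be passed for the two dword parameters of SetSpeed?

Attach OllyDbg to the game browser, look up the base address at which HookDll was loaded, add the RVA in the same way to get the address of the code, set a breakpoint with F2, then drag the speed slider: execution breaks in SetSpeed.

These are the values passed in when the speed-up is close to 2000%: 0xCCCCCCCD, 0x4033CCCC. We won't study these values in detail; let's call the function and see whether it has any effect.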
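C++ code (calls SetSpeed only):

```cpp
#include <windows.h>
#include <tchar.h>
#include <stdio.h>

// SetSpeed ends with "retn 8", so it is stdcall (CALLBACK) with two DWORDs.
typedef void (CALLBACK *lpFnSetSpeed)(DWORD, DWORD);

int _tmain(int argc, _TCHAR* argv[])
{
    HMODULE hMd = ::LoadLibraryA("hookdll.dll");
    if (hMd == NULL)
    {
        printf("未找到 hookdll.dll");   // "hookdll.dll not found"
        getchar();
        return 0;
    }
    lpFnSetSpeed fnSetSpeed = (lpFnSetSpeed)GetProcAddress(hMd, "SetSpeed");
    if (fnSetSpeed == NULL)
    {
        // Do not call through a null pointer if the export is missing.
        printf("SetSpeed export not found");
        getchar();
        return 0;
    }
    (*fnSetSpeed)(100, 100);
    printf("调用成功!");                // "Call succeeded!"
    getchar();
    return 0;
}
```

We can't see any effect with the code above. I have used the web browser control in MFC before, but I am no longer familiar with it, so let's go straight to .NET code:

```csharp
using System;
using System.Runtime.InteropServices;
using System.Windows.Forms;

// P/Invoke declarations for the four exports of hookdll.dll.
public class FlashSpeed
{
    [DllImport("hookdll.dll", EntryPoint = "StartHook", CharSet = CharSet.Ansi)]
    public static extern void StartHook();

    [DllImport("hookdll.dll", EntryPoint = "EndHook", CharSet = CharSet.Ansi)]
    public static extern void EndHook();

    [DllImport("hookdll.dll", EntryPoint = "SoundHook", CharSet = CharSet.Ansi)]
    public static extern void SoundHook();

    [DllImport("hookdll.dll", EntryPoint = "SetSpeed", CharSet = CharSet.Ansi)]
    public static extern void SetSpeed(int arg1, int arg2);
}

public partial class Form1 : Form
{
    public Form1()
    {
        InitializeComponent();
    }

    private void Form1_Load(object sender, EventArgs e)
    {
        // URL of some Flash game
        this.webBrowser1.Navigate("http://wpnm.91mangrandi.com/flash/mcdt/index.html?agent_id=54286&placeid=26752&type=4&game_id=102&aid=mcdt&rand=1&ref=26752.html&t=0.9260381994779965");
    }

    private void BtnSpeed_Click(object sender, EventArgs e)
    {
        FlashSpeed.StartHook();
        FlashSpeed.SetSpeed(0x43333333, 0x40333333);
        FlashSpeed.EndHook();
    }
}
```

Now we have implemented our own Flash accelerator :)

The above is just for fun; if you are interested, try it yourself.

hookdll belongs to someone else, so please do not use it commercially; you do so at your own risk :)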
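The two DWORDs captured in OllyDbg can be read as one 64-bit value. The following is an added example, not code from the original post or from the hookdll.dll vendor; it assumes, because IDA names the destination `dbl_414898` and SetSpeed stores arg_0 at offset +0 and arg_4 at +4, that the pair is the low and high half of a little-endian IEEE 754 double. The function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Join the two stack arguments the way SetSpeed stores them:
 * arg_0 -> dbl_414898 (low 32 bits), arg_4 -> dbl_414898+4 (high 32 bits).
 * Assumption: those 8 bytes are later read as an IEEE 754 double. */
double dwords_to_double(uint32_t lo, uint32_t hi)
{
    uint64_t bits = ((uint64_t)hi << 32) | lo;
    double d;
    memcpy(&d, &bits, sizeof d);      /* bit copy, no aliasing violation */
    return d;
}

/* Inverse operation, used to check that the decoding round-trips. */
void double_to_dwords(double d, uint32_t *lo, uint32_t *hi)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    *lo = (uint32_t)(bits & 0xFFFFFFFFu);
    *hi = (uint32_t)(bits >> 32);
}

int main(void)
{
    /* Argument pairs that appear in the post. */
    static const struct { const char *where; uint32_t lo, hi; } seen[] = {
        { "OllyDbg capture near 2000%", 0xCCCCCCCDu, 0x4033CCCCu },
        { "C# BtnSpeed_Click",          0x43333333u, 0x40333333u },
        { "C++ test call (100, 100)",   100u,        100u        },
    };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        uint32_t lo, hi;
        double d = dwords_to_double(seen[i].lo, seen[i].hi);
        double_to_dwords(d, &lo, &hi);
        printf("%-28s lo=0x%08X hi=0x%08X -> %.9g (round trip %s)\n",
               seen[i].where, (unsigned)seen[i].lo, (unsigned)seen[i].hi, d,
               (lo == seen[i].lo && hi == seen[i].hi) ? "ok" : "FAILED");
    }
    return 0;
}
```

Under that assumption the captured pair decodes to exactly 19.8, which matches a slider position "close to 2000%", while the (100, 100) pair from the C++ test decodes to a subnormal value close to zero.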