diff --git a/03-UnrealEngine/逆向/魔改RenderDoc截帧PC端《鸣潮》.md b/03-UnrealEngine/逆向/魔改RenderDoc截帧PC端《鸣潮》.md new file mode 100644 index 0000000..ae7dea5 --- /dev/null +++ b/03-UnrealEngine/逆向/魔改RenderDoc截帧PC端《鸣潮》.md @@ -0,0 +1,187 @@ +--- +title: 未命名 +date: 2026-03-25 21:43:14 +excerpt: +tags: +rating: ⭐ +--- +![](https://pic4.zhimg.com/v2-c88b1dc29371ae1cfb4a788f6cd5fee3_1440w.jpg) + +## 前言 + +之前写过一些截帧的文章,主要是通过模拟器来绕过加密系统,但是现在想想有可能两个游戏在移动端和PC端上用的Shader不一样,现在想用[RenderDoc](https://zhida.zhihu.com/search?content_id=271977473&content_type=Article&match_order=1&q=RenderDoc&zhida_source=entity)来截取PC环境下两个游戏的Shader + +![](https://pic2.zhimg.com/v2-4a50acd406d90146397cda94ce7eac1f_1440w.jpg) + +## 《鸣潮》是如何检测到RenderDoc的? + +如果你是直接下载的打包好的RenderDoc,那么无论你是否从RenderDoc启动游戏还是是否有任何注入,都会显示启用了黑客工具 + +![](https://pic1.zhimg.com/v2-3e8c32ba0d80dcf93e3e067553f032e8_1440w.jpg) + +此外,《鸣潮》采用了[CrashSight](https://zhida.zhihu.com/search?content_id=271977473&content_type=Article&match_order=1&q=CrashSight&zhida_source=entity) 检测,所以在做的时候不但要修改RenderDoc的特征码,还需要修改注入方式 + +## 前期准备 + +RenderDoc的工具集是[VS2015](https://zhida.zhihu.com/search?content_id=271977473&content_type=Article&match_order=1&q=VS2015&zhida_source=entity)的[v140](https://zhida.zhihu.com/search?content_id=271977473&content_type=Article&match_order=1&q=v140&zhida_source=entity)版本,我用的是VS2022所以需要额外下载v140组件,或者是可以到源码里面手动更新平台工具集 + +[https://github.com/baldurk/renderdoc/tree/v1.xgithub.com/baldurk/renderdoc/tree/v1.x](https://link.zhihu.com/?target=https%3A//github.com/baldurk/renderdoc/tree/v1.x) + +## 一,修改RenderDoc的特征来绕过第一步检测 + +### 核心 DLL — [Replay Marker](https://zhida.zhihu.com/search?content_id=271977473&content_type=Article&match_order=1&q=Replay+Marker&zhida_source=entity) 符号 + + + +|文件路径|行号|修改类型|修改前|修改后| +|---|---|---|---|---| +|renderdoc/api/replay/renderdoc_replay.h|52|函数名修改|renderdoc__replay__marker()|rendertest__replay__marker()| + + + +> _说明:这是最核心的修改。`REPLAY_PROGRAM_MARKER()`_ _宏定义所有 RenderDoc 可执行文件导出的符号,DLL 通过动态查找该符号判断当前是 replay 环境还是目标游戏进程。若 DLL 期望_ _`rendertest__replay__marker`_ _但 EXE 导出的是_ _`renderdoc__replay__marker`,DLL 将误判为游戏进程并注入 GPU 钩子,导致 UI 崩溃。_ + +### 进程创建与注入 — 可执行文件路径硬编码 + + + +|文件路径|行号|修改类型|修改前|修改后| +|---|---|---|---|---| +|renderdoc/os/win32/win32_process.cpp|933|字符串替换|L"\\Win32\\Development\\renderdoccmd.exe"|L"\\Win32\\Development\\rendertestcmd.exe"| +|renderdoc/os/win32/win32_process.cpp|946|字符串替换|L"\\Win32\\Release\\renderdoccmd.exe"|L"\\Win32\\Release\\rendertestcmd.exe"| +|renderdoc/os/win32/win32_process.cpp|961|字符串替换|L"\\x86\\renderdoccmd.exe"|L"\\x86\\rendertestcmd.exe"| +|renderdoc/os/win32/win32_process.cpp|973|字符串替换|L"\\x64\\Development\\renderdoccmd.exe"|L"\\x64\\Development\\rendertestcmd.exe"| +|renderdoc/os/win32/win32_process.cpp|986|字符串替换|L"\\x64\\Release\\renderdoccmd.exe"|L"\\x64\\Release\\rendertestcmd.exe"| +|renderdoc/os/win32/win32_process.cpp|1006|字符串替换|L"\\renderdoccmd.exe"|L"\\rendertestcmd.exe"| + + +## [Shim DLL](https://zhida.zhihu.com/search?content_id=271977473&content_type=Article&match_order=1&q=Shim+DLL&zhida_source=entity) 路径硬编码 + +### Shim DLL 路径硬编码 + + + +|文件路径|行号|修改类型|修改前|修改后| +|---|---|---|---|---| +|renderdoc/os/win32/win32_process.cpp|1783|字符串拼接|"\\renderdocshim64.dll"|"\\rendertestshim64.dll"| +|renderdoc/os/win32/win32_process.cpp|1792|字符串拼接|"\\Win32\\Development\\renderdocshim32.dll"|"\\Win32\\Development\\rendertestshim32.dll"| +|renderdoc/os/win32/win32_process.cpp|1803|字符串拼接|"\\Win32\\Release\\renderdocshim32.dll"|"\\Win32\\Release\\rendertestshim32.dll"| +|renderdoc/os/win32/win32_process.cpp|1811|字符串拼接|"\\x86\\renderdocshim32.dll"|"\\x86\\rendertestshim32.dll"| +|renderdoc/os/win32/win32_process.cpp|1818|字符串拼接|"\\renderdocshim32.dll"| + + + +### [进程白名单](https://zhida.zhihu.com/search?content_id=271977473&content_type=Article&match_order=1&q=%E8%BF%9B%E7%A8%8B%E7%99%BD%E5%90%8D%E5%8D%95&zhida_source=entity) — 避免注入到 RenderTest 自身 + + + +|文件路径|行号|修改类型|修改前|修改后| +|---|---|---|---|---| +|renderdoc/os/win32/sys_win32_hooks.cpp|342|字符串替换|"renderdoccmd.exe" \| app.contains("qrenderdoc.exe")|"rendertestcmd.exe" \| app.contains("qrendertest.exe")| +|renderdoc/os/win32/sys_win32_hooks.cpp|351|字符串替换|"renderdoccmd.exe" \| cmd.contains("qrenderdoc.exe")|"rendertestcmd.exe" \| cmd.contains("qrendertest.exe")| + + + +### 崩溃处理 — 命名内核对象 + + + +|文件路径|行号|修改类型|修改前|修改后| +|---|---|---|---|---| +|renderdoccmd/renderdoccmd_win32.cpp|603|字符串替换|"RENDERDOC_CRASHHANDLE"|"RENDERTEST_CRASHHANDLE"| +|renderdoccmd/renderdoccmd_win32.cpp|818|字符串替换|GetModuleHandleA("renderdoc.dll")|GetModuleHandleA("rendertest.dll")| +|core/crash_handler.h|62|字符串拼接|"RenderDoc\\dumps\\a"|"RenderTest\\dumps\\a"| +|core/crash_handler.h|168|字符串拼接|"RenderDocBreakpadServer%llu"|"RenderTestBreakpadServer%llu"| + + + +### 表格 6:文件路径与注册表 + + + +|文件路径|行号|修改类型|修改前|修改后| +|---|---|---|---|---| +|renderdoc/os/win32/win32_stringio.cpp|289|字符串拼接|"/qrenderdoc.exe"|"/qrendertest.exe"| +|renderdoc/os/win32/win32_stringio.cpp|300|字符串拼接|"/../qrenderdoc.exe"|"/../qrendertest.exe"| +|renderdoc/os/win32/win32_stringio.cpp|316|注册表路径|L"RenderDoc.RDCCapture.1\\DefaultIcon"|L"RenderTest.RDCCapture.1\\DefaultIcon"| +|renderdoc/os/win32/win32_stringio.cpp|358|日志路径|L"RenderDoc\\%ls_..."|L"RenderTest\\%ls_..."| +|renderdoc/os/win32/win32_stringio.cpp|367|日志路径|L"RenderDoc\\%ls_..."|L"RenderTest\\%ls_..."| + + + +### OpenGL 窗口类名 + + + +|文件路径|行号|修改类型|修改前|修改后| +|---|---|---|---|---| +|driver/gl/wgl_platform.cpp|28|宏定义|L"renderdocGLclass"|L"rendertestGLclass"| + + + +### [全局 Hook 共享内存名称](https://zhida.zhihu.com/search?content_id=271977473&content_type=Article&match_order=1&q=%E5%85%A8%E5%B1%80+Hook+%E5%85%B1%E4%BA%AB%E5%86%85%E5%AD%98%E5%90%8D%E7%A7%B0&zhida_source=entity) + + + +|文件路径|行号|修改类型|修改前|修改后| +|---|---|---|---|---| +|renderdocshim/renderdocshim.h|36|宏定义|"RenderDocGlobalHookData64"|"RenderTestGlobalHookData64"| +|renderdocshim/renderdocshim.h|39|宏定义|"RenderDocGlobalHookData32"|"RenderTestGlobalHookData32"| + + + +### 资源文件 + + + +|文件路径|行号|修改类型|修改前|修改后| +|---|---|---|---|---| +|data/renderdoc.rc|87|资源字符串|"Core DLL for RenderDoc"|"Core DLL for RenderTest"| +|data/renderdoc.rc|92|资源字符串|"ProductName", "RenderDoc"|"ProductName", "RenderTest"| + + + +### Qt UI 层 + + + +|文件路径|行号|修改类型|修改前|修改后| +|---|---|---|---|---| +|qrenderdoc/renderdocui_stub.cpp|62|字符串拼接|L"qrenderdoc.exe"|L"qrendertest.exe"| +|qrenderdoc/Code/qrenderdoc.cpp|173|Qt 翻译上下文|"qrenderdoc"|"qrendertest"| +|qrenderdoc/Code/qrenderdoc.cpp|198|日志输出|"QRenderDoc initialising."|"QRenderTest initialising."| +|qrenderdoc/Code/qrenderdoc.cpp|267|会话名|"QRenderDoc"|"QRenderTest"| +|qrenderdoc/Code/qrenderdoc.cpp|330|描述文本|"Qt UI for RenderDoc"|"Qt UI for RenderTest"| +|qrenderdoc/Code/qrenderdoc.cpp|393|版本输出|"QRenderDoc v%s"|"QRenderTest v%s"| +|qrenderdoc/Windows/MainWindow.cpp|1217|窗口标题|"RenderDoc "|"RenderTest "| + + + +### VS 项目文件(编译输出名 + UAC 提权) + + + +|文件路径|属性|修改类型|修改前|修改后| +|---|---|---|---|---| +|qrenderdoc/renderdocui_stub.vcxproj|RootNamespace|修改|renderdocui_stub|rendertestui_stub| +|qrenderdoc/renderdocui_stub.vcxproj|ProjectName|修改|renderdocui_stub|rendertestui_stub| +|qrenderdoc/renderdocui_stub.vcxproj|PrimaryOutput|新增|(无)|rendertestui| +|qrenderdoc/renderdocui_stub.vcxproj|TargetName|新增|(无)|rendertestui| +|qrenderdoc/renderdocui_stub.vcxproj|UACExecutionLevel|新增|(无)|RequireAdmini| + + + +## CrashSight检测 + +这里可以在Hook的时候采用SetThreadContext注入 + +修改文件:renderdoc/os/win32/win32_process.cpp + +```text + uintptr_t loc = FindRemoteDLL(pi.dwProcessId, STRINGIZE(RDOC_BASE_NAME) ".dll"); + CloseHandle(hProcess); + hProcess = NULL; + if(loc != 0) +``` + +编辑于 2026-03-25 11:37・重庆 \ No newline at end of file diff --git a/07-Other/AI/AI Agent/工作计划.md b/07-Other/AI/AI Agent/工作计划.md index 4d3eff7..bebc2cc 100644 --- a/07-Other/AI/AI Agent/工作计划.md +++ b/07-Other/AI/AI Agent/工作计划.md @@ -116,3 +116,4 @@ POPO失忆: - [ ] 【🚀OpenClaw高级进阶技巧分享!模型精选策略+记忆系统优化经验+深度搜索集成+Gateway崩溃自动修复!Claude Code自动读日志修Bug重启验证】 https://www.bilibili.com/video/BV1pefHB1ENJ/?share_source=copy_web&vd_source=fe8142e8e12816535feaeabd6f6cdc8e - [ ] 【🚀【OpenClaw教程】OpenClaw高级玩法:记忆蒸馏+Skill固化+模型降级!Token成本直降40%,效率倍增!便宜模型也能完成复杂任务!龙虾教程】 https://www.bilibili.com/video/BV1WbPTzHEaa/?share_source=copy_web&vd_source=fe8142e8e12816535feaeabd6f6cdc8e - [ ] 【🚀OpenClaw最强大脑:GPT-5.4深度实测!Agent能力强到离谱!自主完成多轮长链路复杂任务!实测可全自动为其他设备部署小龙虾!OpenClaw教程】 https://www.bilibili.com/video/BV1PdPHzFEFJ/?share_source=copy_web&vd_source=fe8142e8e12816535feaeabd6f6cdc8e + - [ ] 【Claude Code 内部实践:Skill 编写的 9 个最佳实践-哔哩哔哩】 https://b23.tv/0Brym4l