[原创]分享以前的資料 絲路原動力內外掛破解
Send Packet Patch II 004103C0 . /E9 DF590200 jmp 00435DA4 ; Send Packet JMP Patch 004103C5 |90 nop 004103C6 |90 nop 0041065E . /E9 5C570200 jmp 00435DBF ; Re send Packet JMP Patch 00410663 |90 nop <JMP Patch> 00435DA4 00435DA4 > \83EC 64 sub esp, 64 00435DA7 . 8B4424 68 mov eax, dword ptr [esp+68] 00435DAB . 50 push eax 00435DAC . 51 push ecx 00435DAD . 52 push edx 00435DAE . 53 push ebx 00435DAF . E8 27000000 call 00435DDB 00435DB4 . 5B pop ebx 00435DB5 . 5A pop edx 00435DB6 . 59 pop ecx 00435DB7 . 58 pop eax 00435DB8 .^ E9 0AA6FDFF jmp 004103C7 00435DBD 00 db 00 00435DBE 00 db 00 00435DBF > 8D96 B04E0000 lea edx, dword ptr [esi+4EB0] 00435DC5 . 50 push eax 00435DC6 . 51 push ecx 00435DC7 . 52 push edx 00435DC8 . 53 push ebx 00435DC9 . 8BC2 mov eax, edx 00435DCB . E8 0B000000 call 00435DDB 00435DD0 . 5B pop ebx 00435DD1 . 5A pop edx 00435DD2 . 59 pop ecx 00435DD3 . 58 pop eax 00435DD4 .^ E9 8BA8FDFF jmp 00410664 00435DD9 00 db 00 00435DDA 00 db 00 00435DDB /$ 66:8178 0A 01>cmp word ptr [eax+A], 101 00435DE1 |. 74 08 je short 00435DEB 00435DE3 |. 66:8178 0A 07>cmp word ptr [eax+A], 107 00435DE9 |. 75 27 jnz short 00435E12 00435DEB |> B9 00506800 mov ecx, 00685000 ; 發送封包指標 00435DF0 |. 33D2 xor edx, edx 00435DF2 |. 33DB xor ebx, ebx 00435DF4 |> 83FB 08 /cmp ebx, 8 00435DF7 |. 74 0E |je short 00435E07 00435DF9 |. 83FB 0A |cmp ebx, 0A 00435DFC |. 74 09 |je short 00435E07 00435DFE |. 83FB 47 |cmp ebx, 47 00435E01 |. 74 0F |je short 00435E12 00435E03 |. 8A11 |mov dl, byte ptr [ecx] 00435E05 |. 8810 |mov byte ptr [eax], dl 00435E07 |> 83C0 01 |add eax, 1 00435E0A |. 83C1 01 |add ecx, 1 00435E0D |. 
83C3 01 |add ebx, 1 00435E10 |.^ EB E2 \jmp short 00435DF4 00435E12 \> C3 retn ======================== 004103C0 E9 DF 59 02 00 90 90 0041065E E9 5C 57 02 00 90 00435DA4 83 EC 64 8B 44 24 68 50 51 52 53 E8 27 00 00 00 5B 5A 59 58 E9 0A A6 FD FF 00 00 8D 96 B0 4E 00 00 50 51 52 53 8B C2 E8 0B 00 00 00 5B 5A 59 58 E9 8B A8 FD FF 00 00 66 81 78 0A 01 01 74 08 66 81 78 0A 07 01 75 27 B9 00 69 44 00 33 D2 33 DB 83 FB 08 74 0E 83 FB 0A 74 09 83 FB 47 74 0F 8A 11 88 10 83 C0 01 83 C1 01 83 C3 01 EB E2 C3 ======================== 102 & 108 Packet Patch II 0040E724 call 00435E15 <Call Patch> 0040E8C6 call 00435E15 <Call Patch> <Call Patch> 00435E15 $ 50 push eax 00435E16 . 51 push ecx 00435E17 . 52 push edx 00435E18 . 56 push esi 00435E19 . 33D2 xor edx, edx 00435E1B . 33C0 xor eax, eax 00435E1D . B9 50506800 mov ecx, 00685050 ; 接收封包指標 00435E22 > 83FA 08 cmp edx, 8 00435E25 . 74 0E je short 00435E35 00435E27 . 83FA 0A cmp edx, 0A 00435E2A . 74 09 je short 00435E35 00435E2C . 83FA 2D cmp edx, 2D 00435E2F . 74 0F je short 00435E40 00435E31 . 8A01 mov al, byte ptr [ecx] 00435E33 . 8806 mov byte ptr [esi], al 00435E35 > 83C2 01 add edx, 1 00435E38 . 83C1 01 add ecx, 1 00435E3B . 83C6 01 add esi, 1 00435E3E .^ EB E2 jmp short 00435E22 00435E40 > 5E pop esi 00435E41 . 5A pop edx 00435E42 . 59 pop ecx 00435E43 . 
58 pop eax 00435E44 .^ E9 779CFDFF jmp 0040FAC0 ======================== 0040E724 E8 EC 76 02 00 0040E8C6 E8 4A 75 02 00 00435E15 50 51 52 56 33 D2 33 C0 B9 50 69 44 00 83 FA 08 74 0E 83 FA 0A 74 09 83 FA 2D 74 0F 8A 01 88 06 83 C2 01 83 C1 01 83 C6 01 EB E2 5E 5A 59 58 E9 77 9C FD FF ======================== send packet 00685000 7C 22 47 00 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 64 65 76 69 6C 69 73 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 6D 7A 9E A6 1B DB 70 2D recv packet 00685050 6D 53 2D 00 00 00 00 00 00 00 02 01 00 14 BE 03 00 65 68 03 00 1B DB 70 2D 64 65 76 69 6C 69 73 6D 00 00 00 00 00 00 00 00 00 00 00 00 發送與接收封包全寫在 .tls 區段 |
[原创]分享以前的資料 絲路原動力內外掛破解
SRO.EXE(脫機掛主程式) Patch 分析 一 發送封包寫入 A 方式一 ********************************************************* 搜尋字串 dl send data %x,%d,TICK:%d 往上找代碼的頭 找到 004103C0 . 83EC 64 sub esp, 64 ; 這裡 NOP 改 JMP <Patch> 004103C3 . 8B4424 68 mov eax, dword ptr [esp+68] ; 這裡 NOP <封包指標傳到 EAX> 004103C7 . 53 push ebx ; <Patch> Run 完跳回這裡 004103C8 . 55 push ebp 004103C9 . 8B6C24 74 mov ebp, dword ptr [esp+74] ; <封包大小傳到 EBP> 004103CD . 8BD9 mov ebx, ecx 004103CF . 8BCD mov ecx, ebp 004103D1 . 56 push esi 004103D2 . 8BD1 mov edx, ecx 004103D4 . 57 push edi 004103D5 . 8BF0 mov esi, eax 004103D7 . 8DBB B04E0000 lea edi, dword ptr [ebx+4EB0] 004103DD . C1E9 02 shr ecx, 2 004103E0 . F3:A5 rep movs dword ptr es:[edi], dword p> 004103E2 . 8BCA mov ecx, edx 004103E4 . 83E1 03 and ecx, 3 004103E7 . F3:A4 rep movs byte ptr es:[edi], byte ptr> 004103E9 . 8B8B B48E0000 mov ecx, dword ptr [ebx+8EB4] 004103EF . 89AB B06E0000 mov dword ptr [ebx+6EB0], ebp 004103F5 . 85C9 test ecx, ecx 004103F7 . 0F84 0D010000 je 0041050A 004103FD . 81FD E8030000 cmp ebp, 3E8 略...................... 0041049A . 8983 BC8E0000 mov dword ptr [ebx+8EBC], eax 004104A0 . 50 push eax ; /<%d> 004104A1 . 33C0 xor eax, eax ; | 004104A3 . 55 push ebp ; |<%d> 004104A4 . 66:8B46 0A mov ax, word ptr [esi+A] ; | 004104A8 . 8D4C24 18 lea ecx, dword ptr [esp+18] ; | 004104AC . 50 push eax ; |<%x> 004104AD . 68 D4844400 push 004484D4 ; |format = "dl send data %x,%d,TICK:%d" 004104B2 . 51 push ecx ; |s 004104B3 . FF15 3C6D4300 call dword ptr [436D3C] ; \sprintf 改為 004103C0 . /E9 DF590200 jmp 00435DA4 ; 這裡 NOP 改 JMP <dl send data Patch> 004103C5 |90 nop 004103C6 |90 nop 004103C7 > |53 push ebx ; <Patch> Run 完跳回這裡 004103C8 . |55 push ebp 004103C9 . |8B6C24 74 mov ebp, dword ptr [esp+74] ; <封包大小傳到 EBP> ********************************************************* 搜尋字串 re send data %x,%d 找到 00410630 /$ 83EC 64 sub esp, 64 00410633 |. 56 push esi 00410634 |. 8BF1 mov esi, ecx 00410636 |. 8B86 B48E0000 mov eax, dword ptr [esi+8EB4] 0041063C |. 
85C0 test eax, eax 0041063E |. 74 65 je short 004106A5 00410640 |. 8B86 B88E0000 mov eax, dword ptr [esi+8EB8] 00410646 |. 8B96 B06E0000 mov edx, dword ptr [esi+6EB0] ; 移動大小到 EDX 0041064C |. 8B8E C48E0000 mov ecx, dword ptr [esi+8EC4] 00410652 |. 40 inc eax 00410653 |. 6A 00 push 0 00410655 |. 52 push edx ; EDX 大小 00410656 |. 8986 B88E0000 mov dword ptr [esi+8EB8], eax 0041065C |. 8B01 mov eax, dword ptr [ecx] 0041065E |. 8D96 B04E0000 lea edx, dword ptr [esi+4EB0] ; 指標移到 DEX <這裡NOP 改為 JMP Patch> 00410664 |. 52 push edx ; EDX 指標 <Patch 代碼跑完跳回這裡> 00410665 |. FF50 20 call dword ptr [eax+20] ; Call MFC42.#CAsyncSocket::Send_5796 00410668 |. E8 51D92000 call 0061DFBE 0041066D |. 90 nop 0041066E |. 8986 BC8E0000 mov dword ptr [esi+8EBC], eax 00410674 |. 8B86 B06E0000 mov eax, dword ptr [esi+6EB0] 0041067A |. 33C9 xor ecx, ecx 0041067C |. 50 push eax ; /<%d> 0041067D |. 66:8B8E BA4E0>mov cx, word ptr [esi+4EBA] ; | 00410684 |. 8D5424 08 lea edx, dword ptr [esp+8] ; | 00410688 |. 51 push ecx ; |<%x> 00410689 |. 68 14854400 push 00448514 ; |format = "re send data %x,%d" 0041068E |. 52 push edx ; |s 0041068F |. FF15 3C6D4300 call dword ptr [436D3C] ; \sprintf 改為 0041065E . /E9 54570200 jmp 00435DB7 ; 這裡 NOP 改為 JMP <re send data Patch> 00410663 |90 nop 00410664 > |52 push edx ; <Patch 代碼跑完跳回這裡> ********************************************************* <Patch> 00435DA4 > \83EC 64 sub esp, 64 ; <dl send data Patch> 00435DA7 . 8B4424 68 mov eax, dword ptr [esp+68] 00435DAB . E8 1D000000 call 00435DCD ; <Packet Patch> 00435DB0 .^ E9 12A6FDFF jmp 004103C7 ; 跳回到原來代碼 00435DB5 00 db 00 00435DB6 00 db 00 00435DB7 > 8D96 B04E00 lea edx, dword ptr [esi+4EB0] ; <re send data Patch> 00435DBD . 50 push eax 00435DBE . 8BC2 mov eax, edx 00435DC0 . E8 08000000 call 00435DCD ; <Packet Patch> 00435DC5 . 58 pop eax 00435DC6 .^ E9 99A8FDFF jmp 00410664 ; 跳回到原來代碼 00435DCB 00 db 00 00435DCC 00 db 00 00435DCD /$ 66:8178 0A cmp word ptr [eax+A], 101 00435DD3 |. 74 08 je short 00435DDD 00435DD5 |. 
66:8178 0A cmp word ptr [eax+A], 107 00435DDB |. 75 40 jnz short 00435E1D 00435DDD |> 66:C700 CD56 mov word ptr [eax], 56CD ; 封包頭 Key <長度4個位元組> 00435DE2 |. 66:C740 0A mov word ptr [eax+A], 101 ; Case 00435DE8 |. C640 26 02 mov byte ptr [eax+26], 2 ; 掛機種類 01=內掛 02=脫機 00435DEC |. C740 2A 7361 mov dword ptr [eax+2A], 69666173 ; 動力認證遊戲帳號 <最多20個位元組> 00435DF3 |. C740 2E 6E61 mov dword ptr [eax+2E], 6F63616E 00435DFA |. C740 32 6F6C mov dword ptr [eax+32], 6C6F 00435E01 |. C740 36 0000 mov dword ptr [eax+36], 0 00435E08 |. C740 3A 0000 mov dword ptr [eax+3A], 0 00435E0F |. C740 3F 3FA3 mov dword ptr [eax+3F], 6E6EA33F ; 動力認證 KEY1 00435E16 |. C740 43 39C4 mov dword ptr [eax+43], ADE4C439 ; 動力認證 KEY2 00435E1D \> C3 retn ================== dl send data Patch ================== 004103C0 E9 DF 59 02 00 90 90 0041065E E9 54 57 02 00 90 00435DA4 83 EC 64 8B 44 24 68 E8 1D 00 00 00 E9 12 A6 FD FF 00 00 8D 96 B0 4E 00 00 50 8B C2 E8 08 00 00 00 58 E9 99 A8 FD FF 00 00 66 81 78 0A 01 01 74 08 66 81 78 0A 07 01 75 40 66 C7 00 CD 56 66 C7 40 0A 01 01 C6 40 26 02 C7 40 2A 73 61 66 69 C7 40 2E 6E 61 63 6F C7 40 32 6F 6C 00 00 C7 40 36 00 00 00 00 C7 40 3A 00 00 00 00 C7 40 3F 3F A3 6E 6E C7 40 43 39 C4 E4 AD C3================== B 方式二 ********************************************************* 004103C0 . /E9 DF590200 jmp 00435DA4 ; JMP to <Patch1> 004103C5 |90 nop 004103C6 |90 nop 0041065E . /E9 5C570200 jmp 00435DBF ; JMP to <Patch2> 00410663 |90 nop <Patch1> 00435DA4 > \83EC 64 sub esp, 64 00435DA7 . 8B4424 68 mov eax, dword ptr [esp+68] 00435DAB . 50 push eax 00435DAC . 51 push ecx 00435DAD . 52 push edx 00435DAE . 53 push ebx 00435DAF . E8 27000000 call 00435DDB ; Call Sand Packet Patch 00435DB4 . 5B pop ebx 00435DB5 . 5A pop edx 00435DB6 . 59 pop ecx 00435DB7 . 58 pop eax 00435DB8 .^ E9 0AA6FDFF jmp 004103C7 <Patch2> 00435DBF > \8D96 B04E0000 lea edx, dword ptr [esi+4EB0] 00435DC5 . 50 push eax 00435DC6 . 51 push ecx 00435DC7 . 52 push edx 00435DC8 . 53 push ebx 00435DC9 . 
8BC2 mov eax, edx 00435DCB . E8 0B000000 call 00435DDB ; Call <Sand Packet Patch> 00435DD0 . 5B pop ebx 00435DD1 . 5A pop edx 00435DD2 . 59 pop ecx 00435DD3 . 58 pop eax 00435DD4 .^ E9 8BA8FDFF jmp 00410664 <Sand Packet Patch> 00435DDB /$ 66:8178 0A 01>cmp word ptr [eax+A], 101 ; Sand Packet Patch 00435DE1 |. 74 08 je short 00435DEB 00435DE3 |. 66:8178 0A 07>cmp word ptr [eax+A], 107 00435DE9 |. 75 1D jnz short 00435E08 ; JMP TO RETN 00435DEB |> B9 00606800 mov ecx, 00686000 00435DF0 |. 33D2 xor edx, edx 00435DF2 |. 33DB xor ebx, ebx 00435DF4 |> 83FB 47 /cmp ebx, 47 00435DF7 |. 74 0F |je short 00435E08 ; JMP TO RETN 00435DF9 |. 8A11 |mov dl, byte ptr [ecx] 00435DFB |. 8810 |mov byte ptr [eax], dl 00435DFD |. 83C0 01 |add eax, 1 00435E00 |. 83C1 01 |add ecx, 1 00435E03 |. 83C3 01 |add ebx, 1 00435E06 |.^ EB EC \jmp short 00435DF4 00435E08 \> C3 retn ================== 004103C0 E9 DF 59 02 00 90 90 0041065E E9 5C 57 02 00 90 00435DA4 83 EC 64 8B 44 24 68 50 51 52 53 E8 27 00 00 00 5B 5A 59 58 E9 0A A6 FD FF 00 00 8D 96 B0 4E 00 00 50 51 52 53 8B C2 E8 0B 00 00 00 5B 5A 59 58 E9 8B A8 FD FF 00 00 66 81 78 0A 01 01 74 08 66 81 78 0A 07 01 75 1D B9 00 60 68 00 33 D2 33 DB 83 FB 47 74 0F 8A 11 88 10 83 C0 01 83 C1 01 83 C3 01 EB EC C3 ================== 二 檢查 DL 重登時間 搜尋字串 check time relogin dl with minute error 找到 0040F476 > \8B86 90200000 mov eax, dword ptr [esi+2090] 0040F47C . 3BC3 cmp eax, ebx ; 比較 EAX 是否=0 0040F47E . 74 0E je short 0040F48E ; 0040F480 . 2BF8 sub edi, eax 0040F482 . 81FF E0930400 cmp edi, 493E0 ; 比較 EDI-EAX 是否大於 493E0 0040F488 . 0F87 49010000 ja 0040F5D7 0040F48E > 395E 48 cmp dword ptr [esi+48], ebx ; <<<這裡 Patch>>> 驗證通過時為1 0040F491 . 0F84 40010000 je 0040F5D7 ; 0則跳到預設 0040F497 . 395E 4C cmp dword ptr [esi+4C], ebx 0040F49A . 0F85 37010000 jnz 0040F5D7 ; 0則跳到預設 0040F4A0 . FFD5 call ebp 0040F4A2 . 8B56 44 mov edx, dword ptr [esi+44] 0040F4A5 . 8BF8 mov edi, eax 0040F4A7 . 8BCF mov ecx, edi 0040F4A9 . B8 D34D6210 mov eax, 10624DD3 0040F4AE . 
2BCA sub ecx, edx 0040F4B0 . F7E1 mul ecx 0040F4B2 . C1EA 06 shr edx, 6 0040F4B5 . B8 89888888 mov eax, 88888889 0040F4BA . F7E2 mul edx 0040F4BC . C1EA 05 shr edx, 5 0040F4BF . 79 46 jns short 0040F507 ; 跳到第二個重登 0040F4C1 . 8D5424 10 lea edx, dword ptr [esp+10] 0040F4C5 . 68 08844400 push 00448408 ; /format = "check time relogin dl with minute error" 0040F4CA . 52 push edx ; |s 0040F4CB . FF15 3C6D4300 call dword ptr [436D3C] ; \sprintf 改為 0040F48E > \C746 48 01000>mov dword ptr [esi+48], 1 ; 這裡 Patch 0040F495 . C746 4C 00000>mov dword ptr [esi+4C], 0 0040F49C . E9 36010000 jmp 0040F5D7 0040F4A1 90 nop ================ relogin dl Patch ================ 0040F48E C7 46 48 01 00 00 00 C7 46 4C 00 00 00 00 E9 36 01 00 00 90 ================ 三 102 108 封包處理代碼 Patch 搜尋 字串 recv packet 0102 0040E706 > \8B4D 08 mov ecx, dword ptr [ebp+8] ; Case 102 of switch 0040E696 0040E709 . 68 C0814400 push 004481C0 ; ASCII "recv packet 0102" 0040E70E . 8B01 mov eax, dword ptr [ecx] 0040E710 . FF50 18 call dword ptr [eax+18] 0040E713 . 8B8C24 940400>mov ecx, dword ptr [esp+494] 0040E71A . 8D56 02 lea edx, dword ptr [esi+2] 0040E71D . 83C1 FE add ecx, -2 0040E720 . 51 push ecx 0040E721 . 52 push edx 0040E722 . 8BCD mov ecx, ebp 0040E724 . E8 97130000 call 0040FAC0 0040E729 . 33C9 xor ecx, ecx 0040E72B . 66:3B06 cmp ax, word ptr [esi] 0040E72E . BB 01000000 mov ebx, 1 0040E733 . 74 02 je short 0040E737 ; 改 JMP 0040E735 . 8BCB mov ecx, ebx 0040E737 > 8B46 15 mov eax, dword ptr [esi+15] 0040E73A . 8B95 94200000 mov edx, dword ptr [ebp+2094] 0040E740 . F7D0 not eax 0040E742 . 83C0 02 add eax, 2 0040E745 . 3BC2 cmp eax, edx 0040E747 . 74 02 je short 0040E74B ; 改 JMP 0040E749 . 8BCB mov ecx, ebx 0040E74B > 8B46 0D mov eax, dword ptr [esi+D] 0040E74E . 85C9 test ecx, ecx 0040E750 . 8945 10 mov dword ptr [ebp+10], eax 0040E753 . 74 17 je short 0040E76C ; 改 JMP 0040E755 . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E758 . 33C0 xor eax, eax 0040E75A . 8945 48 mov dword ptr [ebp+48], eax 0040E75D . 
8945 10 mov dword ptr [ebp+10], eax 0040E760 . 8B01 mov eax, dword ptr [ecx] 0040E762 . 68 A4814400 push 004481A4 ; 登入動力伺服器失敗,資料錯誤 0040E767 . E9 24010000 jmp 0040E890 0040E76C > 8A46 0C mov al, byte ptr [esi+C] ; 封包+C 0040E76F . 84C0 test al, al 0040E771 . 0F85 8A000000 jnz 0040E801 ; NOP 0040E777 . 8B4E 0D mov ecx, dword ptr [esi+D] ; 封包+D 0040E77A . 895D 04 mov dword ptr [ebp+4], ebx 0040E77D . 894D 10 mov dword ptr [ebp+10], ecx 0040E780 . 8B56 11 mov edx, dword ptr [esi+11] ; 封包+11 0040E783 . 8955 40 mov dword ptr [ebp+40], edx 0040E786 . FFD7 call edi 0040E788 . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E78B . 8945 44 mov dword ptr [ebp+44], eax 0040E78E . 68 90814400 push 00448190 0040E793 . 8B01 mov eax, dword ptr [ecx] 0040E795 . FF50 1C call dword ptr [eax+1C] 0040E798 . 8B4D 40 mov ecx, dword ptr [ebp+40] 0040E79B . BB 3C000000 mov ebx, 3C 0040E7A0 . 8BC1 mov eax, ecx 0040E7A2 . 99 cdq 0040E7A3 . F7FB idiv ebx 0040E7A5 . B8 89888888 mov eax, 88888889 0040E7AA . 52 push edx ; /<%d> 0040E7AB . F7E9 imul ecx ; | 0040E7AD . 03D1 add edx, ecx ; | 0040E7AF . C1FA 05 sar edx, 5 ; | 0040E7B2 . 8BCA mov ecx, edx ; | 0040E7B4 . C1E9 1F shr ecx, 1F ; | 0040E7B7 . 03D1 add edx, ecx ; | 0040E7B9 . 52 push edx ; |<%d> 0040E7BA . 8D5424 24 lea edx, dword ptr [esp+24] ; | 0040E7BE . 68 78814400 push 00448178 ; |可使用動力%d小時%d分鐘 0040E7C3 . 52 push edx ; |s 0040E7C4 . FF15 3C6D4300 call dword ptr [<&msvcrt.sprintf>] ; \sprintf 0040E7CA . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E7CD . 83C4 10 add esp, 10 0040E7D0 . 8D5424 1C lea edx, dword ptr [esp+1C] 0040E7D4 . 8B01 mov eax, dword ptr [ecx] 0040E7D6 . 52 push edx 0040E7D7 . FF50 1C call dword ptr [eax+1C] 0040E7DA . 8A46 15 mov al, byte ptr [esi+15] 0040E7DD . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E7E0 . 8845 50 mov byte ptr [ebp+50], al 0040E7E3 . 8B11 mov edx, dword ptr [ecx] 0040E7E5 . FF52 14 call dword ptr [edx+14] 0040E7E8 . BB 01000000 mov ebx, 1 0040E7ED . 895D 48 mov dword ptr [ebp+48], ebx 0040E7F0 . 
FFD7 call edi 0040E7F2 . 8945 3C mov dword ptr [ebp+3C], eax 0040E7F5 . C745 4C 00000>mov dword ptr [ebp+4C], 0 0040E7FC . E9 92000000 jmp 0040E893 .... 0040E893 > \395D 1C cmp dword ptr [ebp+1C], ebx 0040E896 . 0F85 F3050000 jnz 0040EE8F ; NOP 0040E89C . C745 1C 00000>mov dword ptr [ebp+1C], 0 0040E8A3 . E9 E7050000 jmp 0040EE8F ; 跳到 Default case 搜尋 字串 recv packet 108 0040E8A8 > \8B4D 08 mov ecx, dword ptr [ebp+8] ; Case 108 of switch 0040E696 0040E8AB . 68 3C814400 push 0044813C ; ASCII "recv packet 108" 0040E8B0 . 8B11 mov edx, dword ptr [ecx] 0040E8B2 . FF52 18 call dword ptr [edx+18] 0040E8B5 . 8B8424 940400>mov eax, dword ptr [esp+494] 0040E8BC . 8D4E 02 lea ecx, dword ptr [esi+2] 0040E8BF . 83C0 FE add eax, -2 0040E8C2 . 50 push eax 0040E8C3 . 51 push ecx 0040E8C4 . 8BCD mov ecx, ebp 0040E8C6 . E8 F5110000 call 0040FAC0 0040E8CB . 66:3B06 cmp ax, word ptr [esi] 0040E8CE . 895C24 10 mov dword ptr [esp+10], ebx 0040E8D2 . B9 01000000 mov ecx, 1 0040E8D7 . 74 04 je short 0040E8DD ; 改JMP 0040E8D9 . 894C24 10 mov dword ptr [esp+10], ecx 0040E8DD > 8B46 15 mov eax, dword ptr [esi+15] 0040E8E0 . 8B95 94200000 mov edx, dword ptr [ebp+2094] 0040E8E6 . F7D0 not eax 0040E8E8 . 83C0 02 add eax, 2 0040E8EB . 3BC2 cmp eax, edx 0040E8ED . 74 04 je short 0040E8F3 ; 改JMP 0040E8EF . 894C24 10 mov dword ptr [esp+10], ecx 0040E8F3 > 8B55 28 mov edx, dword ptr [ebp+28] 0040E8F6 . 33C0 xor eax, eax 0040E8F8 . 8B5A F8 mov ebx, dword ptr [edx-8] 0040E8FB . 85DB test ebx, ebx 0040E8FD . 7E 12 jle short 0040E911 0040E8FF > 8A0C02 mov cl, byte ptr [edx+eax] 0040E902 . 384C06 19 cmp byte ptr [esi+eax+19], cl 0040E906 . 0F85 15010000 jnz 0040EA21 ; NOP 0040E90C . 40 inc eax 0040E90D . 3BC3 cmp eax, ebx 0040E90F .^ 7C EE jl short 0040E8FF 0040E911 > 8B4424 10 mov eax, dword ptr [esp+10] 0040E915 . 85C0 test eax, eax 0040E917 . 0F85 04010000 jnz 0040EA21 ; NOP 0040E91D . 8A46 0C mov al, byte ptr [esi+C] 0040E920 . 84C0 test al, al 0040E922 . 0F85 8D000000 jnz 0040E9B5 ; NOP 0040E928 . 
8B56 0D mov edx, dword ptr [esi+D] 0040E92B . C745 04 01000>mov dword ptr [ebp+4], 1 0040E932 . 8955 10 mov dword ptr [ebp+10], edx 0040E935 . 8B46 11 mov eax, dword ptr [esi+11] 0040E938 . 8945 40 mov dword ptr [ebp+40], eax 0040E93B . FFD7 call edi 0040E93D . 8B4D 40 mov ecx, dword ptr [ebp+40] 0040E940 . 8945 44 mov dword ptr [ebp+44], eax 0040E943 . 8BC1 mov eax, ecx 0040E945 . BB 3C000000 mov ebx, 3C 0040E94A . 99 cdq 0040E94B . F7FB idiv ebx 0040E94D . B8 89888888 mov eax, 88888889 0040E952 . 52 push edx ; /<%d> 0040E953 . F7E9 imul ecx ; | 0040E955 . 03D1 add edx, ecx ; | 0040E957 . C1FA 05 sar edx, 5 ; | 0040E95A . 8BCA mov ecx, edx ; | 0040E95C . C1E9 1F shr ecx, 1F ; | 0040E95F . 03D1 add edx, ecx ; | 0040E961 . 52 push edx ; |<%d> 0040E962 . 8D5424 24 lea edx, dword ptr [esp+24] ; | 0040E966 . 68 24814400 push 00448124 ; |可使用動力%d小時%d分鐘 0040E96B . 52 push edx ; |s 0040E96C . FF15 3C6D4300 call dword ptr [<&msvcrt.sprintf>] ; \sprintf 0040E972 . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E975 . 83C4 10 add esp, 10 0040E978 . 8D5424 1C lea edx, dword ptr [esp+1C] 0040E97C . 8B01 mov eax, dword ptr [ecx] 0040E97E . 52 push edx 0040E97F . FF50 1C call dword ptr [eax+1C] 0040E982 . 8A46 15 mov al, byte ptr [esi+15] 0040E985 . 8845 50 mov byte ptr [ebp+50], al 0040E988 . 8A4E 15 mov cl, byte ptr [esi+15] 0040E98B . 884D 50 mov byte ptr [ebp+50], cl 0040E98E . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E991 . 8B11 mov edx, dword ptr [ecx] 0040E993 . FF52 14 call dword ptr [edx+14] 0040E996 . FFD7 call edi 0040E998 . 8945 3C mov dword ptr [ebp+3C], eax 0040E99B . C745 48 01000>mov dword ptr [ebp+48], 1 0040E9A2 . C745 4C 00000>mov dword ptr [ebp+4C], 0 0040E9A9 . C745 1C 00000>mov dword ptr [ebp+1C], 0 0040E9B0 . 
E9 DA040000 jmp 0040EE8F ; 跳到 Default case 0040EA21 mov dword ptr [ebp+48], 0改為 0040EA21 mov dword ptr [ebp+48], 1 ========================== recv packet 0102 MEM Patch ========================== 0040E733 EB 0040E747 EB 0040E753 EB 0040E771 90 90 90 90 90 90 0040E896 90 90 90 90 90 90 ========================== ========================= recv packet 108 MEM Patch ========================= 0040E8D7 EB 0040E8ED EB 0040E917 90 90 90 90 90 90 0040E922 90 90 90 90 90 90 0040EA21 C7 45 48 01 ========================= +++++++++++++++++++++++++++++++++++++++++++++++++++ 四 102 108 Packet Patch <非必要> A 方式一 搜尋字串 recv packet 0102 找到下面第一個 Call 0040E709 . 68 C0814400 push 004481C0 ; ASCII "recv packet 0102" 0040E70E . 8B01 mov eax, dword ptr [ecx] 0040E710 . FF50 18 call dword ptr [eax+18] 0040E713 . 8B8C24 940400>mov ecx, dword ptr [esp+494] 0040E71A . 8D56 02 lea edx, dword ptr [esi+2] 0040E71D . 83C1 FE add ecx, -2 0040E720 . 51 push ecx 0040E721 . 52 push edx 0040E722 . 8BCD mov ecx, ebp 0040E724 E8 F7760200 call 00435E20 ; 這裡改為 Call Patch 搜尋字串 recv packet 108 找到下面第一個 Call 0040E8AB . 68 3C814400 push 0044813C ; ASCII "recv packet 108" 0040E8B0 . 8B11 mov edx, dword ptr [ecx] 0040E8B2 . FF52 18 call dword ptr [edx+18] 0040E8B5 . 8B8424 940400>mov eax, dword ptr [esp+494] 0040E8BC . 8D4E 02 lea ecx, dword ptr [esi+2] 0040E8BF . 83C0 FE add eax, -2 0040E8C2 . 50 push eax 0040E8C3 . 51 push ecx 0040E8C4 . 
8BCD mov ecx, ebp 0040E8C6 E8 55750200 call 00435E20 ; 這裡改為 Call Patch <Patch> 00435E20 66:C706 C4A7 mov word ptr [esi], 0A7C4 ; 封包頭 Key <長度4個位元組> 00435E25 C646 0C 00 mov byte ptr [esi+C], 0 ; 0=認證通過 1=資料比對錯誤 2=帳號到期 00435E29 C746 0D 28C00 mov dword ptr [esi+D], 3C028 ; 動力註冊序號 00435E30 C746 11 84270 mov dword ptr [esi+11], 92784 ; 剩餘可用時間 以分鐘計16進位 00435E37 C746 15 39C4E mov dword ptr [esi+15], ADE4C439 ; 動力認證 KEY2 00435E3E C746 19 73616 mov dword ptr [esi+19], 69666173 ; 動力認證遊戲帳號 <最多20個位元組> 00435E45 C746 1D 6E616 mov dword ptr [esi+1D], 6F63616E 00435E4C C746 21 6F6C0 mov dword ptr [esi+21], 6C6F 00435E53 C746 25 00000 mov dword ptr [esi+25], 0 00435E5A C746 29 00000 mov dword ptr [esi+29], 0 00435E61 ^ E9 5A9CFDFF jmp 0040FAC0 ========================== 102 & 108 Packet MEM Patch ========================== 0040E724 E8 F7 76 02 00 0040E8C6 E8 55 75 02 00 00435E20 [CODE]66 C7 06 C4 A7 C6 46 0C 00 C7 46 0D 28 C0 03 00 C7 46 11 84 27 09 00 C7 4615 39 C4 E4 AD C7 46 19 73 61 66 69 C7 46 1D 6E 61 63 6F C7 46 21 6F 6C 00 00 C7 46 25 00 00 00 00 C7 46 29 00 00 00 00 E9 5A 9C FD FF[/CODE] +++++++++++++++++++++++++++++++++++++++++++++++++++ B 方式二 <Patch> 00435E20 50 push eax 00435E21 51 push ecx 00435E22 52 push edx 00435E23 56 push esi 00435E24 33D2 xor edx, edx 00435E26 33C0 xor eax, eax 00435E28 B9 50606800 mov ecx, 00686050 00435E2D 83FA 08 cmp edx, 8 00435E30 74 0E je short 00435E40 00435E32 83FA 0A cmp edx, 0A 00435E35 74 09 je short 00435E40 00435E37 83FA 2D cmp edx, 2D 00435E3A 74 0F je short 00435E4B 00435E3C 8A01 mov al, byte ptr [ecx] 00435E3E 8806 mov byte ptr [esi], al 00435E40 83C2 01 add edx, 1 00435E43 83C1 01 add ecx, 1 00435E46 83C6 01 add esi, 1 00435E49 ^ EB E2 jmp short 00435E2D 00435E4B 5E pop esi 00435E4C 5A pop edx 00435E4D 59 pop ecx 00435E4E 58 pop eax 00435E4F ^ E9 6C9CFDFF jmp 0040FAC0 50 51 52 56 33 D2 33 C0 B9 50 60 68 00 83 FA 08 74 0E 83 FA 0A 74 09 83 FA 2D 74 0F 8A 01 88 06 83 C2 01 83 C1 01 83 C6 01 EB E2 5E 5A 59 58 E9 6C 9C FD FF 
====================== SRO.dll Patch ====================== 一 認證帳號修改 Patch 搜尋字串 %sconf\%s.cfg 找到 20040150 /$ 56 push esi 20040151 |. 8B7424 08 mov esi, dword ptr [esp+8] 20040155 |. 57 push edi 20040156 |. 56 push esi 20040157 |. E8 44FEFFFF call 2003FFA0 2004015C |. 8B7C24 14 mov edi, dword ptr [esp+14] 20040160 |. 68 C0070920 push 200907C0 20040165 |. 57 push edi 20040166 |. FF15 10260820 call dword ptr [20082610] 2004016C |. 83C4 0C add esp, 0C 2004016F |. 85C0 test eax, eax 20040171 |. 57 push edi 20040172 |. 56 push esi 20040173 |. 75 12 jnz short 20040187 20040175 |. 68 186A0920 push 20096A18 ; ASCII "%sconf\%s.cfg" 2004017A |. 56 push esi 2004017B |. FF15 34260820 call dword ptr [20082634] 20040181 |. 83C4 10 add esp, 10 20040184 |. 5F pop edi 20040185 |. 5E pop esi 20040186 |. C3 retn 20040187 |> 68 7C440920 push 2009447C ; ASCII "%sconf\%s" 2004018C |. 56 push esi 2004018D |. FF15 34260820 call dword ptr [20082634] 20040193 |. 83C4 10 add esp, 10 20040196 |. 5F pop edi 20040197 |. 5E pop esi 20040198 \. C3 retn 往回找來源的第一個 Call 找到 20026350 >/$ 6A FF push -1 20026352 |. 68 B8F10720 push 2007F1B8 ; SE 處理程序安裝 20026357 |. 64:A1 00000000 mov eax, dword ptr fs:[0] 2002635D |. 50 push eax 2002635E |. 64:8925 000000>mov dword ptr fs:[0], esp 20026365 |. 81EC 24050000 sub esp, 524 2002636B |. 55 push ebp 2002636C |. 56 push esi 2002636D |. 57 push edi 2002636E |. 8BF1 mov esi, ecx 20026370 |. E8 826B0500 call 2007CEF7 20026375 |. 50 push eax 20026376 |. 8D4C24 18 lea ecx, dword ptr [esp+18] 2002637A |. E8 DD670500 call 2007CB5C 2002637F |. 33ED xor ebp, ebp 20026381 |. C74424 1C F443>mov dword ptr [esp+1C], 200843F4 20026389 |. 89AC24 3805000>mov dword ptr [esp+538], ebp 20026390 |. 896C24 20 mov dword ptr [esp+20], ebp 20026394 |. 896C24 2C mov dword ptr [esp+2C], ebp 20026398 |. 896C24 28 mov dword ptr [esp+28], ebp 2002639C |. 896C24 24 mov dword ptr [esp+24], ebp 200263A0 |. 8D4C24 0C lea ecx, dword ptr [esp+C] 200263A4 |. 
C68424 3805000>mov byte ptr [esp+538], 1 200263AC |. E8 E1640500 call 2007C892 200263B1 |. 8B86 28590100 mov eax, dword ptr [esi+15928] 200263B7 |. 8D8E 28590100 lea ecx, dword ptr [esi+15928] 200263BD |. C68424 3805000>mov byte ptr [esp+538], 2 200263C5 |. 3968 F8 cmp dword ptr [eax-8], ebp 200263C8 |. 0F84 D2000000 je 200264A0 200263CE |. 55 push ebp 200263CF |. E8 D4660500 call 2007CAA8 200263D4 |. 8D8C24 3001000>lea ecx, dword ptr [esp+130] 200263DB |. 50 push eax ; 驗證帳號指標 200263DC |. 51 push ecx 200263DD |. E8 6E9D0100 call 20040150 在此處 Call Patch ; 進入 %sconf\%s.cfg 代碼 =============================== 200263DD 改為 call 20081298 =============================== Call Patch 代碼 20081298 $ 50 push eax ; 將通過動力認證的帳號字串寫入 EAX 指標位置 20081299 . 52 push edx 2008129A . 51 push ecx 2008129B . B9 C0120820 mov ecx, 200812C0 ; 要寫入的帳號存放指標(帳號必須原動力註冊用戶) 200812A0 > 8A11 mov dl, byte ptr [ecx] 200812A2 . 84D2 test dl, dl 200812A4 . 74 0A je short 200812B0 200812A6 . 8810 mov byte ptr [eax], dl 200812A8 . 83C0 01 add eax, 1 200812AB . 83C1 01 add ecx, 1 200812AE .^ EB F0 jmp short 200812A0 200812B0 > C600 00 mov byte ptr [eax], 0 200812B3 . 59 pop ecx 200812B4 . 5A pop edx 200812B5 . 58 pop eax 200812B6 .^ E9 95EEFBFF jmp 20040150 ; 跳回 %sconf\%s.cfg 代碼 200812BB 90 nop 200812BC 90 nop 200812BD 90 nop 200812BE 90 nop 200812BF 90 nop 200812C0 . 64 65 76 69 6>ascii "devilism",0 ; 帳號字串 (必須與SRO.EXE的Ptach字串一樣) 50 52 51 B9 C0 12 08 20 8A 11 84 D2 74 0A 88 10 83 C0 01 83 C1 01 EB F0 C6 00 00 59 5A 58 E9 95 EE FB FF 90 90 90 90 90 64 65 76 69 6C 69 73 6D 00 二 開始掛機按鈕 Patch 搜尋 cmp eax,2D 確認 登入認證指標 2004EDDE |> \83F8 2D cmp eax, 2D 2004EDE1 |. 75 57 jnz short 2004EE3A 2004EDE3 |. 8B86 54040000 mov eax, dword ptr [esi+454] ; 認證指標 1=通過 0=不通過; Case 2D ('-') of switch 2004EDE9 |. 85C0 test eax, eax 2004EDEB |. 74 11 je short 2004EDFE 2004EDED |. 8B46 14 mov eax, dword ptr [esi+14] 2004EDF0 |. 5E pop esi 2004EDF1 |. C780 24D60000>mov dword ptr [eax+D624], 1 ; 開始掛機記號 1=開始掛機 0=停止掛機 2004EDFB |. 
C2 0400 retn 4 登入認證代碼為 [e??+454] HEX 54 04 00 00 ================================= 找到輸出表 # 47 2002B400 >/$ 53 push ebx ; #47 2002B401 |. 56 push esi 2002B402 |. 8BF1 mov esi, ecx 2002B404 |. 57 push edi 2002B405 |. 66:83BE 48390>cmp word ptr [esi+3948], 0 2002B40D |. 0F84 75040000 je 2002B888 2002B413 |. E8 986A0000 call #249 2002B418 |. 85C0 test eax, eax 2002B41A |. 0F85 68040000 jnz 2002B888 2002B420 |. 8B46 1C mov eax, dword ptr [esi+1C] 2002B423 |. 8B88 54040000 mov ecx, dword ptr [eax+454] ; 改為 mov dword ptr [eax+454],1 2002B429 |. 85C9 test ecx, ecx ; NOP 2002B42B |. 0F84 57040000 je 2002B888 ; NOP 2002B431 |. FF15 44200820 call dword ptr [20082044] ================================= 搜尋 push 0C30 20065AD0 /$ 6A 01 push 1 20065AD2 |. 68 300C0000 push 0C30 20065AD7 |. E8 D86F0100 call 2007CAB4 20065ADC |. 8BC8 mov ecx, eax 20065ADE |. E8 25700100 call 2007CB08 20065AE3 \. C3 retn 往回找來源的 Call 找到 200655A0 . 8B81 54040000 mov eax, dword ptr [ecx+454] ; 改為 mov dword ptr [ecx+454],1 200655A6 . 85C0 test eax, eax ; nop 200655A8 . 74 07 je short 200655B1 ; nop 200655AA > 8BCD mov ecx, ebp 200655AC . E8 1F050000 call 20065AD0 ; 進入 push 0C30 |
[分享]Hying 脫殼 IAT 亂序修復
重新寫一下修復 IAT 的 Patch 004840EC 77EFAD13 gdi32.CreateDIBitmap 004840F0 77EFB83B gdi32.SetPixel 004840F4 00000000 004840F8 003F0000 004840FC 003F0020 00484100 003F0040 00484104 003F0060 ..... 0048434C 7D5F21D6 shell32.Shell_NotifyIconA 00484350 7D610E25 shell32.ShellExecuteExA 00484354 00000000 00484358 00A60000 0048435C 00A60020 00484360 00A60040 00484364 00A60060 00484368 00A60080 IAT 加密的指標為 003FXXXX 00A6XXXX 找空白處打 Patch 00483909 60 pushad 0048390A 9C pushfd 0048390B BA F8404800 mov edx, 004840F8 ; 加密 IAT 開始的位址,或者 IAT 開始位址。 00483910 33DB xor ebx, ebx 00483912 8B32 mov esi, dword ptr [edx] 00483914 8B7A 04 mov edi, dword ptr [edx+4] 00483917 3BF7 cmp esi, edi ; IAT 表結束通常有 8Byte 的00,各取4Byte來比較是否結束。 00483919 74 33 je short 0048394E ; IAT 結束則跳 0048391B 66:8B5A 02 mov bx, word ptr [edx+2] 0048391F 66:81FB 3F00 cmp bx, 3F ; IAT 加密指標 003FXXXX 00483924 74 07 je short 0048392D 00483926 66:81FB A600 cmp bx, 0A6 ; IAT 加密指標 00A6XXXX 0048392B 75 1C jnz short 00483949 0048392D 8B0A mov ecx, dword ptr [edx] ; 模擬殼存取記憶體空間的 IAT 指標 0048392F 8B79 02 mov edi, dword ptr [ecx+2] 00483932 8B71 06 mov esi, dword ptr [ecx+6] 00483935 3137 xor dword ptr [edi], esi 00483937 8B0F mov ecx, dword ptr [edi] 00483939 3137 xor dword ptr [edi], esi 0048393B 8039 68 cmp byte ptr [ecx], 68 ; 比較是否是特殊加密IAT 0048393E 74 04 je short 00483944 00483940 8BC1 mov eax, ecx ; 特殊加密 Push 1/2 位址 移到 EAX 準備寫入IAT 00483942 EB 03 jmp short 00483947 00483944 8B41 01 mov eax, dword ptr [ecx+1] ; 3E0000 空間指標 Push IAT 的值,移到 EAX。 00483947 8902 mov dword ptr [edx], eax ; 寫入 IAT 00483949 83C2 04 add edx, 4 0048394C ^ EB C4 jmp short 00483912 0048394E 9D popfd 0048394F 61 popad 00483950 ^ E9 0C85FDFF jmp 0045BE61 ; 返回 OEP 60 9C BA F8 40 48 00 33 DB 8B 32 8B 7A 04 3B F7 74 33 66 8B 5A 02 66 81 FB 3F 00 74 07 66 81 FB A6 00 75 1C 8B 0A 8B 79 02 8B 71 06 31 37 8B 0F 31 37 80 39 68 74 04 8B C1 EB 03 8B 41 01 89 02 83 C2 04 EB C4 9D 61 E9 0C 85 FD FF 無法修復的 IAT 00484160 7C801A28 kernel32.CreateFileA 00484164 00394472 00484168 7C812B6E 
kernel32.GetVersionExA ..... 004841C4 7C80AC6E kernel32.FreeLibrary 004841C8 0039446B 004841CC 7C832B6E kernel32.GetPrivateProfileStringA 00394472 6A 02 push 2 00394474 E9 FF000000 jmp 00394578 0039446B 6A 01 push 1 0039446D E9 06010000 jmp 00394578 看到 Push 1 就知道是 kernel32.LoadLibraryA Push 2 就是 kernel32.GetProcAddress |
[分享]Hying 脫殼 IAT 亂序修復
無法修復的加密 IAT 分析 00484164 003F0360 003F0360 8135 7C033F00 6>xor dword ptr [3F037C], 22D4C16F 003F036A FF35 7C033F00 push dword ptr [3F037C] 003F0370 8135 7C033F00 6>xor dword ptr [3F037C], 22D4C16F 003F037A C3 retn 00394457 6A 02 push 2 00394459 E9 FF000000 jmp 0039455D 00394560 68 C2100000 push 10C2 00394565 E8 01000000 call 0039456B 0039456B 68 24080E68 push 680E0824 00394570 68 90908344 push 44839090 00394575 FFE4 jmp esp 0012FFAC 90 nop 0012FFAD 90 nop 0012FFAE 834424 08 0E add dword ptr [esp+8], 0E 0012FFB3 68 6A453900 push 39456A 0012FFB8 C2 1000 retn 10 00394578 E8 03000000 call 00394580 00394580 58 pop eax ; 0039457D 00394581 EB 01 jmp short 00394584 00394584 83C0 07 add eax, 7 00394587 50 push eax 00394588 C3 retn 00394584 83C0 07 add eax, 7 00394587 50 push eax 00394588 C3 retn 0039458B 58 pop eax ; 這裡開始 0039458C 83F8 01 cmp eax, 1 0039458F 0F85 D9000000 jnz 0039466E 0039466E 83F8 02 cmp eax, 2 00394671 0F85 19020000 jnz 00394890 00394677 50 push eax ; Push 2 從這裡 00394678 60 pushad 00394679 E8 00000000 call 0039467E 0039467E 5D pop ebp ; 堆疊 [0012FF74]=0039467E (0039467E) 0039467F 81ED 2A2C4000 sub ebp, 402C2A ; 減後 EBP = FFF91A54 00394685 8B4424 28 mov eax, dword ptr [esp+28] 00394689 3D 78787878 cmp eax, 78787878 0039468E 0F85 DD000000 jnz 00394771 00394771 3D 69696969 cmp eax, 69696969 00394776 75 0D jnz short 00394785 00394785 8B4424 2C mov eax, dword ptr [esp+2C] 00394789 3D 00000080 cmp eax, 80000000 0039478E 0F83 E5000000 jnb 00394879 00394794 8A08 mov cl, byte ptr [eax] 00394796 80F9 01 cmp cl, 1 00394799 75 5F jnz short 003947FA 003947FA 80F9 02 cmp cl, 2 003947FD 75 44 jnz short 00394843 00394843 80F9 03 cmp cl, 3 00394846 75 17 jnz short 0039485F 0039485F 80F9 04 cmp cl, 4 00394862 75 15 jnz short 00394879 00394879 8B85 46304000 mov eax, dword ptr [ebp+403046] ; ss:[00394A9A]=7C80AE30 (kernel32.GetProcAddress) 0039487F 894424 20 mov dword ptr [esp+20], eax 00394883 61 popad 00394884 83C4 04 add esp, 4 00394887 FF6424 FC jmp dword ptr [esp-4] 結果就是 
0039467E 5D pop ebp ; 堆疊 [0012FF74]=0039467E (0039467E) 0039467F 81ED 2A2C4000 sub ebp, 402C2A ; 減後 EBP = FFF91A54 00394879 8B85 46304000 mov eax, dword ptr [ebp+403046] ; ss:[00394A9A]=7C80AE30 (kernel32.GetProcAddress) 004841C8 003F0680 003F0680 8135 9C063F00 B>xor dword ptr [3F069C], 63991EB0 003F068A FF35 9C063F00 push dword ptr [3F069C] 003F0690 8135 9C063F00 B>xor dword ptr [3F069C], 63991EB0 003F069A C3 retn 00394450 6A 01 push 1 00394452 E9 06010000 jmp 0039455D 00394560 68 C2100000 push 10C2 00394565 E8 01000000 call 0039456B 0039456B 68 24080E68 push 680E0824 00394570 68 90908344 push 44839090 00394575 FFE4 jmp esp 0012FFAC 90 nop 0012FFAD 90 nop 0012FFAE 834424 08 0E add dword ptr [esp+8], 0E 0012FFB3 68 6A453900 push 39456A 0012FFB8 C2 1000 retn 10 00394578 E8 03000000 call 00394580 00394580 58 pop eax ; 0039457D 00394581 EB 01 jmp short 00394584 00394584 83C0 07 add eax, 7 00394587 50 push eax 00394588 C3 retn 00394584 83C0 07 add eax, 7 00394587 50 push eax 00394588 C3 retn 0039458B 58 pop eax ; 這裡開始 0039458C 83F8 01 cmp eax, 1 0039458F 0F85 D9000000 jnz 0039466E 00394595 50 push eax ; Push 1 從這裡 00394596 60 pushad 00394597 E8 00000000 call 0039459C 0039459C 5D pop ebp ; 堆疊 [0012FF74]=0039459C (0039459C) 0039459D 81ED 482B4000 sub ebp, 402B48 ; 減後 EBP = FFF91A54 003945A3 8B4424 28 mov eax, dword ptr [esp+28] 003945A7 50 push eax 003945A8 8D85 8B324000 lea eax, dword ptr [ebp+40328B] ; 位址=00394CDF, (ASCII "XDLL.DLL") 003945AE 50 push eax ; eax=00394CDF, (ASCII "XDLL.DLL") 003945AF FF95 5A314000 call dword ptr [ebp+40315A] ; ss:[00394BAE]=7C80BB31 (kernel32.lstrcmpiA) 003945B5 0BC0 or eax, eax 003945B7 75 0D jnz short 003945C6 003945C6 8B4424 28 mov eax, dword ptr [esp+28] 003945CA 66:8B08 mov cx, word ptr [eax] 003945CD 66:83F9 01 cmp cx, 1 003945D1 75 1E jnz short 003945F1 003945F1 66:83F9 02 cmp cx, 2 003945F5 75 1C jnz short 00394613 00394613 66:83F9 03 cmp cx, 3 00394617 75 1E jnz short 00394637 00394637 66:83F9 04 cmp cx, 4 0039463B 75 1A jnz 
short 00394657 00394657 8B85 4E304000 mov eax, dword ptr [ebp+40304E] ; ss:[00394AA2]=7C801D7B (kernel32.LoadLibraryA) 0039465D 894424 20 mov dword ptr [esp+20], eax 00394661 61 popad 00394662 83C4 04 add esp, 4 00394665 FF6424 FC jmp dword ptr [esp-4] 結果就是 0039459C 5D pop ebp ; 堆疊 [0012FF74]=0039459C (0039459C) 0039459D 81ED 482B4000 sub ebp, 402B48 ; 減後 EBP = FFF91A54 00394657 8B85 4E304000 mov eax, dword ptr [ebp+40304E] ; ss:[00394AA2]=7C801D7B (kernel32.LoadLibraryA) 下面這段 Push XDLL.DLL 的代碼 根本是在干擾分析 來亂的... 003945A8 8D85 8B324000 lea eax, dword ptr [ebp+40328B] ; 位址=00394CDF, (ASCII "XDLL.DLL") 003945AE 50 push eax ; eax=00394CDF, (ASCII "XDLL.DLL") 003945AF FF95 5A314000 call dword ptr [ebp+40315A] ; ss:[00394BAE]=7C80BB31 (kernel32.lstrcmpiA) Push 1 與 Push 2 這兩個共通點就是 0039459C 5D pop ebp ; 堆疊 [0012FF74]=0039459C (0039459C) 0039459D 81ED 482B4000 sub ebp, 402B48 ; 減後 EBP = FFF91A54 pop ebp 指令的位址減掉 殼自訂的值 不管是 Push 1 或是 Push 2 相減後 EBP 都會是 FFF91A54 那麼特殊加密的IAT位址就是 [EBP+殼自訂位址常量] 所以好像沒辦法在走到 OEP 後打 PATCH 修補 ˇ ˇ 所以乾脆手動跟一次再補上IAT 分析過很多個 Hying 7X 幾乎 Push 1 就是 kernel32.LoadLibraryA Push 2 就是 kernel32.GetProcAddress |
现在貌似VM无敌了吧,脱壳已经无意义了
絲路原動力.............. 不過我改的地方 沒VM ˇ ˇ http://bbs.pediy.com/showthread.php?t=99592 但你可以放心 新版加VM 照破不誤... 重點加VM 可以在代碼前或代碼後 Patch 嘛 ˇ ˇ 愛加給他去加....誰叫他蠢 舊版本不加密.....現在網路上都能下載舊版本來分析 然後去猜測加VM的代碼.... 就算猜不出來 還有一個他漏掉了..........遊戲外掛怎麼認證的...當然是封包囉 新版我VM連動都沒動 玩他的封包而已 連程度最低的菜鳥都能 Crack 或許作者 早已經猜到我怎麼去破解新版了 只是他要針對我一個人 可能要對不起全部付費的用戶 我知道大陸外掛開發人 很多都會來這裡 所以就賣關子了=_= |
[求助]未知的殼
themida 沒錯了.... 奇怪.....你們怎麼都在一直強調我要脫殼機....=_= 腳本也可以阿 IAT 加密難搞而已 Call dword ptr [XXXXXXXX] 被改為 Call XXXXXXXX 這個最難搞 他解密的過程 先把IAT 加密的部分還原到 rdata 段 然後再回復text 段的代碼 原本 Call dword ptr [XXXXXXXX] 的地方 都是 nop nop nop... 最後再按照 IAT 加密的指標 把 text 代碼段 的 Nop Nop.... 改為 Call XXXXXXXX 我知道的就這樣=_= 不然有沒有恢復 代碼段的 Call dword ptr [XXXXXXXX] 跟 JMP dword ptr [XXXXXXXX] 的腳本也可以..... 差點忘了說 我看很多腳本都是 VC6 VC7 的 AION 的程序是 VC++8.0 的=_= |
[求助]未知的殼
我測試跑這個 themida 的腳本 http://bbs.pediy.com/showthread.php?t=101304&highlight=Themida 可以到OEP 但是 IAT 無法修復=_= |
[原创]絲路原動力內掛/脫機 TO 免驗證版 Crack
==================================================== 追加 SRO.DLL 501 與 502 封包處理代碼 Patch ==================================================== 大致上脫機版 Sro.dll 修改方式也如上..... 搜尋輸出表 # 444 與 # 443 # 444 等同 silk.dll Case 501 # 443 等同 silk.dll Case 502 由於這兩段代碼 Call 來自 Sro.exe 本身, 不在 DLL 內. 故改為免驗證版,避免程序RUN到此處.程式會跳掉.故必須在這兩段代碼的頭改為 retn 8 20040BE0 >/$ 53 push ebx ; # 444 技能資料表封包解密 (此處改 retn 8) 20040BE1 |. 8B5C24 08 mov ebx, dword ptr [esp+8] 20040BE5 |. 56 push esi 20040BE6 |. 57 push edi 20040BE7 |. 8B7C24 14 mov edi, dword ptr [esp+14] 20040BEB |. 8BF1 mov esi, ecx 20040BED |. 57 push edi 20040BEE |. 53 push ebx 20040BEF |. E8 CCFFFFFF call #102 ; 接收的封包解密 20040BF4 |. 8B46 10 mov eax, dword ptr [esi+10] 20040BF7 |. 57 push edi 20040BF8 |. 53 push ebx 20040BF9 |. 8B88 A04B0100 mov ecx, dword ptr [eax+14BA0] 20040BFF |. E8 FC77FDFF call 20018400 ; 進入 Game.dat 第4段技能資料表處理 20040C04 |. 8B4E 10 mov ecx, dword ptr [esi+10] 20040C07 |. C786 10050000>mov dword ptr [esi+510], 1 20040C11 |. E8 4AA6FEFF call 2002B260 20040C16 |. 8B4E 10 mov ecx, dword ptr [esi+10] 20040C19 |. E8 C244FEFF call #54 20040C1E |. 5F pop edi 20040C1F |. 5E pop esi 20040C20 |. 5B pop ebx 20040C21 \. C2 0800 retn 8 20040C30 >/$ 53 push ebx ; # 443 怪物ID資料表解密 (此處改 retn 8) 20040C31 |. 8B5C24 08 mov ebx, dword ptr [esp+8] 20040C35 |. 56 push esi 20040C36 |. 57 push edi 20040C37 |. 8B7C24 14 mov edi, dword ptr [esp+14] 20040C3B |. 8BF1 mov esi, ecx 20040C3D |. 57 push edi 20040C3E |. 53 push ebx 20040C3F |. E8 7CFFFFFF call #102 ; 接收的封包解密 20040C44 |. 8B46 10 mov eax, dword ptr [esi+10] 20040C47 |. 57 push edi 20040C48 |. 53 push ebx 20040C49 |. 8B88 A04B0100 mov ecx, dword ptr [eax+14BA0] 20040C4F |. E8 0C79FDFF call 20018560 ; 進入 Game.dat 第7段怪物ID資料表處理 20040C54 |. 8B4E 10 mov ecx, dword ptr [esi+10] 20040C57 |. E8 54A6FEFF call 2002B2B0 20040C5C |. 5F pop edi 20040C5D |. 5E pop esi 20040C5E |. 5B pop ebx 20040C5F \. 
C2 0800 retn 8 ==================================================== 其他項目 ==================================================== SRO.dll 或者 Silk.dll 脫殼後如無法啟動(運行). 則脫殼後再以脫殼文件重定位一次即可. 國際版與台服舊版,目前有此問題. ==================================================== 非必要項目 ==================================================== 以下先前的筆記.....丟了可惜=_= SRO.exe themida 帶殼修改資源 先使用freeRes釋放資源 將此釋放資源後的EXE備份起來 暫稱為A.exe 然後使用FixRes重新修復一個原始SRO.exe的資源 暫稱為B.exe 此時B.exe的資源區段內容 不會被建立 themida 殼內壓縮的資源部分也會被清除 在使用 FixRes Dump A.exe 的資源來修復 b.exe 重新建立一個新的資源區段 這時運行B.exe會出錯 用OD載入Shift+F9會顯示出錯的位址 例如出錯的位址為 00843A20 則重新載入下斷 HE 00843A20 代碼如下 (此段代碼是由themida的殼自身解壓出來的代碼) 00843A1B B9 00150000 mov ecx,1500 00843A20 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:> 00843A22 B8 414B0000 mov eax,4B41 看到 00843A20 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:> 這個地方是綁住資源區段的地方 由於原本themida區段內的壓縮資源已被之前FixRes修復命令清除 所以運行到 00843A20 rep movs byte 這裡會出錯 現在必須讓00843A20處不執行 rep movs byte 這段代碼 改變方式如這幾樣 把 00843A20 改為NOP或不跳轉的代碼如 jbe jle 之類的 如下 00843A1B B9 00150000 mov ecx,1500 00843A20 ^ 76 B4 jbe short Remote.008439D6 00843A22 B8 414B0000 mov eax,4B41 00843A1B B9 00150000 mov ecx,1500 00843A20 ^ 7E 86 jle short Remote.008439A8 00843A22 B8 414B0000 mov eax,4B41 接著重新載入 下斷在前一個位元組偏移處 HW 00843A1F 則會來到這個地方 005EB117 8A06 mov al,byte ptr ds:[esi] ; ds:[006F347B]=8F 來源 005EB119 46 inc esi 005EB11A 8807 mov byte ptr ds:[edi],al ; al=DF ds:[00843A20]=00 寫入目標 005EB11C 47 inc edi ; 00843A1F 到這裡下斷 005EB11D BB 02000000 mov ebx,2 005EB122 02D2 add dl,dl 005EB124 75 05 jnz short SRO.005EB12B ; Y 跳 005EB126 8A16 mov dl,byte ptr ds:[esi] 005EB128 46 inc esi 005EB129 12D2 adc dl,dl 005EB12B ^ 73 EA jnb short SRO.005EB117 ; Y 循環 下斷前一個位元組偏移來到005EB11C上 接著F8到005EB117 會顯示代碼的來源 如上面VA 006F347B 位元組為8F 這個[006F347B]=8F已經算是00843A20要解密的代碼了 然後可以打開LordPE使用FLC計算VA的實際偏移位址 例如得到Offset為0012E478 則用WinHEX開啟SRO檔案 在偏移0012E478看到為8F 接著以WinHEX試著修改數值0012E478的數值 然後用OD載入SRO 下硬體執行斷點在綁定代碼處 HE 00843A20 看每次修改數值後代碼的變化如何 直到變為你想要的數值為止 比如說改為不跳轉指令 只要將 00843A20 處的 F3 改為 76 7E 變為jbe或jle等不跳轉指令即可 |
[原创]絲路原動力內掛/脫機 TO 免驗證版 Crack
==================================================== 二 技能資料表&怪物ID資料表破解 ==================================================== 技能資料表與怪物ID, 存放在 Game.dat 第4段與第7段. 用 Ollydgb 打開 Srobot.exe 搜尋 game.dat 發現第4段與第7段雙重加密 00402010 /$ 81EC 00010000 sub esp, 100 ; 這裡下斷 00402016 |. 8D4424 00 lea eax, dword ptr [esp] 0040201A |. 53 push ebx 0040201B |. 55 push ebp 0040201C |. 56 push esi 0040201D |. 57 push edi 0040201E |. 8BE9 mov ebp, ecx 00402020 |. 50 push eax 00402021 |. E8 4A040000 call 00402470 00402026 |. BF 34E24000 mov edi, 0040E234 ; ASCII "game.dat" 0040202B |. 83C9 FF or ecx, FFFFFFFF 0040202E |. 33C0 xor eax, eax 00402030 |. 8D5424 14 lea edx, dword ptr [esp+14] 00402034 |. F2:AE repne scas byte ptr es:[edi] 00402036 |. F7D1 not ecx 00402038 |. 2BF9 sub edi, ecx 0040203A |. 68 30E24000 push 0040E230 ; /mode = "rb" 0040203F |. 8BF7 mov esi, edi ; | 00402041 |. 8BD9 mov ebx, ecx ; | 00402043 |. 8BFA mov edi, edx ; | 00402045 |. 83C9 FF or ecx, FFFFFFFF ; | 00402048 |. F2:AE repne scas byte ptr es:[edi] ; | 0040204A |. 8BCB mov ecx, ebx ; | 0040204C |. 4F dec edi ; | 0040204D |. C1E9 02 shr ecx, 2 ; | 00402050 |. F3:A5 rep movs dword ptr es:[edi], dword p>; | 00402052 |. 8BCB mov ecx, ebx ; | 00402054 |. 8D4424 18 lea eax, dword ptr [esp+18] ; | 00402058 |. 83E1 03 and ecx, 3 ; | 0040205B |. 50 push eax ; |path 0040205C |. F3:A4 rep movs byte ptr es:[edi], byte ptr>; | 0040205E |. 90 nop ; | 0040205F |. E8 ACCF8077 call msvcrt.fopen ; \fopen 00402064 |. 8B35 1CC34000 mov esi, dword ptr [40C31C] ; msvcrt.fseek 0040206A |. 8BF8 mov edi, eax 0040206C |. 6A 02 push 2 ; /whence = SEEK_END 0040206E |. 6A 00 push 0 ; |offset = 0 00402070 |. 57 push edi ; |stream 00402071 |. FFD6 call esi ; \fseek 00402073 |. 57 push edi ; /stream 00402074 |. 90 nop ; | 00402075 |. E8 FAF48077 call msvcrt.ftell ; \ftell 0040207A |. 6A 00 push 0 0040207C |. 6A 00 push 0 0040207E |. 57 push edi 0040207F |. 8BD8 mov ebx, eax 00402081 |. FFD6 call esi 00402083 |. 53 push ebx 00402084 |. 
E8 8D8E0000 call 0040AF16 00402089 |. 57 push edi ; /stream 0040208A |. 8BF0 mov esi, eax ; | 0040208C |. 6A 01 push 1 ; |n = 1 0040208E |. 53 push ebx ; |size 0040208F |. 56 push esi ; |ptr 00402090 |. 90 nop ; | 00402091 |. E8 65F18077 call msvcrt.fread ; \fread 00402096 |. 57 push edi ; /stream 00402097 |. 90 nop ; | 00402098 |. E8 14EA8077 call msvcrt.fclose ; \fclose 0040209D |. 8B0D 20E04000 mov ecx, dword ptr [40E020] ; Srobot.0040E12C 004020A3 |. 83C4 40 add esp, 40 004020A6 |. 51 push ecx 004020A7 |. 53 push ebx 004020A8 |. 56 push esi 004020A9 |. 8BCD mov ecx, ebp 004020AB |. E8 C04D0000 call 00406E70 ; Game.dat 解密 004020B0 |. 56 push esi ; READ 第1段 004020B1 |. E8 7A160000 call 00403730 004020B6 |. 8BF8 mov edi, eax 004020B8 |. 83C7 04 add edi, 4 004020BB |. 8D1437 lea edx, dword ptr [edi+esi] 004020BE |. 52 push edx ; READ 第2段 004020BF |. E8 6C160000 call 00403730 004020C4 |. 8D7C07 04 lea edi, dword ptr [edi+eax+4] 004020C8 |. 8D0437 lea eax, dword ptr [edi+esi] 004020CB |. 50 push eax ; READ 第3段 004020CC |. E8 5F160000 call 00403730 004020D1 |. 8D7C07 04 lea edi, dword ptr [edi+eax+4] 004020D5 |. 8D0C37 lea ecx, dword ptr [edi+esi] 004020D8 |. 51 push ecx ; READ 第4段(技能資料表) 004020D9 |. E8 52160000 call 00403730 004020DE |. 8D7C07 04 lea edi, dword ptr [edi+eax+4] 004020E2 |. 8D1437 lea edx, dword ptr [edi+esi] 004020E5 |. 52 push edx ; READ 第5段 004020E6 |. E8 45160000 call 00403730 004020EB |. 8D7C07 04 lea edi, dword ptr [edi+eax+4] 004020EF |. 8D0437 lea eax, dword ptr [edi+esi] 004020F2 |. 50 push eax ; READ 第6段 004020F3 |. E8 38160000 call 00403730 004020F8 |. 8D7C07 04 lea edi, dword ptr [edi+eax+4] 004020FC |. 8D0C37 lea ecx, dword ptr [edi+esi] 004020FF |. 51 push ecx ; READ 第7段(怪物ID) 00402100 |. E8 2B160000 call 00403730 00402105 |. 8D7C07 04 lea edi, dword ptr [edi+eax+4] 00402109 |. 8D1437 lea edx, dword ptr [edi+esi] 0040210C |. 52 push edx ; READ 第8段 0040210D |. E8 1E160000 call 00403730 00402112 |. 
8D7C07 04 lea edi, dword ptr [edi+eax+4] 00402116 |. 8D0437 lea eax, dword ptr [edi+esi] 00402119 |. 50 push eax ; READ 第9段 0040211A |. E8 11160000 call 00403730 0040211F |. 8D7C07 04 lea edi, dword ptr [edi+eax+4] 00402123 |. 8D0C37 lea ecx, dword ptr [edi+esi] 00402126 |. 51 push ecx ; READ 第10段 00402127 |. E8 04160000 call 00403730 0040212C |. 8D7C07 04 lea edi, dword ptr [edi+eax+4] 00402130 |. 8D1437 lea edx, dword ptr [edi+esi] 00402133 |. 52 push edx ; READ 第11段 00402134 |. E8 F7150000 call 00403730 00402139 |. 8D7C07 04 lea edi, dword ptr [edi+eax+4] 0040213D |. 03FE add edi, esi 0040213F |. 57 push edi ; READ 第12段 (silk.dll 覆寫) 00402140 |. E8 EB150000 call 00403730 00402145 |. 83C4 30 add esp, 30 00402148 |. 83C7 04 add edi, 4 0040214B |. 8BCD mov ecx, ebp 0040214D |. 50 push eax 0040214E |. 57 push edi 0040214F |. E8 1C000000 call 00402170 ; jmp mfc42.#operator new_823 00402154 |. 56 push esi 00402155 |. E8 B68D0000 call 0040AF10 ; jmp mfc42.#operator delete_825 0040215A |. 83C4 04 add esp, 4 0040215D |. 5F pop edi 0040215E |. 5E pop esi 0040215F |. 5D pop ebp 00402160 |. 5B pop ebx 00402161 |. 81C4 00010000 add esp, 100 00402167 \. C3 retn ------------------------------ 解 game.dat 第4段與第7段的方法 ------------------------------ 打開 Srobot.exe 搜尋字串 Game.dat 發現有三個 第二個字串處代碼後面進入VM 這裡是技能資料表解密的地方 第三個字串處代碼後面進入VM 這裡是怪物ID料表解密的地方 先RUN一次, 在 004020B0 push esi(READ 第1段) 這裡下斷點 把第一次解密的Game.dat DUMP出來, 並紀錄第4段與第7段在記憶體(內存)的指標(指針). A.第7段解密 在沒加VM的地方 00402010 sub esp, 100 下斷點. 在第二個Game.dat字串代碼頭 004021C0 push ebp 的地方 新建EIP. 然後在dat解密的 Call 裡面 00406E70 下斷點 然後按 F9 RUN 解密 Game.dat 第二次又斷在 00406E70 解密第4段技能資料表 第4段解壓縮大小=000003E8 B.第7段解密 在沒加VM的地方 00402010 sub esp, 100 下斷點. 在第三個Game.dat字串代碼頭 00402300 push ebp 的地方 新建EIP. 然後在dat解密的 Call 裡面 00406E70 下斷點 然後按 F9 RUN 解密 Game.dat 第二次又斷在 00406E70 解密第7段怪物ID資料表 第7段解壓縮大小=00001A38 00406E70 /$ 8B5424 08 mov edx, dword ptr [esp+8] ; 這裡下斷 EDX=大小 00406E74 |. 8B4424 04 mov eax, dword ptr [esp+4] ; EAX=Game.dat解壓縮存放指標 00406E78 |. 
B9 01000000 mov ecx, 1 00406E7D |. 3BD1 cmp edx, ecx 00406E7F |. 8D4410 FF lea eax, dword ptr [eax+edx-1] 00406E83 |. 76 1E jbe short 00406EA3 00406E85 |. 53 push ebx 00406E86 |. 56 push esi 00406E87 |. 8B7424 14 mov esi, dword ptr [esp+14] 00406E8B |> 33DB /xor ebx, ebx 00406E8D |. 8A58 FF |mov bl, byte ptr [eax-1] 00406E90 |. 8A1C33 |mov bl, byte ptr [ebx+esi] 00406E93 |. 3218 |xor bl, byte ptr [eax] 00406E95 |. 32D9 |xor bl, cl 00406E97 |. 32DA |xor bl, dl 00406E99 |. 8818 |mov byte ptr [eax], bl 00406E9B |. 48 |dec eax 00406E9C |. 41 |inc ecx 00406E9D |. 3BCA |cmp ecx, edx 00406E9F |.^ 72 EA \jb short 00406E8B 00406EA1 |. 5E pop esi ; 這裡按F4解壓成功 看EAX 指標內的數據 00406EA2 |. 5B pop ebx 00406EA3 \> C2 0C00 retn 0C 將第4段與第7段解密的數據複製起來,在用HEX編輯工具如WinHEX,寫到Game.dat第1次Dump的文件. 完全解密的 Game.dat 大公告成... --------------------------- Case 501 分析 --------------------------- 跟蹤 recv 到 Case 501封包處理代碼 10018B3D |> \8D46 02 lea eax, dword ptr [esi+2] ; Case 501 of switch 10018A9B 10018B40 |. 50 push eax 10018B41 |. E8 6A170000 call 1001A2B0 10018B46 |. 8B4F 08 mov ecx, dword ptr [edi+8] 10018B49 |. 25 FFFF0000 and eax, 0FFFF 10018B4E |. 83C4 04 add esp, 4 10018B51 |. 83C0 FC add eax, -4 10018B54 |. 83C6 04 add esi, 4 10018B57 |. 50 push eax 10018B58 |. 56 push esi 10018B59 |. E8 C2530200 call 1003DF20 ; 進入501封包處理 進入 Call 1003DF20 來到 1003DF20 /$ 53 push ebx 1003DF21 |. 8B5C24 08 mov ebx, dword ptr [esp+8] 1003DF25 |. 56 push esi 1003DF26 |. 57 push edi 1003DF27 |. 8B7C24 14 mov edi, dword ptr [esp+14] 1003DF2B |. 8BF1 mov esi, ecx 1003DF2D |. 57 push edi 1003DF2E |. 53 push ebx 1003DF2F |. E8 CCFFFFFF call 1003DF00 ; 解密501封包資料 1003DF34 |. 8B46 10 mov eax, dword ptr [esi+10] 1003DF37 |. 57 push edi 1003DF38 |. 53 push ebx 1003DF39 |. 8B88 A04B0100 mov ecx, dword ptr [eax+14BA0] 1003DF3F |. E8 8C8EFDFF call 10016DD0 ; 解壓縮Game.dat 並寫入第4段解密資料 1003DF44 |. 8B4E 10 mov ecx, dword ptr [esi+10] 1003DF47 |. C786 10050000 0100>mov dword ptr [esi+510], 1 1003DF51 |. 
E8 7ABDFEFF call 10029CD0 1003DF56 |. 8B4E 10 mov ecx, dword ptr [esi+10] 1003DF59 |. E8 A260FEFF call 10024000 1003DF5E |. 5F pop edi 1003DF5F |. 5E pop esi 1003DF60 |. 5B pop ebx 1003DF61 \. C2 0800 retn 8 再進入 call 10016DD0 來到 10016DD0 /$ 81EC 08010000 sub esp, 108 10016DD6 |. 53 push ebx 10016DD7 |. 55 push ebp 10016DD8 |. 56 push esi 10016DD9 |. 8D4424 14 lea eax, dword ptr [esp+14] 10016DDD |. 57 push edi 10016DDE |. 8BE9 mov ebp, ecx 10016DE0 |. 50 push eax 10016DE1 |. 896C24 14 mov dword ptr [esp+14], ebp 10016DE5 |. E8 86100000 call 10017E70 10016DEA |. BF 48670510 mov edi, 10056748 ; ASCII "game.dat" 10016DEF |. 83C9 FF or ecx, FFFFFFFF 10016DF2 |. 33C0 xor eax, eax 10016DF4 |. 8D5424 1C lea edx, dword ptr [esp+1C] 10016DF8 |. F2:AE repne scas byte ptr es:[edi] 10016DFA |. F7D1 not ecx 10016DFC |. 2BF9 sub edi, ecx 10016DFE |. 68 A8630510 push 100563A8 ; /mode = "rb" 10016E03 |. 8BF7 mov esi, edi ; | 10016E05 |. 8BD9 mov ebx, ecx ; | 10016E07 |. 8BFA mov edi, edx ; | 10016E09 |. 83C9 FF or ecx, FFFFFFFF ; | 10016E0C |. F2:AE repne scas byte ptr es:[edi] ; | 10016E0E |. 8BCB mov ecx, ebx ; | 10016E10 |. 4F dec edi ; | 10016E11 |. C1E9 02 shr ecx, 2 ; | 10016E14 |. F3:A5 rep movs dword ptr es:[edi], dword>; | 10016E16 |. 8BCB mov ecx, ebx ; | 10016E18 |. 8D4424 20 lea eax, dword ptr [esp+20] ; | 10016E1C |. 83E1 03 and ecx, 3 ; | 10016E1F |. 50 push eax ; |path 10016E20 |. F3:A4 rep movs byte ptr es:[edi], byte p>; | 10016E22 |. FF15 04D60410 call dword ptr [1004D604] ; \fopen 10016E28 |. 8B1D E4D50410 mov ebx, dword ptr [1004D5E4] ; msvcrt.fseek 10016E2E |. 8BF0 mov esi, eax 10016E30 |. 6A 02 push 2 ; /whence = SEEK_END 10016E32 |. 6A 00 push 0 ; |offset = 0 10016E34 |. 56 push esi ; |stream 10016E35 |. FFD3 call ebx ; \fseek 10016E37 |. 56 push esi ; /stream 10016E38 |. FF15 E8D50410 call dword ptr [1004D5E8] ; \ftell 10016E3E |. 6A 00 push 0 10016E40 |. 6A 00 push 0 10016E42 |. 56 push esi 10016E43 |. 8BF8 mov edi, eax 10016E45 |. 
FFD3 call ebx 10016E47 |. 57 push edi 10016E48 |. E8 BD1D0300 call 10048C0A ; jmp 到 mfc42.#operator new_823 10016E4D |. 56 push esi ; /stream 10016E4E |. 8BD8 mov ebx, eax ; | 10016E50 |. 6A 01 push 1 ; |n = 1 10016E52 |. 57 push edi ; |size 10016E53 |. 53 push ebx ; |ptr 10016E54 |. FF15 ECD50410 call dword ptr [1004D5EC] ; \fread 10016E5A |. 56 push esi ; /stream 10016E5B |. FF15 0CD60410 call dword ptr [1004D60C] ; \fclose 10016E61 |. 83C4 40 add esp, 40 10016E64 |. 8BCD mov ecx, ebp 10016E66 |. 57 push edi 10016E67 |. 53 push ebx 10016E68 |. E8 C392FFFF call 10010130 ; 解壓縮 Game.dat 10016E6D |. 53 push ebx ; READ 第1段 10016E6E |. E8 BD7F0200 call 1003EE30 10016E73 |. 8BF0 mov esi, eax 10016E75 |. 83C6 04 add esi, 4 10016E78 |. 8D0C1E lea ecx, dword ptr [esi+ebx] 10016E7B |. 51 push ecx ; READ 第2段 10016E7C |. E8 AF7F0200 call 1003EE30 10016E81 |. 8D7406 04 lea esi, dword ptr [esi+eax+4] 10016E85 |. 8D141E lea edx, dword ptr [esi+ebx] 10016E88 |. 52 push edx ; READ 第3段 10016E89 |. E8 A27F0200 call 1003EE30 10016E8E |. 8D7406 04 lea esi, dword ptr [esi+eax+4] 10016E92 |. 8D2C1E lea ebp, dword ptr [esi+ebx] 10016E95 |. 55 push ebp ; READ 第4段 10016E96 |. E8 957F0200 call 1003EE30 10016E9B |. 8B8C24 30010000 mov ecx, dword ptr [esp+130] 10016EA2 |. 8BB424 2C010000 mov esi, dword ptr [esp+12C] ;解密後的資料指標移到ESI 10016EA9 |. 83C4 10 add esp, 10 10016EAC |. 83C5 04 add ebp, 4 10016EAF |. 8BFD mov edi, ebp 10016EB1 |. 8BD1 mov edx, ecx 10016EB3 |. C1E9 02 shr ecx, 2 10016EB6 |. F3:A5 rep movs dword ptr es:[edi], dword> 10016EB8 |. 8BCA mov ecx, edx 10016EBA |. 6A 00 push 0 ; /pDefaultCharUsed = NULL 10016EBC |. 99 cdq ; | 10016EBD |. 83E1 03 and ecx, 3 ; | 10016EC0 |. 2BC2 sub eax, edx ; | 10016EC2 |. F3:A4 rep movs byte ptr es:[edi], byte p>; | 10016EC4 |. 8BF0 mov esi, eax ; | 10016EC6 |. 6A 00 push 0 ; |pDefaultChar = NULL 10016EC8 |. D1FE sar esi, 1 ; | 10016ECA |. 6A 00 push 0 ; |MultiByteCount = 0 10016ECC |. 6A 00 push 0 ; |MultiByteStr = NULL 10016ECE |. 
56 push esi ; |WideCharCount 10016ECF |. 55 push ebp ; |WideCharStr 10016ED0 |. 6A 00 push 0 ; |Options = 0 10016ED2 |. 6A 00 push 0 ; |CodePage = CP_ACP 10016ED4 |. FF15 6CD00410 call dword ptr [1004D06C] ; \WideCharToMultiByte 10016EDA |. 8BF8 mov edi, eax 10016EDC |. 57 push edi 10016EDD |. E8 281D0300 call 10048C0A ; jmp 到 mfc42.#operator new_823 10016EE2 |. 83C4 04 add esp, 4 10016EE5 |. 894424 14 mov dword ptr [esp+14], eax 10016EE9 |. 6A 00 push 0 ; /pDefaultCharUsed = NULL 10016EEB |. 6A 00 push 0 ; |pDefaultChar = NULL 10016EED |. 57 push edi ; |MultiByteCount 10016EEE |. 50 push eax ; |MultiByteStr 10016EEF |. 56 push esi ; |WideCharCount 10016EF0 |. 55 push ebp ; |WideCharStr 10016EF1 |. 6A 00 push 0 ; |Options = 0 10016EF3 |. 6A 00 push 0 ; |CodePage = CP_ACP 10016EF5 |. FF15 6CD00410 call dword ptr [1004D06C] ; \WideCharToMultiByte 10016EFB |. 8B7424 14 mov esi, dword ptr [esp+14] 10016EFF |. 8B4C24 10 mov ecx, dword ptr [esp+10] 10016F03 |. 57 push edi 10016F04 |. 56 push esi 10016F05 |. E8 F694FFFF call 10010400 ; 解密的資料表處理 10016F0A |. 56 push esi ; /block 10016F0B |. E8 F41C0300 call 10048C04 ; \free 10016F10 |. 53 push ebx ; /block 10016F11 |. E8 EE1C0300 call 10048C04 ; \free 10016F16 |. 83C4 08 add esp, 8 10016F19 |. 5F pop edi 10016F1A |. 5E pop esi 10016F1B |. 5D pop ebp 10016F1C |. 5B pop ebx 10016F1D |. 81C4 08010000 add esp, 108 10016F23 \. C2 0800 retn 8 紀錄下 call 10010400 ; 解密的資料表處理,後面打Patch用. --------------------------- Case 502 分析 --------------------------- 10018B17 |. 8D56 02 lea edx, dword ptr [esi+2] ; Case 502 of switch 10018A9B 10018B1A |. 52 push edx 10018B1B |. E8 90170000 call 1001A2B0 10018B20 |. 8B4F 08 mov ecx, dword ptr [edi+8] 10018B23 |. 25 FFFF0000 and eax, 0FFFF 10018B28 |. 83C4 04 add esp, 4 10018B2B |. 83C0 FC add eax, -4 10018B2E |. 83C6 04 add esi, 4 10018B31 |. 50 push eax 10018B32 |. 56 push esi 10018B33 |. E8 38540200 call 1003DF70 ; 進入502封包處理 進入 call 1003DF70 來到 1003DF70 /$ 53 push ebx 1003DF71 |. 
8B5C24 08 mov ebx, dword ptr [esp+8] 1003DF75 |. 56 push esi 1003DF76 |. 57 push edi 1003DF77 |. 8B7C24 14 mov edi, dword ptr [esp+14] 1003DF7B |. 8BF1 mov esi, ecx 1003DF7D |. 57 push edi 1003DF7E |. 53 push ebx 1003DF7F |. E8 7CFFFFFF call 1003DF00 ; 解密502封包資料 1003DF84 |. 8B46 10 mov eax, dword ptr [esi+10] 1003DF87 |. 57 push edi 1003DF88 |. 53 push ebx 1003DF89 |. 8B88 A04B0100 mov ecx, dword ptr [eax+14BA0] 1003DF8F |. E8 9C8FFDFF call 10016F30 ; 解密怪物ID資料表處理 1003DF94 |. 8B4E 10 mov ecx, dword ptr [esi+10] 1003DF97 |. E8 84BDFEFF call 10029D20 1003DF9C |. 5F pop edi 1003DF9D |. 5E pop esi 1003DF9E |. 5B pop ebx 1003DF9F \. C2 0800 retn 8 進入 call 10016F30 來到 10016F30 /$ 8B4424 08 mov eax, dword ptr [esp+8] 10016F34 |. 8B5424 04 mov edx, dword ptr [esp+4] 10016F38 |. 50 push eax 10016F39 |. 52 push edx 10016F3A |. E8 71BBFFFF call 10012AB0 ; 解密的資料表處理 10016F3F \. C2 0800 retn 8 紀錄下 call 10012AB0 ; 解密的資料表處理,後面打Patch用. ------------------------------ silk.dll Game.dat Patch ------------------------------ Silk.dll Hook 遊戲客戶端後會預先載入 Game.dat 這時候他的第4段跟第7段部分,沒有做載入資料表的處理.須通過原動力server驗證有註冊的用戶, 才會接收到 501 502 的封包然後把解密資料寫入 第4段跟第7段存放的記憶體空間(內存). 所以要在Silk.dll Game.dat 預先載入的代碼裡面 在第4段與第7段處理代碼打上Patch 找到 10012430 /$ 81EC 14010000 sub esp, 114 10012436 |. 53 push ebx 10012437 |. 55 push ebp 10012438 |. 56 push esi 10012439 |. 8D4424 20 lea eax, dword ptr [esp+20] 1001243D |. 57 push edi 1001243E |. 8BD9 mov ebx, ecx 10012440 |. 50 push eax 10012441 |. E8 2A5A0000 call 10017E70 10012446 |. BF 48670510 mov edi, 10056748 ; ASCII "game.dat" 1001244B |. 83C9 FF or ecx, FFFFFFFF 1001244E |. 33C0 xor eax, eax 10012450 |. 8D5424 28 lea edx, dword ptr [esp+28] 10012454 |. F2:AE repne scas byte ptr es:[edi] 10012456 |. F7D1 not ecx 10012458 |. 2BF9 sub edi, ecx 1001245A |. 68 A8630510 push 100563A8 ; /mode = "rb" 1001245F |. 8BF7 mov esi, edi ; | 10012461 |. 8BE9 mov ebp, ecx ; | 10012463 |. 8BFA mov edi, edx ; | 10012465 |. 83C9 FF or ecx, FFFFFFFF ; | 10012468 |. 
F2:AE repne scas byte ptr es:[edi] ; | 1001246A |. 8BCD mov ecx, ebp ; | 1001246C |. 4F dec edi ; | 1001246D |. C1E9 02 shr ecx, 2 ; | 10012470 |. F3:A5 rep movs dword ptr es:[edi], dwo>; | 10012472 |. 8BCD mov ecx, ebp ; | 10012474 |. 8D4424 2C lea eax, dword ptr [esp+2C] ; | 10012478 |. 83E1 03 and ecx, 3 ; | 1001247B |. 50 push eax ; |path 1001247C |. F3:A4 rep movs byte ptr es:[edi], byte>; | 1001247E |. FF15 04D60410 call dword ptr [1004D604] ; \fopen 10012484 |. 8B35 E4D50410 mov esi, dword ptr [1004D5E4] ; msvcrt.fseek 1001248A |. 8BF8 mov edi, eax 1001248C |. 6A 02 push 2 ; /whence = SEEK_END 1001248E |. 6A 00 push 0 ; |offset = 0 10012490 |. 57 push edi ; |stream 10012491 |. FFD6 call esi ; \fseek 10012493 |. 57 push edi ; /stream 10012494 |. FF15 E8D50410 call dword ptr [1004D5E8] ; \ftell 1001249A |. 6A 00 push 0 1001249C |. 6A 00 push 0 1001249E |. 57 push edi 1001249F |. 8BE8 mov ebp, eax 100124A1 |. FFD6 call esi 100124A3 |. 55 push ebp 100124A4 |. E8 61670300 call 10048C0A ; jmp 到 mfc42.#operator new_823 100124A9 |. 57 push edi ; /stream 100124AA |. 8BF0 mov esi, eax ; | 100124AC |. 6A 01 push 1 ; |n = 1 100124AE |. 55 push ebp ; |size 100124AF |. 56 push esi ; |ptr 100124B0 |. FF15 ECD50410 call dword ptr [1004D5EC] ; \fread 100124B6 |. 57 push edi ; /stream 100124B7 |. FF15 0CD60410 call dword ptr [1004D60C] ; \fclose 100124BD |. 83C4 40 add esp, 40 100124C0 |. 8BCB mov ecx, ebx 100124C2 |. 55 push ebp ; 這裡NOP 100124C3 |. 56 push esi ; 這裡NOP 100124C4 |. E8 67DCFFFF call 10010130 ; 這裡NOP 解壓縮 Game.dat 100124C9 |. 56 push esi ; READ 第1段 100124CA |. E8 61C90200 call 1003EE30 100124CF |. 894424 1C mov dword ptr [esp+1C], eax 100124D3 |. 83C4 04 add esp, 4 100124D6 |. 99 cdq 100124D7 |. 2BC2 sub eax, edx 100124D9 |. 8B3D 6CD00410 mov edi, dword ptr [1004D06C] ; kernel32.WideCharToMultiByte 100124DF |. 8BE8 mov ebp, eax 100124E1 |. 6A 00 push 0 ; /pDefaultCharUsed = NULL 100124E3 |. 6A 00 push 0 ; |pDefaultChar = NULL 100124E5 |. 
6A 00 push 0 ; |MultiByteCount = 0 100124E7 |. D1FD sar ebp, 1 ; | 100124E9 |. 8D46 04 lea eax, dword ptr [esi+4] ; | 100124EC |. 6A 00 push 0 ; |MultiByteStr = NULL 100124EE |. 55 push ebp ; |WideCharCount 100124EF |. 50 push eax ; |WideCharStr 100124F0 |. 6A 00 push 0 ; |Options = 0 100124F2 |. 6A 00 push 0 ; |CodePage = CP_ACP 100124F4 |. FFD7 call edi ; \WideCharToMultiByte 100124F6 |. 50 push eax 100124F7 |. 894424 14 mov dword ptr [esp+14], eax 100124FB |. E8 0A670300 call 10048C0A ; jmp 到 mfc42.#operator new_823 10012500 |. 8B4C24 14 mov ecx, dword ptr [esp+14] 10012504 |. 83C4 04 add esp, 4 10012507 |. 894424 1C mov dword ptr [esp+1C], eax 1001250B |. 6A 00 push 0 1001250D |. 6A 00 push 0 1001250F |. 51 push ecx 10012510 |. 50 push eax 10012511 |. 8D46 04 lea eax, dword ptr [esi+4] 10012514 |. 55 push ebp 10012515 |. 50 push eax 10012516 |. 6A 00 push 0 10012518 |. 6A 00 push 0 1001251A |. FFD7 call edi 1001251C |. 8B5424 10 mov edx, dword ptr [esp+10] 10012520 |. 8B6C24 1C mov ebp, dword ptr [esp+1C] 10012524 |. 52 push edx 10012525 |. 55 push ebp 10012526 |. 8BCB mov ecx, ebx 10012528 |. E8 43E4FFFF call 10010970 ; 第1段資料表處理 1001252D |. 55 push ebp ; /block 1001252E |. E8 D1660300 call 10048C04 ; \free 10012533 |. 8B4424 1C mov eax, dword ptr [esp+1C] 10012537 |. 83C0 04 add eax, 4 1001253A |. 894424 18 mov dword ptr [esp+18], eax 1001253E |. 03C6 add eax, esi 10012540 |. 50 push eax ; READ 第2段 10012541 |. E8 EAC80200 call 1003EE30 10012546 |. 8B4C24 1C mov ecx, dword ptr [esp+1C] 1001254A |. 894424 20 mov dword ptr [esp+20], eax 1001254E |. 99 cdq 1001254F |. 83C4 08 add esp, 8 10012552 |. 2BC2 sub eax, edx 10012554 |. 8BE8 mov ebp, eax 10012556 |. 8D0431 lea eax, dword ptr [ecx+esi] 10012559 |. 6A 00 push 0 1001255B |. 6A 00 push 0 1001255D |. D1FD sar ebp, 1 1001255F |. 6A 00 push 0 10012561 |. 83C0 04 add eax, 4 10012564 |. 6A 00 push 0 10012566 |. 55 push ebp 10012567 |. 50 push eax 10012568 |. 6A 00 push 0 1001256A |. 6A 00 push 0 1001256C |. 
894424 40 mov dword ptr [esp+40], eax 10012570 |. FFD7 call edi 10012572 |. 50 push eax 10012573 |. 894424 14 mov dword ptr [esp+14], eax 10012577 |. E8 8E660300 call 10048C0A ; jmp 到 mfc42.#operator new_823 1001257C |. 8B5424 14 mov edx, dword ptr [esp+14] 10012580 |. 83C4 04 add esp, 4 10012583 |. 894424 1C mov dword ptr [esp+1C], eax 10012587 |. 6A 00 push 0 10012589 |. 6A 00 push 0 1001258B |. 52 push edx 1001258C |. 50 push eax 1001258D |. 8B4424 30 mov eax, dword ptr [esp+30] 10012591 |. 55 push ebp 10012592 |. 50 push eax 10012593 |. 6A 00 push 0 10012595 |. 6A 00 push 0 10012597 |. FFD7 call edi 10012599 |. 8B4C24 10 mov ecx, dword ptr [esp+10] 1001259D |. 8B6C24 1C mov ebp, dword ptr [esp+1C] 100125A1 |. 51 push ecx 100125A2 |. 55 push ebp 100125A3 |. 8BCB mov ecx, ebx 100125A5 |. E8 26E1FFFF call 100106D0 ; 第2段資料表處理 100125AA |. 55 push ebp ; /block 100125AB |. E8 54660300 call 10048C04 ; \free 100125B0 |. 8B5424 18 mov edx, dword ptr [esp+18] 100125B4 |. 8B4424 1C mov eax, dword ptr [esp+1C] 100125B8 |. 8D4402 04 lea eax, dword ptr [edx+eax+4] 100125BC |. 894424 18 mov dword ptr [esp+18], eax 100125C0 |. 03C6 add eax, esi 100125C2 |. 50 push eax ; READ 第3段 100125C3 |. E8 68C80200 call 1003EE30 100125C8 |. 894424 20 mov dword ptr [esp+20], eax 100125CC |. 83C4 08 add esp, 8 100125CF |. 99 cdq 100125D0 |. 2BC2 sub eax, edx 100125D2 |. 8B4C24 14 mov ecx, dword ptr [esp+14] 100125D6 |. 8BE8 mov ebp, eax 100125D8 |. 6A 00 push 0 100125DA |. 6A 00 push 0 100125DC |. 8D0431 lea eax, dword ptr [ecx+esi] 100125DF |. 6A 00 push 0 100125E1 |. D1FD sar ebp, 1 100125E3 |. 83C0 04 add eax, 4 100125E6 |. 6A 00 push 0 100125E8 |. 55 push ebp 100125E9 |. 50 push eax 100125EA |. 6A 00 push 0 100125EC |. 6A 00 push 0 100125EE |. 894424 40 mov dword ptr [esp+40], eax 100125F2 |. FFD7 call edi 100125F4 |. 50 push eax 100125F5 |. 894424 14 mov dword ptr [esp+14], eax 100125F9 |. E8 0C660300 call 10048C0A ; jmp 到 mfc42.#operator new_823 100125FE |. 
8B5424 14 mov edx, dword ptr [esp+14] 10012602 |. 83C4 04 add esp, 4 10012605 |. 894424 1C mov dword ptr [esp+1C], eax 10012609 |. 6A 00 push 0 1001260B |. 6A 00 push 0 1001260D |. 52 push edx 1001260E |. 50 push eax 1001260F |. 8B4424 30 mov eax, dword ptr [esp+30] 10012613 |. 55 push ebp 10012614 |. 50 push eax 10012615 |. 6A 00 push 0 10012617 |. 6A 00 push 0 10012619 |. FFD7 call edi 1001261B |. 8B4C24 10 mov ecx, dword ptr [esp+10] 1001261F |. 8B6C24 1C mov ebp, dword ptr [esp+1C] 10012623 |. 51 push ecx 10012624 |. 55 push ebp 10012625 |. 8BCB mov ecx, ebx 10012627 |. E8 94020000 call 100128C0 ; 第3段資料表處理 1001262C |. 55 push ebp ; /block 1001262D |. E8 D2650300 call 10048C04 ; \free 10012632 |. 8B5424 18 mov edx, dword ptr [esp+18] 10012636 |. 8B4424 1C mov eax, dword ptr [esp+1C] 1001263A |. 8D6C02 04 lea ebp, dword ptr [edx+eax+4] ; 這裡以下NOP 改為 JMP <Patch1> 1001263E |. 8D0C2E lea ecx, dword ptr [esi+ebp] 10012641 |. 51 push ecx ; READ 第4段(技能資料表) 10012642 |. E8 E9C70200 call 1003EE30 10012647 |. 8D6C28 04 lea ebp, dword ptr [eax+ebp+4] 1001264B |. 896C24 1C mov dword ptr [esp+1C], ebp 1001264F |. 8D042E lea eax, dword ptr [esi+ebp] ; NOP到這裡****************** 10012652 |. 50 push eax ; READ 第5段 <Patch Run 完跳回這裡> 10012653 |. E8 D8C70200 call 1003EE30 10012658 |. 894424 24 mov dword ptr [esp+24], eax 1001265C |. 83C4 0C add esp, 0C 1001265F |. 99 cdq 10012660 |. 2BC2 sub eax, edx 10012662 |. 8B5424 14 mov edx, dword ptr [esp+14] 10012666 |. 8BE8 mov ebp, eax 10012668 |. 6A 00 push 0 1001266A |. 8D0432 lea eax, dword ptr [edx+esi] 1001266D |. 6A 00 push 0 1001266F |. D1FD sar ebp, 1 10012671 |. 6A 00 push 0 10012673 |. 83C0 04 add eax, 4 10012676 |. 6A 00 push 0 10012678 |. 55 push ebp 10012679 |. 50 push eax 1001267A |. 6A 00 push 0 1001267C |. 6A 00 push 0 1001267E |. 894424 40 mov dword ptr [esp+40], eax 10012682 |. FFD7 call edi 10012684 |. 50 push eax 10012685 |. 894424 14 mov dword ptr [esp+14], eax 10012689 |. 
E8 7C650300 call 10048C0A ; jmp 到 mfc42.#operator new_823 1001268E |. 8B4C24 14 mov ecx, dword ptr [esp+14] 10012692 |. 8B5424 24 mov edx, dword ptr [esp+24] 10012696 |. 83C4 04 add esp, 4 10012699 |. 894424 1C mov dword ptr [esp+1C], eax 1001269D |. 6A 00 push 0 1001269F |. 6A 00 push 0 100126A1 |. 51 push ecx 100126A2 |. 50 push eax 100126A3 |. 55 push ebp 100126A4 |. 52 push edx 100126A5 |. 6A 00 push 0 100126A7 |. 6A 00 push 0 100126A9 |. FFD7 call edi 100126AB |. 8B4424 10 mov eax, dword ptr [esp+10] 100126AF |. 8B6C24 1C mov ebp, dword ptr [esp+1C] 100126B3 |. 50 push eax 100126B4 |. 55 push ebp 100126B5 |. 8BCB mov ecx, ebx 100126B7 |. E8 F4DAFFFF call 100101B0 ; 第5段資料表處理 100126BC |. 55 push ebp ; /block 100126BD |. E8 42650300 call 10048C04 ; \free 100126C2 |. 8B4C24 18 mov ecx, dword ptr [esp+18] 100126C6 |. 8B5424 1C mov edx, dword ptr [esp+1C] 100126CA |. 8D4411 04 lea eax, dword ptr [ecx+edx+4] 100126CE |. 894424 18 mov dword ptr [esp+18], eax 100126D2 |. 03C6 add eax, esi 100126D4 |. 50 push eax ; READ 第6段 100126D5 |. E8 56C70200 call 1003EE30 100126DA |. 894424 20 mov dword ptr [esp+20], eax 100126DE |. 83C4 08 add esp, 8 100126E1 |. 99 cdq 100126E2 |. 2BC2 sub eax, edx 100126E4 |. 6A 00 push 0 100126E6 |. 8BE8 mov ebp, eax 100126E8 |. 8B4424 18 mov eax, dword ptr [esp+18] 100126EC |. 03C6 add eax, esi 100126EE |. 6A 00 push 0 100126F0 |. D1FD sar ebp, 1 100126F2 |. 6A 00 push 0 100126F4 |. 83C0 04 add eax, 4 100126F7 |. 6A 00 push 0 100126F9 |. 55 push ebp 100126FA |. 50 push eax 100126FB |. 6A 00 push 0 100126FD |. 6A 00 push 0 100126FF |. 894424 40 mov dword ptr [esp+40], eax 10012703 |. FFD7 call edi 10012705 |. 50 push eax 10012706 |. 894424 14 mov dword ptr [esp+14], eax 1001270A |. E8 FB640300 call 10048C0A ; jmp 到 mfc42.#operator new_823 1001270F |. 8B4C24 14 mov ecx, dword ptr [esp+14] 10012713 |. 8B5424 24 mov edx, dword ptr [esp+24] 10012717 |. 83C4 04 add esp, 4 1001271A |. 894424 1C mov dword ptr [esp+1C], eax 1001271E |. 
6A 00 push 0 10012720 |. 6A 00 push 0 10012722 |. 51 push ecx 10012723 |. 50 push eax 10012724 |. 55 push ebp 10012725 |. 52 push edx 10012726 |. 6A 00 push 0 10012728 |. 6A 00 push 0 1001272A |. FFD7 call edi 1001272C |. 8B4424 10 mov eax, dword ptr [esp+10] 10012730 |. 8B6C24 1C mov ebp, dword ptr [esp+1C] 10012734 |. 50 push eax 10012735 |. 55 push ebp 10012736 |. 8BCB mov ecx, ebx 10012738 |. E8 F3E8FFFF call 10011030 ; 第6段資料表處理 1001273D |. 55 push ebp ; /block 1001273E |. E8 C1640300 call 10048C04 ; \free 10012743 |. 8B4C24 18 mov ecx, dword ptr [esp+18] 10012747 |. 8B5424 1C mov edx, dword ptr [esp+1C] 1001274B |. 8D6C11 04 lea ebp, dword ptr [ecx+edx+4] 1001274F |. 8D042E lea eax, dword ptr [esi+ebp] 10012752 |. 50 push eax ; READ 第7段 10012753 |. E8 D8C60200 call 1003EE30 10012758 |. 8D6C28 04 lea ebp, dword ptr [eax+ebp+4] ; 這裡以下NOP 改為 JMP <Patch2> 1001275C |. 896C24 1C mov dword ptr [esp+1C], ebp 10012760 |. 8D042E lea eax, dword ptr [esi+ebp] ; NOP 到這裡 10012763 |. 50 push eax ; READ 第8段 <Patch Run 完跳回這裡> 10012764 |. E8 C7C60200 call 1003EE30 技能資料表 Patch 在 1001263A 的地方開始 Patch 改為 10012627 |. E8 94020000 call 100128C0 ; 第3段資料表處理 1001262C |. 55 push ebp ; /block 1001262D |. E8 D2650300 call 10048C04 ; \free 10012632 |. 8B5424 18 mov edx, dword ptr [esp+18] 10012636 |. 8B4424 1C mov eax, dword ptr [esp+1C] 1001263A E9 599F0300 jmp 1004C598 ; 這裡以下NOP 改為 JMP <Patch1> 1001263F 90 nop 10012640 90 nop 10012641 90 nop 10012642 90 nop 10012643 90 nop 10012644 90 nop 10012645 90 nop 10012646 90 nop 10012647 90 nop 10012648 90 nop 10012649 90 nop 1001264A 90 nop 1001264B 90 nop 1001264C 90 nop 1001264D 90 nop 1001264E 90 nop 1001264F 90 nop 10012650 90 nop 10012651 90 nop 10012652 |. 50 push eax ; READ 第5段 <Patch Run 完跳回這裡> E9 59 9F 03 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <Patch1> 1004C598 > \8D4402 04 lea eax, dword ptr [edx+eax+4] ; 技能資料表 Patch1 1004C59C . 894424 18 mov dword ptr [esp+18], eax 1004C5A0 . 03C6 add eax, esi 1004C5A2 . 
50 push eax ; READ 第4段 1004C5A3 . E8 8828FFFF call 1003EE30 1004C5A8 . 8B4C24 1C mov ecx, dword ptr [esp+1C] 1004C5AC . 894424 20 mov dword ptr [esp+20], eax 1004C5B0 . 99 cdq 1004C5B1 . 83C4 08 add esp, 8 1004C5B4 . 2BC2 sub eax, edx 1004C5B6 . 8BE8 mov ebp, eax 1004C5B8 . 8D0431 lea eax, dword ptr [ecx+esi] 1004C5BB . 6A 00 push 0 1004C5BD . 6A 00 push 0 1004C5BF . D1FD sar ebp, 1 1004C5C1 . 6A 00 push 0 1004C5C3 . 83C0 04 add eax, 4 1004C5C6 . 6A 00 push 0 1004C5C8 . 55 push ebp 1004C5C9 . 50 push eax 1004C5CA . 6A 00 push 0 1004C5CC . 6A 00 push 0 1004C5CE . 894424 40 mov dword ptr [esp+40], eax 1004C5D2 . FFD7 call edi 1004C5D4 . 50 push eax 1004C5D5 . 894424 14 mov dword ptr [esp+14], eax 1004C5D9 . E8 2CC6FFFF call 10048C0A ; jmp 到 mfc42.#operator new_823 1004C5DE . 8B5424 14 mov edx, dword ptr [esp+14] 1004C5E2 . 83C4 04 add esp, 4 1004C5E5 . 894424 1C mov dword ptr [esp+1C], eax 1004C5E9 . 6A 00 push 0 1004C5EB . 6A 00 push 0 1004C5ED . 52 push edx 1004C5EE . 50 push eax 1004C5EF . 8B4424 30 mov eax, dword ptr [esp+30] 1004C5F3 . 55 push ebp 1004C5F4 . 50 push eax 1004C5F5 . 6A 00 push 0 1004C5F7 . 6A 00 push 0 1004C5F9 . FFD7 call edi 1004C5FB . 8B4C24 10 mov ecx, dword ptr [esp+10] 1004C5FF . 8B6C24 1C mov ebp, dword ptr [esp+1C] 1004C603 . 51 push ecx 1004C604 . 55 push ebp 1004C605 . 8BCB mov ecx, ebx 1004C607 . E8 F43DFCFF call 10010400 ; 501 Case 紀錄下的 Call <技能資料表處理> 1004C60C . 55 push ebp ; /block 1004C60D . E8 F2C5FFFF call 10048C04 ; \free 1004C612 . 8B5424 18 mov edx, dword ptr [esp+18] 1004C616 . 8B4424 1C mov eax, dword ptr [esp+1C] 1004C61A . 8D4402 04 lea eax, dword ptr [edx+eax+4] 1004C61E . 894424 18 mov dword ptr [esp+18], eax 1004C622 . 
03C6 add eax, esi 1004C624 .^ E9 2960FCFF jmp 10012652 ; JMP TO READ 第5段 8D 44 02 04 89 44 24 18 03 C6 50 E8 88 28 FF FF 8B 4C 24 1C 89 44 24 20 99 83 C4 08 2B C2 8B E8 8D 04 31 6A 00 6A 00 D1 FD 6A 00 83 C0 04 6A 00 55 50 6A 00 6A 00 89 44 24 40 FF D7 50 89 44 24 14 E8 2C C6 FF FF 8B 54 24 14 83 C4 04 89 44 24 1C 6A 00 6A 00 52 50 8B 44 24 30 55 50 6A 00 6A 00 FF D7 8B 4C 24 10 8B 6C 24 1C 51 55 8B CB E8 F4 3D FC FF 55 E8 F2 C5 FF FF 8B 54 24 18 8B 44 24 1C 8D 44 02 04 89 44 24 18 03 C6 E9 29 60 FC FF 怪物ID 資料表 Patch 在 10012758 的地方開始 Patch 10012738 |. E8 F3E8FFFF call 10011030 ; 第6段資料表處理 1001273D |. 55 push ebp ; /block 1001273E |. E8 C1640300 call 10048C04 ; \free 10012743 |. 8B4C24 18 mov ecx, dword ptr [esp+18] 10012747 |. 8B5424 1C mov edx, dword ptr [esp+1C] 1001274B |. 8D6C11 04 lea ebp, dword ptr [ecx+edx+4] 1001274F |. 8D042E lea eax, dword ptr [esi+ebp] 10012752 |. 50 push eax ; READ 第7段 10012753 |. E8 D8C60200 call 1003EE30 10012758 E9 CE9E0300 jmp 1004C62B ; 這裡以下NOP 改為 JMP <Patch2> 1001275D 90 nop 1001275E 90 nop 1001275F 90 nop 10012760 90 nop 10012761 90 nop 10012762 90 nop 10012763 |. 50 push eax ; READ 第8段 <Patch Run 完跳回這裡> E9 CE 9E 03 00 90 90 90 90 90 90 <Patch2> 1004C62B > \83C4 08 add esp, 8 ; 怪物ID資料表 Patch2 1004C62E . 8D4C2E 04 lea ecx, dword ptr [esi+ebp+4] 1004C632 . 894424 18 mov dword ptr [esp+18], eax 1004C636 . 50 push eax 1004C637 . 51 push ecx 1004C638 . 8BCB mov ecx, ebx 1004C63A . E8 7164FCFF call 10012AB0 ; 502 Case 紀錄下的 Call <怪物ID資料表處理> 1004C63F . 8B5424 18 mov edx, dword ptr [esp+18] 1004C643 . 8D6C2A 04 lea ebp, dword ptr [edx+ebp+4] 1004C647 . 896C24 14 mov dword ptr [esp+14], ebp 1004C64B . 8D042E lea eax, dword ptr [esi+ebp] 1004C64E .^ E9 1061FCFF jmp 10012763 ; JMP TO READ 第8段 83 C4 08 8D 4C 2E 04 89 44 24 18 50 51 8B CB E8 71 64 FC FF 8B 54 24 18 8D 6C 2A 04 89 6C 24 14 8D 04 2E E9 10 61 FC FF 到這裡 Silk.dll 破解完成 完全免驗證... 
==================================================== Silk.dll 被覆寫修改 ==================================================== 再來就是 Silk.dll 原始檔案放在 Game.dat 第12段 每次啟動 Srobot.exe 後 Silk.dll 都會被覆寫 所以必須修改 Srobot.exe 把覆寫的 Call NOP 或者進入 Call 在代碼頭改為 retn 8 打開 Srobot.exe 搜尋字串 \silk.dll 找到 00406EB0 /$ 81EC 04010000 sub esp, 104 ; 這裡改為 retn 8 00406EB6 |. A1 C8EC4000 mov eax, dword ptr [40ECC8] 00406EBB |. 53 push ebx 00406EBC |. 8B9C24 100100>mov ebx, dword ptr [esp+110] 00406EC3 |. 55 push ebp 00406EC4 |. 8BAC24 100100>mov ebp, dword ptr [esp+110] 00406ECB |. 56 push esi 00406ECC |. 57 push edi 00406ECD |. 50 push eax 00406ECE |. 53 push ebx 00406ECF |. 55 push ebp 00406ED0 |. E8 9BFFFFFF call 00406E70 00406ED5 |. 8B15 3CEF4000 mov edx, dword ptr [40EF3C] ; Srobot.00400000 00406EDB |. 8D4C24 14 lea ecx, dword ptr [esp+14] 00406EDF |. 68 04010000 push 104 ; /BufSize = 104 (260.) 00406EE4 |. 51 push ecx ; |PathBuffer 00406EE5 |. 52 push edx ; |hModule => 00400000 (Srobot) 00406EE6 |. 90 nop ; | 00406EE7 |. E8 7346407C call kernel32.GetModuleFileName>; \GetModuleFileNameA 00406EEC |. 8D4424 14 lea eax, dword ptr [esp+14] 00406EF0 |. 6A 5C push 5C ; /c = 5C ('\') 00406EF2 |. 50 push eax ; |s 00406EF3 |. 90 nop ; | 00406EF4 |. E8 E70C8177 call msvcrt.strrchr ; \strrchr 00406EF9 |. 8BD0 mov edx, eax 00406EFB |. BF 58EE4000 mov edi, 0040EE58 00406F00 |. 83C9 FF or ecx, FFFFFFFF 00406F03 |. 33C0 xor eax, eax 00406F05 |. 83C4 08 add esp, 8 00406F08 |. F2:AE repne scas byte ptr es:[edi] 00406F0A |. F7D1 not ecx 00406F0C |. 2BF9 sub edi, ecx 00406F0E |. 8BC1 mov eax, ecx 00406F10 |. 8BF7 mov esi, edi 00406F12 |. 8BFA mov edi, edx 00406F14 |. C1E9 02 shr ecx, 2 00406F17 |. F3:A5 rep movs dword ptr es:[edi], d> 00406F19 |. 8BC8 mov ecx, eax 00406F1B |. 33C0 xor eax, eax 00406F1D |. 83E1 03 and ecx, 3 00406F20 |. F3:A4 rep movs byte ptr es:[edi], by> 00406F22 |. BF DCEC4000 mov edi, 0040ECDC ; ASCII "\silk.dll" 00406F27 |. 83C9 FF or ecx, FFFFFFFF 00406F2A |. 
F2:AE repne scas byte ptr es:[edi] 00406F2C |. F7D1 not ecx 00406F2E |. 2BF9 sub edi, ecx 00406F30 |. 8BC1 mov eax, ecx 00406F32 |. 8BF7 mov esi, edi 00406F34 |. 8BFA mov edi, edx 00406F36 |. 8BD0 mov edx, eax 00406F38 |. 83C9 FF or ecx, FFFFFFFF 00406F3B |. 33C0 xor eax, eax 00406F3D |. F2:AE repne scas byte ptr es:[edi] 00406F3F |. 8BCA mov ecx, edx 00406F41 |. 4F dec edi 00406F42 |. C1E9 02 shr ecx, 2 00406F45 |. F3:A5 rep movs dword ptr es:[edi], d> 00406F47 |. 8BCA mov ecx, edx 00406F49 |. 8D4424 14 lea eax, dword ptr [esp+14] 00406F4D |. 83E1 03 and ecx, 3 00406F50 |. 50 push eax ; /FileName 00406F51 |. F3:A4 rep movs byte ptr es:[edi], by>; | 00406F53 |. 90 nop ; | 00406F54 |. E8 6CAF427C call kernel32.DeleteFileA ; \DeleteFileA 00406F59 |. 8D4C24 14 lea ecx, dword ptr [esp+14] 00406F5D |. 68 C0E24000 push 0040E2C0 ; /mode = "w+b" 00406F62 |. 51 push ecx ; |path 00406F63 |. 90 nop ; | 00406F64 |. E8 A7808077 call msvcrt.fopen ; \fopen 00406F69 |. 8BF0 mov esi, eax 00406F6B |. 83C4 08 add esp, 8 00406F6E |. 85F6 test esi, esi 00406F70 |. 74 27 je short 00406F99 00406F72 |. 56 push esi ; /stream 00406F73 |. 6A 01 push 1 ; |n = 1 00406F75 |. 53 push ebx ; |size 00406F76 |. 55 push ebp ; |ptr 00406F77 |. 90 nop ; | 00406F78 |. E8 BEA78077 call msvcrt.fwrite ; \fwrite 00406F7D |. 56 push esi ; /stream 00406F7E |. 90 nop ; | 00406F7F |. E8 2D9B8077 call msvcrt.fclose ; \fclose 00406F84 |. 83C4 14 add esp, 14 00406F87 |. B8 01000000 mov eax, 1 00406F8C |. 5F pop edi 00406F8D |. 5E pop esi 00406F8E |. 5D pop ebp 00406F8F |. 5B pop ebx 00406F90 |. 81C4 04010000 add esp, 104 00406F96 |. C2 0800 retn 8 00406F99 |> 5F pop edi 00406F9A |. 5E pop esi 00406F9B |. 5D pop ebp 00406F9C |. 33C0 xor eax, eax 00406F9E |. 5B pop ebx 00406F9F |. 81C4 04010000 add esp, 104 00406FA5 \. C2 0800 retn 8 00406EB0 的位置改為 retn 8 即可 若下載的 Srobot.exe 有加密, 如加上Themida的殼. 那方法有二 一 DUMP 下來,修復OEP代碼,修復部分輸入表的 call ,讓他可以正常運行掛載即可. 二 找舊版沒加密的 Srobot.exe 來改 |