游戏代码主要的crc检测特征值是:
53 56 57 89 65 e8 c7 45 e4 ff ff ff
直接搜索,会搜索出来2个:一个是动态的,一个是静态的。
搜索出的地址的前面一点就是函数头,不过不能直接ret过crc,因为其它地方会对这个函数代码进行检测的,而且这个函数也需要返回一个值。
函数原型:
; ---------------------------------------------------------------------------
; Debugger listing (address / opcode bytes / instruction) of the routine whose
; bytes form the signature quoted above. 32-bit x86, Intel syntax, locals
; addressed through ebp. The function's first instruction (push ebp at
; 020C3022) is not part of the listing; the frame slots below assume that push.
;
; What the visible code does:
;   in:  [ebp+0x8] = p, a pointer; [p+0x8] is read as a length in bytes
;   out: eax = 31-bit hash of the buffer returned by the call at 020C3075,
;        or -1 when p is 0 or when that call returns 0
;   Hash: h starts at 0; for each dword (then for each remaining byte, with
;   the index restarting at 0) the accumulator is updated as
;     even index: h ^=  (h << 7)  ^ data ^ (h >> 3)
;     odd  index: h ^= ~((h << 11) ^ data ^ (h >> 5))
;   and finally h &= 0x7FFFFFFF. This is a plain unkeyed shift/xor hash (the
;   same structure as the widely published "AP hash"); despite the name used
;   in the post it is not a polynomial CRC and not a MAC.
;
; Frame slots (all dword):
;   [ebp-0x04] try level, [ebp-0x08]/[ebp-0x0C] the two pushed constants,
;   [ebp-0x10] saved fs:[0]  -- an MSVC-style SEH frame; the stub at 020C31A3
;   and the block at 020C31A9 look like its filter / handler (inferred)
;   [ebp-0x18] saved esp              [ebp-0x1C] result (initialised to -1)
;   [ebp-0x20] callee address         [ebp-0x24] buffer pointer (call result)
;   [ebp-0x28] length in bytes        [ebp-0x2C] length / 4
;   [ebp-0x30] current data pointer   [ebp-0x34] hash accumulator h
;   [ebp-0x38] loop index i           [ebp-0x3C], [ebp-0x40] per-round term t
; The redundant load/store at 020C306B/020C306E and the division recomputed
; on every iteration at 020C3134 suggest an unoptimised build.
; ---------------------------------------------------------------------------
020C3023 8BEC mov ebp,esp ; frame pointer (push ebp precedes the listing)
020C3025 6A FF push -0x1 ; [ebp-0x4] = -1 (try level)
020C3027 68 B0C91302 push 0x213C9B0 ; [ebp-0x8]
020C302C 68 76BC0E02 push 0x20EBC76 ; [ebp-0xC]
020C3031 64:A1 00000000 mov eax,dword ptr fs:[0] ; current SEH chain head
020C3037 50 push eax ; [ebp-0x10] = previous fs:[0]
020C3038 64:8925 0000000>mov dword ptr fs:[0],esp ; install this frame as the chain head
020C303F 83C4 D0 add esp,-0x30 ; 0x30 bytes of locals
// This is the spot I used for the signature bytes (the 12 bytes below).
020C3042 53 push ebx ; save callee-saved registers
020C3043 56 push esi
020C3044 57 push edi
020C3045 8965 E8 mov dword ptr ss:[ebp-0x18],esp ; esp as restored by the block at 020C31A9
020C3048 C745 E4 FFFFFFF>mov dword ptr ss:[ebp-0x1C],-0x1 ; result = -1 (default on every error path)
020C304F 837D 08 00 cmp dword ptr ss:[ebp+0x8],0x0 ; p == NULL ?
020C3053 75 08 jnz X020C305D
020C3055 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] ; eax = -1
020C3058 E9 60010000 jmp 020C31BD ; straight to the epilogue (try level left untouched)
020C305D C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0 ; try level 0: body guarded from here on
020C3064 C745 E0 F22E0C0>mov dword ptr ss:[ebp-0x20],0x20C2EF2 ; address of the helper called below
020C306B 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; reload/store pair with no effect
020C306E 8945 E0 mov dword ptr ss:[ebp-0x20],eax
020C3071 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
020C3074 51 push ecx ; argument: p
020C3075 FF55 E0 call dword ptr ss:[ebp-0x20] ; eax = helper(p); its result is used as the buffer base below
020C3078 83C4 04 add esp,0x4 ; caller pops the one argument (cdecl-style)
020C307B 8945 DC mov dword ptr ss:[ebp-0x24],eax ; buf = eax
020C307E 837D DC 00 cmp dword ptr ss:[ebp-0x24],0x0
020C3082 0F84 12010000 je 020C319A ; buf == NULL -> exit with result still -1
020C3088 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
020C308B 8B42 08 mov eax,dword ptr ds:[edx+0x8] ; len = *(dword*)(p + 8)
020C308E 8945 D8 mov dword ptr ss:[ebp-0x28],eax
020C3091 C745 CC 0000000>mov dword ptr ss:[ebp-0x34],0x0 ; h = 0
020C3098 8B4D DC mov ecx,dword ptr ss:[ebp-0x24]
020C309B 894D D0 mov dword ptr ss:[ebp-0x30],ecx ; ptr = buf
020C309E 8B55 D8 mov edx,dword ptr ss:[ebp-0x28]
020C30A1 C1EA 02 shr edx,0x2
020C30A4 8955 D4 mov dword ptr ss:[ebp-0x2C],edx ; ndwords = len >> 2
020C30A7 C745 C8 0000000>mov dword ptr ss:[ebp-0x38],0x0 ; i = 0
020C30AE EB 12 jmp X020C30C2 ; enter the dword loop at its condition
020C30B0 8B45 D0 mov eax,dword ptr ss:[ebp-0x30] ; --- dword loop increment: ptr += 4, i += 1
020C30B3 83C0 04 add eax,0x4
020C30B6 8945 D0 mov dword ptr ss:[ebp-0x30],eax
020C30B9 8B4D C8 mov ecx,dword ptr ss:[ebp-0x38]
020C30BC 83C1 01 add ecx,0x1
020C30BF 894D C8 mov dword ptr ss:[ebp-0x38],ecx
020C30C2 8B55 C8 mov edx,dword ptr ss:[ebp-0x38] ; --- dword loop condition
020C30C5 3B55 D4 cmp edx,dword ptr ss:[ebp-0x2C]
020C30C8 73 45 jnb X020C310F ; i >= ndwords (unsigned) -> byte tail
020C30CA 8B45 C8 mov eax,dword ptr ss:[ebp-0x38]
020C30CD 83E0 01 and eax,0x1 ; parity of i selects the mixing step
020C30D0 85C0 test eax,eax
020C30D2 75 18 jnz X020C30EC
020C30D4 8B4D CC mov ecx,dword ptr ss:[ebp-0x34] ; even i: t = (h << 7) ^ *(dword*)ptr ^ (h >> 3)
020C30D7 C1E1 07 shl ecx,0x7
020C30DA 8B55 D0 mov edx,dword ptr ss:[ebp-0x30]
020C30DD 330A xor ecx,dword ptr ds:[edx]
020C30DF 8B45 CC mov eax,dword ptr ss:[ebp-0x34]
020C30E2 C1E8 03 shr eax,0x3
020C30E5 33C8 xor ecx,eax
020C30E7 894D C4 mov dword ptr ss:[ebp-0x3C],ecx
020C30EA EB 18 jmp X020C3104
020C30EC 8B4D CC mov ecx,dword ptr ss:[ebp-0x34] ; odd i: t = ~((h << 11) ^ *(dword*)ptr ^ (h >> 5))
020C30EF C1E1 0B shl ecx,0xB
020C30F2 8B55 D0 mov edx,dword ptr ss:[ebp-0x30]
020C30F5 330A xor ecx,dword ptr ds:[edx]
020C30F7 8B45 CC mov eax,dword ptr ss:[ebp-0x34]
020C30FA C1E8 05 shr eax,0x5
020C30FD 33C8 xor ecx,eax
020C30FF F7D1 not ecx
020C3101 894D C4 mov dword ptr ss:[ebp-0x3C],ecx
020C3104 8B4D CC mov ecx,dword ptr ss:[ebp-0x34] ; h ^= t
020C3107 334D C4 xor ecx,dword ptr ss:[ebp-0x3C]
020C310A 894D CC mov dword ptr ss:[ebp-0x34],ecx
020C310D ^ EB A1 jmp X020C30B0
020C310F C745 C8 0000000>mov dword ptr ss:[ebp-0x38],0x0 ; --- byte tail: i = 0 (parity restarts); ptr continues past the dwords consumed
020C3116 EB 12 jmp X020C312A
020C3118 8B55 D0 mov edx,dword ptr ss:[ebp-0x30] ; byte loop increment: ptr += 1, i += 1
020C311B 83C2 01 add edx,0x1
020C311E 8955 D0 mov dword ptr ss:[ebp-0x30],edx
020C3121 8B45 C8 mov eax,dword ptr ss:[ebp-0x38]
020C3124 83C0 01 add eax,0x1
020C3127 8945 C8 mov dword ptr ss:[ebp-0x38],eax
020C312A 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; byte loop condition: edx = len % 4 (unsigned div, recomputed each pass)
020C312D 33D2 xor edx,edx
020C312F B9 04000000 mov ecx,0x4
020C3134 F7F1 div ecx
020C3136 3955 C8 cmp dword ptr ss:[ebp-0x38],edx
020C3139 73 4D jnb X020C3188 ; i >= len % 4 -> finish
020C313B 8B55 C8 mov edx,dword ptr ss:[ebp-0x38]
020C313E 83E2 01 and edx,0x1
020C3141 85D2 test edx,edx
020C3143 75 1C jnz X020C3161
020C3145 8B45 CC mov eax,dword ptr ss:[ebp-0x34] ; even i: t = (h << 7) ^ (byte)*ptr ^ (h >> 3)
020C3148 C1E0 07 shl eax,0x7
020C314B 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
020C314E 33D2 xor edx,edx ; zero-extend the byte via xor + 8-bit load
020C3150 8A11 mov dl,byte ptr ds:[ecx]
020C3152 33C2 xor eax,edx
020C3154 8B4D CC mov ecx,dword ptr ss:[ebp-0x34]
020C3157 C1E9 03 shr ecx,0x3
020C315A 33C1 xor eax,ecx
020C315C 8945 C0 mov dword ptr ss:[ebp-0x40],eax
020C315F EB 1C jmp X020C317D
020C3161 8B55 CC mov edx,dword ptr ss:[ebp-0x34] ; odd i: t = ~((h << 11) ^ (byte)*ptr ^ (h >> 5))
020C3164 C1E2 0B shl edx,0xB
020C3167 8B45 D0 mov eax,dword ptr ss:[ebp-0x30]
020C316A 33C9 xor ecx,ecx
020C316C 8A08 mov cl,byte ptr ds:[eax]
020C316E 33D1 xor edx,ecx
020C3170 8B45 CC mov eax,dword ptr ss:[ebp-0x34]
020C3173 C1E8 05 shr eax,0x5
020C3176 33D0 xor edx,eax
020C3178 F7D2 not edx
020C317A 8955 C0 mov dword ptr ss:[ebp-0x40],edx
020C317D 8B4D CC mov ecx,dword ptr ss:[ebp-0x34] ; h ^= t
020C3180 334D C0 xor ecx,dword ptr ss:[ebp-0x40]
020C3183 894D CC mov dword ptr ss:[ebp-0x34],ecx
020C3186 ^ EB 90 jmp X020C3118
020C3188 8B55 CC mov edx,dword ptr ss:[ebp-0x34] ; h &= 0x7FFFFFFF (clears the sign bit)
020C318B 81E2 FFFFFF7F and edx,0x7FFFFFFF
020C3191 8955 CC mov dword ptr ss:[ebp-0x34],edx
020C3194 8B45 CC mov eax,dword ptr ss:[ebp-0x34]
020C3197 8945 E4 mov dword ptr ss:[ebp-0x1C],eax ; result = h
020C319A C745 FC FFFFFFF>mov dword ptr ss:[ebp-0x4],-0x1 ; try level -1; also the target of the buf == NULL branch
020C31A1 EB 17 jmp X020C31BA
020C31A3 B8 01000000 mov eax,0x1 ; not reached by fall-through; looks like the SEH filter returning 1 (inferred)
020C31A8 C3 retn
020C31A9 8B65 E8 mov esp,dword ptr ss:[ebp-0x18] ; looks like the SEH handler: restore esp, result = -1, try level -1 (inferred)
020C31AC C745 E4 FFFFFFF>mov dword ptr ss:[ebp-0x1C],-0x1
020C31B3 C745 FC FFFFFFF>mov dword ptr ss:[ebp-0x4],-0x1
020C31BA 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] ; eax = result
020C31BD 8B4D F0 mov ecx,dword ptr ss:[ebp-0x10] ; unlink this SEH frame: fs:[0] = saved previous head
020C31C0 64:890D 0000000>mov dword ptr fs:[0],ecx
020C31C7 5F pop edi ; restore callee-saved registers and tear down the frame
020C31C8 5E pop esi
020C31C9 5B pop ebx
020C31CA 8BE5 mov esp,ebp
020C31CD 5D pop ebp
020C31CD C3 retn
当然地址肯定不对了,但函数没变,特征值也没变。