[原创]分享以前的資料絲路原動力內外掛破解-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

最新回复 (9)
djpvd 雪币： 320 活跃值： (104) 能力值： (RANK：180 ) 在线值：发帖 133 回帖 447 粉丝 2 关注私信	djpvd 4 2 楼 SRO.EXE(脫機掛主程式) Patch 分析一發送封包寫入 A 方式一 ******************************************************* 搜尋字串 dl send data %x,%d,TICK:%d 往上找代碼的頭找到 004103C0 . 83EC 64 sub esp, 64 ; 這裡 NOP 改 JMP <Patch> 004103C3 . 8B4424 68 mov eax, dword ptr [esp+68] ; 這裡 NOP <封包指標傳到 EAX> 004103C7 . 53 push ebx ; <Patch> Run 完跳回這裡 004103C8 . 55 push ebp 004103C9 . 8B6C24 74 mov ebp, dword ptr [esp+74] ; <封包大小傳到 EBP> 004103CD . 8BD9 mov ebx, ecx 004103CF . 8BCD mov ecx, ebp 004103D1 . 56 push esi 004103D2 . 8BD1 mov edx, ecx 004103D4 . 57 push edi 004103D5 . 8BF0 mov esi, eax 004103D7 . 8DBB B04E0000 lea edi, dword ptr [ebx+4EB0] 004103DD . C1E9 02 shr ecx, 2 004103E0 . F3:A5 rep movs dword ptr es:[edi], dword p> 004103E2 . 8BCA mov ecx, edx 004103E4 . 83E1 03 and ecx, 3 004103E7 . F3:A4 rep movs byte ptr es:[edi], byte ptr> 004103E9 . 8B8B B48E0000 mov ecx, dword ptr [ebx+8EB4] 004103EF . 89AB B06E0000 mov dword ptr [ebx+6EB0], ebp 004103F5 . 85C9 test ecx, ecx 004103F7 . 0F84 0D010000 je 0041050A 004103FD . 81FD E8030000 cmp ebp, 3E8 略...................... 0041049A . 8983 BC8E0000 mov dword ptr [ebx+8EBC], eax 004104A0 . 50 push eax ; /<%d> 004104A1 . 33C0 xor eax, eax ; \| 004104A3 . 55 push ebp ; \|<%d> 004104A4 . 66:8B46 0A mov ax, word ptr [esi+A] ; \| 004104A8 . 8D4C24 18 lea ecx, dword ptr [esp+18] ; \| 004104AC . 50 push eax ; \|<%x> 004104AD . 68 D4844400 push 004484D4 ; \|format = "dl send data %x,%d,TICK:%d" 004104B2 . 51 push ecx ; \|s 004104B3 . FF15 3C6D4300 call dword ptr [436D3C] ; \sprintf 改為 004103C0 . /E9 DF590200 jmp 00435DA4 ; 這裡 NOP 改 JMP <dl send data Patch> 004103C5 \|90 nop 004103C6 \|90 nop 004103C7 > \|53 push ebx ; <Patch> Run 完跳回這裡 004103C8 . \|55 push ebp 004103C9 . \|8B6C24 74 mov ebp, dword ptr [esp+74] ; <封包大小傳到 EBP> ***************************************************** 搜尋字串 re send data %x,%d 找到 00410630 /$ 83EC 64 sub esp, 64 00410633 \|. 56 push esi 00410634 \|. 8BF1 mov esi, ecx 00410636 \|. 8B86 B48E0000 mov eax, dword ptr [esi+8EB4] 0041063C \|. 85C0 test eax, eax 0041063E \|. 74 65 je short 004106A5 00410640 \|. 8B86 B88E0000 mov eax, dword ptr [esi+8EB8] 00410646 \|. 8B96 B06E0000 mov edx, dword ptr [esi+6EB0] ; 移動大小到 EDX 0041064C \|. 8B8E C48E0000 mov ecx, dword ptr [esi+8EC4] 00410652 \|. 40 inc eax 00410653 \|. 6A 00 push 0 00410655 \|. 52 push edx ; EDX 大小 00410656 \|. 8986 B88E0000 mov dword ptr [esi+8EB8], eax 0041065C \|. 8B01 mov eax, dword ptr [ecx] 0041065E \|. 8D96 B04E0000 lea edx, dword ptr [esi+4EB0] ; 指標移到 DEX <這裡NOP 改為 JMP Patch> 00410664 \|. 52 push edx ; EDX 指標 <Patch 代碼跑完跳回這裡> 00410665 \|. FF50 20 call dword ptr [eax+20] ; Call MFC42.#CAsyncSocket::Send_5796 00410668 \|. E8 51D92000 call 0061DFBE 0041066D \|. 90 nop 0041066E \|. 8986 BC8E0000 mov dword ptr [esi+8EBC], eax 00410674 \|. 8B86 B06E0000 mov eax, dword ptr [esi+6EB0] 0041067A \|. 33C9 xor ecx, ecx 0041067C \|. 50 push eax ; /<%d> 0041067D \|. 66:8B8E BA4E0>mov cx, word ptr [esi+4EBA] ; \| 00410684 \|. 8D5424 08 lea edx, dword ptr [esp+8] ; \| 00410688 \|. 51 push ecx ; \|<%x> 00410689 \|. 68 14854400 push 00448514 ; \|format = "re send data %x,%d" 0041068E \|. 52 push edx ; \|s 0041068F \|. FF15 3C6D4300 call dword ptr [436D3C] ; \sprintf 改為 0041065E . /E9 54570200 jmp 00435DB7 ; 這裡 NOP 改為 JMP <re send data Patch> 00410663 \|90 nop 00410664 > \|52 push edx ; <Patch 代碼跑完跳回這裡> ***************************************************** <Patch> 00435DA4 > \83EC 64 sub esp, 64 ; <dl send data Patch> 00435DA7 . 8B4424 68 mov eax, dword ptr [esp+68] 00435DAB . E8 1D000000 call 00435DCD ; <Packet Patch> 00435DB0 .^ E9 12A6FDFF jmp 004103C7 ; 跳回到原來代碼 00435DB5 00 db 00 00435DB6 00 db 00 00435DB7 > 8D96 B04E00 lea edx, dword ptr [esi+4EB0] ; <re send data Patch> 00435DBD . 50 push eax 00435DBE . 8BC2 mov eax, edx 00435DC0 . E8 08000000 call 00435DCD ; <Packet Patch> 00435DC5 . 58 pop eax 00435DC6 .^ E9 99A8FDFF jmp 00410664 ; 跳回到原來代碼 00435DCB 00 db 00 00435DCC 00 db 00 00435DCD /$ 66:8178 0A cmp word ptr [eax+A], 101 00435DD3 \|. 74 08 je short 00435DDD 00435DD5 \|. 66:8178 0A cmp word ptr [eax+A], 107 00435DDB \|. 75 40 jnz short 00435E1D 00435DDD \|> 66:C700 CD56 mov word ptr [eax], 56CD ; 封包頭 Key <長度4個位元組> 00435DE2 \|. 66:C740 0A mov word ptr [eax+A], 101 ; Case 00435DE8 \|. C640 26 02 mov byte ptr [eax+26], 2 ; 掛機種類 01=內掛 02=脫機 00435DEC \|. C740 2A 7361 mov dword ptr [eax+2A], 69666173 ; 動力認證遊戲帳號 <最多20個位元組> 00435DF3 \|. C740 2E 6E61 mov dword ptr [eax+2E], 6F63616E 00435DFA \|. C740 32 6F6C mov dword ptr [eax+32], 6C6F 00435E01 \|. C740 36 0000 mov dword ptr [eax+36], 0 00435E08 \|. C740 3A 0000 mov dword ptr [eax+3A], 0 00435E0F \|. C740 3F 3FA3 mov dword ptr [eax+3F], 6E6EA33F ; 動力認證 KEY1 00435E16 \|. C740 43 39C4 mov dword ptr [eax+43], ADE4C439 ; 動力認證 KEY2 00435E1D \> C3 retn ================== dl send data Patch ================== 004103C0 E9 DF 59 02 00 90 90 0041065E E9 54 57 02 00 90 00435DA4 83 EC 64 8B 44 24 68 E8 1D 00 00 00 E9 12 A6 FD FF 00 00 8D 96 B0 4E 00 00 50 8B C2 E8 08 00 00 00 58 E9 99 A8 FD FF 00 00 66 81 78 0A 01 01 74 08 66 81 78 0A 07 01 75 40 66 C7 00 CD 56 66 C7 40 0A 01 01 C6 40 26 02 C7 40 2A 73 61 66 69 C7 40 2E 6E 61 63 6F C7 40 32 6F 6C 00 00 C7 40 36 00 00 00 00 C7 40 3A 00 00 00 00 C7 40 3F 3F A3 6E 6E C7 40 43 39 C4 E4 AD C3 ================== B 方式二 ******************************************************* 004103C0 . /E9 DF590200 jmp 00435DA4 ; JMP to <Patch1> 004103C5 \|90 nop 004103C6 \|90 nop 0041065E . /E9 5C570200 jmp 00435DBF ; JMP to <Patch2> 00410663 \|90 nop <Patch1> 00435DA4 > \83EC 64 sub esp, 64 00435DA7 . 8B4424 68 mov eax, dword ptr [esp+68] 00435DAB . 50 push eax 00435DAC . 51 push ecx 00435DAD . 52 push edx 00435DAE . 53 push ebx 00435DAF . E8 27000000 call 00435DDB ; Call Sand Packet Patch 00435DB4 . 5B pop ebx 00435DB5 . 5A pop edx 00435DB6 . 59 pop ecx 00435DB7 . 58 pop eax 00435DB8 .^ E9 0AA6FDFF jmp 004103C7 <Patch2> 00435DBF > \8D96 B04E0000 lea edx, dword ptr [esi+4EB0] 00435DC5 . 50 push eax 00435DC6 . 51 push ecx 00435DC7 . 52 push edx 00435DC8 . 53 push ebx 00435DC9 . 8BC2 mov eax, edx 00435DCB . E8 0B000000 call 00435DDB ; Call <Sand Packet Patch> 00435DD0 . 5B pop ebx 00435DD1 . 5A pop edx 00435DD2 . 59 pop ecx 00435DD3 . 58 pop eax 00435DD4 .^ E9 8BA8FDFF jmp 00410664 <Sand Packet Patch> 00435DDB /$ 66:8178 0A 01>cmp word ptr [eax+A], 101 ; Sand Packet Patch 00435DE1 \|. 74 08 je short 00435DEB 00435DE3 \|. 66:8178 0A 07>cmp word ptr [eax+A], 107 00435DE9 \|. 75 1D jnz short 00435E08 ; JMP TO RETN 00435DEB \|> B9 00606800 mov ecx, 00686000 00435DF0 \|. 33D2 xor edx, edx 00435DF2 \|. 33DB xor ebx, ebx 00435DF4 \|> 83FB 47 /cmp ebx, 47 00435DF7 \|. 74 0F \|je short 00435E08 ; JMP TO RETN 00435DF9 \|. 8A11 \|mov dl, byte ptr [ecx] 00435DFB \|. 8810 \|mov byte ptr [eax], dl 00435DFD \|. 83C0 01 \|add eax, 1 00435E00 \|. 83C1 01 \|add ecx, 1 00435E03 \|. 83C3 01 \|add ebx, 1 00435E06 \|.^ EB EC \jmp short 00435DF4 00435E08 \> C3 retn ================== 004103C0 E9 DF 59 02 00 90 90 0041065E E9 5C 57 02 00 90 00435DA4 83 EC 64 8B 44 24 68 50 51 52 53 E8 27 00 00 00 5B 5A 59 58 E9 0A A6 FD FF 00 00 8D 96 B0 4E 00 00 50 51 52 53 8B C2 E8 0B 00 00 00 5B 5A 59 58 E9 8B A8 FD FF 00 00 66 81 78 0A 01 01 74 08 66 81 78 0A 07 01 75 1D B9 00 60 68 00 33 D2 33 DB 83 FB 47 74 0F 8A 11 88 10 83 C0 01 83 C1 01 83 C3 01 EB EC C3 ================== 二檢查 DL 重登時間搜尋字串 check time relogin dl with minute error 找到 0040F476 > \8B86 90200000 mov eax, dword ptr [esi+2090] 0040F47C . 3BC3 cmp eax, ebx ; 比較 EAX 是否=0 0040F47E . 74 0E je short 0040F48E ; 0040F480 . 2BF8 sub edi, eax 0040F482 . 81FF E0930400 cmp edi, 493E0 ; 比較 EDI-EAX 是否大於 493E0 0040F488 . 0F87 49010000 ja 0040F5D7 0040F48E > 395E 48 cmp dword ptr [esi+48], ebx ; <<<這裡 Patch>>> 驗證通過時為1 0040F491 . 0F84 40010000 je 0040F5D7 ; 0則跳到預設 0040F497 . 395E 4C cmp dword ptr [esi+4C], ebx 0040F49A . 0F85 37010000 jnz 0040F5D7 ; 0則跳到預設 0040F4A0 . FFD5 call ebp 0040F4A2 . 8B56 44 mov edx, dword ptr [esi+44] 0040F4A5 . 8BF8 mov edi, eax 0040F4A7 . 8BCF mov ecx, edi 0040F4A9 . B8 D34D6210 mov eax, 10624DD3 0040F4AE . 2BCA sub ecx, edx 0040F4B0 . F7E1 mul ecx 0040F4B2 . C1EA 06 shr edx, 6 0040F4B5 . B8 89888888 mov eax, 88888889 0040F4BA . F7E2 mul edx 0040F4BC . C1EA 05 shr edx, 5 0040F4BF . 79 46 jns short 0040F507 ; 跳到第二個重登 0040F4C1 . 8D5424 10 lea edx, dword ptr [esp+10] 0040F4C5 . 68 08844400 push 00448408 ; /format = "check time relogin dl with minute error" 0040F4CA . 52 push edx ; \|s 0040F4CB . FF15 3C6D4300 call dword ptr [436D3C] ; \sprintf 改為 0040F48E > \C746 48 01000>mov dword ptr [esi+48], 1 ; 這裡 Patch 0040F495 . C746 4C 00000>mov dword ptr [esi+4C], 0 0040F49C . E9 36010000 jmp 0040F5D7 0040F4A1 90 nop ================ relogin dl Patch ================ 0040F48E C7 46 48 01 00 00 00 C7 46 4C 00 00 00 00 E9 36 01 00 00 90 ================ 三 102 108 封包處理代碼 Patch 搜尋字串 recv packet 0102 0040E706 > \8B4D 08 mov ecx, dword ptr [ebp+8] ; Case 102 of switch 0040E696 0040E709 . 68 C0814400 push 004481C0 ; ASCII "recv packet 0102" 0040E70E . 8B01 mov eax, dword ptr [ecx] 0040E710 . FF50 18 call dword ptr [eax+18] 0040E713 . 8B8C24 940400>mov ecx, dword ptr [esp+494] 0040E71A . 8D56 02 lea edx, dword ptr [esi+2] 0040E71D . 83C1 FE add ecx, -2 0040E720 . 51 push ecx 0040E721 . 52 push edx 0040E722 . 8BCD mov ecx, ebp 0040E724 . E8 97130000 call 0040FAC0 0040E729 . 33C9 xor ecx, ecx 0040E72B . 66:3B06 cmp ax, word ptr [esi] 0040E72E . BB 01000000 mov ebx, 1 0040E733 . 74 02 je short 0040E737 ; 改 JMP 0040E735 . 8BCB mov ecx, ebx 0040E737 > 8B46 15 mov eax, dword ptr [esi+15] 0040E73A . 8B95 94200000 mov edx, dword ptr [ebp+2094] 0040E740 . F7D0 not eax 0040E742 . 83C0 02 add eax, 2 0040E745 . 3BC2 cmp eax, edx 0040E747 . 74 02 je short 0040E74B ; 改 JMP 0040E749 . 8BCB mov ecx, ebx 0040E74B > 8B46 0D mov eax, dword ptr [esi+D] 0040E74E . 85C9 test ecx, ecx 0040E750 . 8945 10 mov dword ptr [ebp+10], eax 0040E753 . 74 17 je short 0040E76C ; 改 JMP 0040E755 . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E758 . 33C0 xor eax, eax 0040E75A . 8945 48 mov dword ptr [ebp+48], eax 0040E75D . 8945 10 mov dword ptr [ebp+10], eax 0040E760 . 8B01 mov eax, dword ptr [ecx] 0040E762 . 68 A4814400 push 004481A4 ; 登入動力伺服器失敗,資料錯誤 0040E767 . E9 24010000 jmp 0040E890 0040E76C > 8A46 0C mov al, byte ptr [esi+C] ; 封包+C 0040E76F . 84C0 test al, al 0040E771 . 0F85 8A000000 jnz 0040E801 ; NOP 0040E777 . 8B4E 0D mov ecx, dword ptr [esi+D] ; 封包+D 0040E77A . 895D 04 mov dword ptr [ebp+4], ebx 0040E77D . 894D 10 mov dword ptr [ebp+10], ecx 0040E780 . 8B56 11 mov edx, dword ptr [esi+11] ; 封包+11 0040E783 . 8955 40 mov dword ptr [ebp+40], edx 0040E786 . FFD7 call edi 0040E788 . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E78B . 8945 44 mov dword ptr [ebp+44], eax 0040E78E . 68 90814400 push 00448190 0040E793 . 8B01 mov eax, dword ptr [ecx] 0040E795 . FF50 1C call dword ptr [eax+1C] 0040E798 . 8B4D 40 mov ecx, dword ptr [ebp+40] 0040E79B . BB 3C000000 mov ebx, 3C 0040E7A0 . 8BC1 mov eax, ecx 0040E7A2 . 99 cdq 0040E7A3 . F7FB idiv ebx 0040E7A5 . B8 89888888 mov eax, 88888889 0040E7AA . 52 push edx ; /<%d> 0040E7AB . F7E9 imul ecx ; \| 0040E7AD . 03D1 add edx, ecx ; \| 0040E7AF . C1FA 05 sar edx, 5 ; \| 0040E7B2 . 8BCA mov ecx, edx ; \| 0040E7B4 . C1E9 1F shr ecx, 1F ; \| 0040E7B7 . 03D1 add edx, ecx ; \| 0040E7B9 . 52 push edx ; \|<%d> 0040E7BA . 8D5424 24 lea edx, dword ptr [esp+24] ; \| 0040E7BE . 68 78814400 push 00448178 ; \|可使用動力%d小時%d分鐘 0040E7C3 . 52 push edx ; \|s 0040E7C4 . FF15 3C6D4300 call dword ptr [<&msvcrt.sprintf>] ; \sprintf 0040E7CA . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E7CD . 83C4 10 add esp, 10 0040E7D0 . 8D5424 1C lea edx, dword ptr [esp+1C] 0040E7D4 . 8B01 mov eax, dword ptr [ecx] 0040E7D6 . 52 push edx 0040E7D7 . FF50 1C call dword ptr [eax+1C] 0040E7DA . 8A46 15 mov al, byte ptr [esi+15] 0040E7DD . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E7E0 . 8845 50 mov byte ptr [ebp+50], al 0040E7E3 . 8B11 mov edx, dword ptr [ecx] 0040E7E5 . FF52 14 call dword ptr [edx+14] 0040E7E8 . BB 01000000 mov ebx, 1 0040E7ED . 895D 48 mov dword ptr [ebp+48], ebx 0040E7F0 . FFD7 call edi 0040E7F2 . 8945 3C mov dword ptr [ebp+3C], eax 0040E7F5 . C745 4C 00000>mov dword ptr [ebp+4C], 0 0040E7FC . E9 92000000 jmp 0040E893 .... 0040E893 > \395D 1C cmp dword ptr [ebp+1C], ebx 0040E896 . 0F85 F3050000 jnz 0040EE8F ; NOP 0040E89C . C745 1C 00000>mov dword ptr [ebp+1C], 0 0040E8A3 . E9 E7050000 jmp 0040EE8F ; 跳到 Default case 搜尋字串 recv packet 108 0040E8A8 > \8B4D 08 mov ecx, dword ptr [ebp+8] ; Case 108 of switch 0040E696 0040E8AB . 68 3C814400 push 0044813C ; ASCII "recv packet 108" 0040E8B0 . 8B11 mov edx, dword ptr [ecx] 0040E8B2 . FF52 18 call dword ptr [edx+18] 0040E8B5 . 8B8424 940400>mov eax, dword ptr [esp+494] 0040E8BC . 8D4E 02 lea ecx, dword ptr [esi+2] 0040E8BF . 83C0 FE add eax, -2 0040E8C2 . 50 push eax 0040E8C3 . 51 push ecx 0040E8C4 . 8BCD mov ecx, ebp 0040E8C6 . E8 F5110000 call 0040FAC0 0040E8CB . 66:3B06 cmp ax, word ptr [esi] 0040E8CE . 895C24 10 mov dword ptr [esp+10], ebx 0040E8D2 . B9 01000000 mov ecx, 1 0040E8D7 . 74 04 je short 0040E8DD ; 改JMP 0040E8D9 . 894C24 10 mov dword ptr [esp+10], ecx 0040E8DD > 8B46 15 mov eax, dword ptr [esi+15] 0040E8E0 . 8B95 94200000 mov edx, dword ptr [ebp+2094] 0040E8E6 . F7D0 not eax 0040E8E8 . 83C0 02 add eax, 2 0040E8EB . 3BC2 cmp eax, edx 0040E8ED . 74 04 je short 0040E8F3 ; 改JMP 0040E8EF . 894C24 10 mov dword ptr [esp+10], ecx 0040E8F3 > 8B55 28 mov edx, dword ptr [ebp+28] 0040E8F6 . 33C0 xor eax, eax 0040E8F8 . 8B5A F8 mov ebx, dword ptr [edx-8] 0040E8FB . 85DB test ebx, ebx 0040E8FD . 7E 12 jle short 0040E911 0040E8FF > 8A0C02 mov cl, byte ptr [edx+eax] 0040E902 . 384C06 19 cmp byte ptr [esi+eax+19], cl 0040E906 . 0F85 15010000 jnz 0040EA21 ; NOP 0040E90C . 40 inc eax 0040E90D . 3BC3 cmp eax, ebx 0040E90F .^ 7C EE jl short 0040E8FF 0040E911 > 8B4424 10 mov eax, dword ptr [esp+10] 0040E915 . 85C0 test eax, eax 0040E917 . 0F85 04010000 jnz 0040EA21 ; NOP 0040E91D . 8A46 0C mov al, byte ptr [esi+C] 0040E920 . 84C0 test al, al 0040E922 . 0F85 8D000000 jnz 0040E9B5 ; NOP 0040E928 . 8B56 0D mov edx, dword ptr [esi+D] 0040E92B . C745 04 01000>mov dword ptr [ebp+4], 1 0040E932 . 8955 10 mov dword ptr [ebp+10], edx 0040E935 . 8B46 11 mov eax, dword ptr [esi+11] 0040E938 . 8945 40 mov dword ptr [ebp+40], eax 0040E93B . FFD7 call edi 0040E93D . 8B4D 40 mov ecx, dword ptr [ebp+40] 0040E940 . 8945 44 mov dword ptr [ebp+44], eax 0040E943 . 8BC1 mov eax, ecx 0040E945 . BB 3C000000 mov ebx, 3C 0040E94A . 99 cdq 0040E94B . F7FB idiv ebx 0040E94D . B8 89888888 mov eax, 88888889 0040E952 . 52 push edx ; /<%d> 0040E953 . F7E9 imul ecx ; \| 0040E955 . 03D1 add edx, ecx ; \| 0040E957 . C1FA 05 sar edx, 5 ; \| 0040E95A . 8BCA mov ecx, edx ; \| 0040E95C . C1E9 1F shr ecx, 1F ; \| 0040E95F . 03D1 add edx, ecx ; \| 0040E961 . 52 push edx ; \|<%d> 0040E962 . 8D5424 24 lea edx, dword ptr [esp+24] ; \| 0040E966 . 68 24814400 push 00448124 ; \|可使用動力%d小時%d分鐘 0040E96B . 52 push edx ; \|s 0040E96C . FF15 3C6D4300 call dword ptr [<&msvcrt.sprintf>] ; \sprintf 0040E972 . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E975 . 83C4 10 add esp, 10 0040E978 . 8D5424 1C lea edx, dword ptr [esp+1C] 0040E97C . 8B01 mov eax, dword ptr [ecx] 0040E97E . 52 push edx 0040E97F . FF50 1C call dword ptr [eax+1C] 0040E982 . 8A46 15 mov al, byte ptr [esi+15] 0040E985 . 8845 50 mov byte ptr [ebp+50], al 0040E988 . 8A4E 15 mov cl, byte ptr [esi+15] 0040E98B . 884D 50 mov byte ptr [ebp+50], cl 0040E98E . 8B4D 08 mov ecx, dword ptr [ebp+8] 0040E991 . 8B11 mov edx, dword ptr [ecx] 0040E993 . FF52 14 call dword ptr [edx+14] 0040E996 . FFD7 call edi 0040E998 . 8945 3C mov dword ptr [ebp+3C], eax 0040E99B . C745 48 01000>mov dword ptr [ebp+48], 1 0040E9A2 . C745 4C 00000>mov dword ptr [ebp+4C], 0 0040E9A9 . C745 1C 00000>mov dword ptr [ebp+1C], 0 0040E9B0 . E9 DA040000 jmp 0040EE8F ; 跳到 Default case 0040EA21 mov dword ptr [ebp+48], 0 改為 0040EA21 mov dword ptr [ebp+48], 1 ========================== recv packet 0102 MEM Patch ========================== 0040E733 EB 0040E747 EB 0040E753 EB 0040E771 90 90 90 90 90 90 0040E896 90 90 90 90 90 90 ========================== ========================= recv packet 108 MEM Patch ========================= 0040E8D7 EB 0040E8ED EB 0040E917 90 90 90 90 90 90 0040E922 90 90 90 90 90 90 0040EA21 C7 45 48 01 ========================= +++++++++++++++++++++++++++++++++++++++++++++++++++ 四 102 108 Packet Patch <非必要> A 方式一搜尋字串 recv packet 0102 找到下面第一個 Call 0040E709 . 68 C0814400 push 004481C0 ; ASCII "recv packet 0102" 0040E70E . 8B01 mov eax, dword ptr [ecx] 0040E710 . FF50 18 call dword ptr [eax+18] 0040E713 . 8B8C24 940400>mov ecx, dword ptr [esp+494] 0040E71A . 8D56 02 lea edx, dword ptr [esi+2] 0040E71D . 83C1 FE add ecx, -2 0040E720 . 51 push ecx 0040E721 . 52 push edx 0040E722 . 8BCD mov ecx, ebp 0040E724 E8 F7760200 call 00435E20 ; 這裡改為 Call Patch 搜尋字串 recv packet 108 找到下面第一個 Call 0040E8AB . 68 3C814400 push 0044813C ; ASCII "recv packet 108" 0040E8B0 . 8B11 mov edx, dword ptr [ecx] 0040E8B2 . FF52 18 call dword ptr [edx+18] 0040E8B5 . 8B8424 940400>mov eax, dword ptr [esp+494] 0040E8BC . 8D4E 02 lea ecx, dword ptr [esi+2] 0040E8BF . 83C0 FE add eax, -2 0040E8C2 . 50 push eax 0040E8C3 . 51 push ecx 0040E8C4 . 8BCD mov ecx, ebp 0040E8C6 E8 55750200 call 00435E20 ; 這裡改為 Call Patch <Patch> 00435E20 66:C706 C4A7 mov word ptr [esi], 0A7C4 ; 封包頭 Key <長度4個位元組> 00435E25 C646 0C 00 mov byte ptr [esi+C], 0 ; 0=認證通過 1=資料比對錯誤 2=帳號到期 00435E29 C746 0D 28C00 mov dword ptr [esi+D], 3C028 ; 動力註冊序號 00435E30 C746 11 84270 mov dword ptr [esi+11], 92784 ; 剩餘可用時間以分鐘計16進位 00435E37 C746 15 39C4E mov dword ptr [esi+15], ADE4C439 ; 動力認證 KEY2 00435E3E C746 19 73616 mov dword ptr [esi+19], 69666173 ; 動力認證遊戲帳號 <最多20個位元組> 00435E45 C746 1D 6E616 mov dword ptr [esi+1D], 6F63616E 00435E4C C746 21 6F6C0 mov dword ptr [esi+21], 6C6F 00435E53 C746 25 00000 mov dword ptr [esi+25], 0 00435E5A C746 29 00000 mov dword ptr [esi+29], 0 00435E61 ^ E9 5A9CFDFF jmp 0040FAC0 ========================== 102 & 108 Packet MEM Patch ========================== 0040E724 E8 F7 76 02 00 0040E8C6 E8 55 75 02 00 00435E20 [CODE]66 C7 06 C4 A7 C6 46 0C 00 C7 46 0D 28 C0 03 00 C7 46 11 84 27 09 00 C7 46 15 39 C4 E4 AD C7 46 19 73 61 66 69 C7 46 1D 6E 61 63 6F C7 46 21 6F 6C 00 00 C7 46 25 00 00 00 00 C7 46 29 00 00 00 00 E9 5A 9C FD FF[/CODE] +++++++++++++++++++++++++++++++++++++++++++++++++++ B 方式二 <Patch> 00435E20 50 push eax 00435E21 51 push ecx 00435E22 52 push edx 00435E23 56 push esi 00435E24 33D2 xor edx, edx 00435E26 33C0 xor eax, eax 00435E28 B9 50606800 mov ecx, 00686050 00435E2D 83FA 08 cmp edx, 8 00435E30 74 0E je short 00435E40 00435E32 83FA 0A cmp edx, 0A 00435E35 74 09 je short 00435E40 00435E37 83FA 2D cmp edx, 2D 00435E3A 74 0F je short 00435E4B 00435E3C 8A01 mov al, byte ptr [ecx] 00435E3E 8806 mov byte ptr [esi], al 00435E40 83C2 01 add edx, 1 00435E43 83C1 01 add ecx, 1 00435E46 83C6 01 add esi, 1 00435E49 ^ EB E2 jmp short 00435E2D 00435E4B 5E pop esi 00435E4C 5A pop edx 00435E4D 59 pop ecx 00435E4E 58 pop eax 00435E4F ^ E9 6C9CFDFF jmp 0040FAC0 50 51 52 56 33 D2 33 C0 B9 50 60 68 00 83 FA 08 74 0E 83 FA 0A 74 09 83 FA 2D 74 0F 8A 01 88 06 83 C2 01 83 C1 01 83 C6 01 EB E2 5E 5A 59 58 E9 6C 9C FD FF ====================== SRO.dll Patch ====================== 一認證帳號修改 Patch 搜尋字串 %sconf\%s.cfg 找到 20040150 /$ 56 push esi 20040151 \|. 8B7424 08 mov esi, dword ptr [esp+8] 20040155 \|. 57 push edi 20040156 \|. 56 push esi 20040157 \|. E8 44FEFFFF call 2003FFA0 2004015C \|. 8B7C24 14 mov edi, dword ptr [esp+14] 20040160 \|. 68 C0070920 push 200907C0 20040165 \|. 57 push edi 20040166 \|. FF15 10260820 call dword ptr [20082610] 2004016C \|. 83C4 0C add esp, 0C 2004016F \|. 85C0 test eax, eax 20040171 \|. 57 push edi 20040172 \|. 56 push esi 20040173 \|. 75 12 jnz short 20040187 20040175 \|. 68 186A0920 push 20096A18 ; ASCII "%sconf\%s.cfg" 2004017A \|. 56 push esi 2004017B \|. FF15 34260820 call dword ptr [20082634] 20040181 \|. 83C4 10 add esp, 10 20040184 \|. 5F pop edi 20040185 \|. 5E pop esi 20040186 \|. C3 retn 20040187 \|> 68 7C440920 push 2009447C ; ASCII "%sconf\%s" 2004018C \|. 56 push esi 2004018D \|. FF15 34260820 call dword ptr [20082634] 20040193 \|. 83C4 10 add esp, 10 20040196 \|. 5F pop edi 20040197 \|. 5E pop esi 20040198 \. C3 retn 往回找來源的第一個 Call 找到 20026350 >/$ 6A FF push -1 20026352 \|. 68 B8F10720 push 2007F1B8 ; SE 處理程序安裝 20026357 \|. 64:A1 00000000 mov eax, dword ptr fs:[0] 2002635D \|. 50 push eax 2002635E \|. 64:8925 000000>mov dword ptr fs:[0], esp 20026365 \|. 81EC 24050000 sub esp, 524 2002636B \|. 55 push ebp 2002636C \|. 56 push esi 2002636D \|. 57 push edi 2002636E \|. 8BF1 mov esi, ecx 20026370 \|. E8 826B0500 call 2007CEF7 20026375 \|. 50 push eax 20026376 \|. 8D4C24 18 lea ecx, dword ptr [esp+18] 2002637A \|. E8 DD670500 call 2007CB5C 2002637F \|. 33ED xor ebp, ebp 20026381 \|. C74424 1C F443>mov dword ptr [esp+1C], 200843F4 20026389 \|. 89AC24 3805000>mov dword ptr [esp+538], ebp 20026390 \|. 896C24 20 mov dword ptr [esp+20], ebp 20026394 \|. 896C24 2C mov dword ptr [esp+2C], ebp 20026398 \|. 896C24 28 mov dword ptr [esp+28], ebp 2002639C \|. 896C24 24 mov dword ptr [esp+24], ebp 200263A0 \|. 8D4C24 0C lea ecx, dword ptr [esp+C] 200263A4 \|. C68424 3805000>mov byte ptr [esp+538], 1 200263AC \|. E8 E1640500 call 2007C892 200263B1 \|. 8B86 28590100 mov eax, dword ptr [esi+15928] 200263B7 \|. 8D8E 28590100 lea ecx, dword ptr [esi+15928] 200263BD \|. C68424 3805000>mov byte ptr [esp+538], 2 200263C5 \|. 3968 F8 cmp dword ptr [eax-8], ebp 200263C8 \|. 0F84 D2000000 je 200264A0 200263CE \|. 55 push ebp 200263CF \|. E8 D4660500 call 2007CAA8 200263D4 \|. 8D8C24 3001000>lea ecx, dword ptr [esp+130] 200263DB \|. 50 push eax ; 驗證帳號指標 200263DC \|. 51 push ecx 200263DD \|. E8 6E9D0100 call 20040150 在此處 Call Patch ; 進入 %sconf\%s.cfg 代碼 =============================== 200263DD 改為 call 20081298 =============================== Call Patch 代碼 20081298 $ 50 push eax ; 將通過動力認證的帳號字串寫入 EAX 指標位置 20081299 . 52 push edx 2008129A . 51 push ecx 2008129B . B9 C0120820 mov ecx, 200812C0 ; 要寫入的帳號存放指標(帳號必須原動力註冊用戶) 200812A0 > 8A11 mov dl, byte ptr [ecx] 200812A2 . 84D2 test dl, dl 200812A4 . 74 0A je short 200812B0 200812A6 . 8810 mov byte ptr [eax], dl 200812A8 . 83C0 01 add eax, 1 200812AB . 83C1 01 add ecx, 1 200812AE .^ EB F0 jmp short 200812A0 200812B0 > C600 00 mov byte ptr [eax], 0 200812B3 . 59 pop ecx 200812B4 . 5A pop edx 200812B5 . 58 pop eax 200812B6 .^ E9 95EEFBFF jmp 20040150 ; 跳回 %sconf\%s.cfg 代碼 200812BB 90 nop 200812BC 90 nop 200812BD 90 nop 200812BE 90 nop 200812BF 90 nop 200812C0 . 64 65 76 69 6>ascii "devilism",0 ; 帳號字串 (必須與SRO.EXE的Ptach字串一樣) 50 52 51 B9 C0 12 08 20 8A 11 84 D2 74 0A 88 10 83 C0 01 83 C1 01 EB F0 C6 00 00 59 5A 58 E9 95 EE FB FF 90 90 90 90 90 64 65 76 69 6C 69 73 6D 00 二開始掛機按鈕 Patch 搜尋 cmp eax,2D 確認登入認證指標 2004EDDE \|> \83F8 2D cmp eax, 2D 2004EDE1 \|. 75 57 jnz short 2004EE3A 2004EDE3 \|. 8B86 54040000 mov eax, dword ptr [esi+454] ; 認證指標 1=通過 0=不通過; Case 2D ('-') of switch 2004EDE9 \|. 85C0 test eax, eax 2004EDEB \|. 74 11 je short 2004EDFE 2004EDED \|. 8B46 14 mov eax, dword ptr [esi+14] 2004EDF0 \|. 5E pop esi 2004EDF1 \|. C780 24D60000>mov dword ptr [eax+D624], 1 ; 開始掛機記號 1=開始掛機 0=停止掛機 2004EDFB \|. C2 0400 retn 4 登入認證代碼為 [e??+454] HEX 54 04 00 00 ================================= 找到輸出表 # 47 2002B400 >/$ 53 push ebx ; #47 2002B401 \|. 56 push esi 2002B402 \|. 8BF1 mov esi, ecx 2002B404 \|. 57 push edi 2002B405 \|. 66:83BE 48390>cmp word ptr [esi+3948], 0 2002B40D \|. 0F84 75040000 je 2002B888 2002B413 \|. E8 986A0000 call #249 2002B418 \|. 85C0 test eax, eax 2002B41A \|. 0F85 68040000 jnz 2002B888 2002B420 \|. 8B46 1C mov eax, dword ptr [esi+1C] 2002B423 \|. 8B88 54040000 mov ecx, dword ptr [eax+454] ; 改為 mov dword ptr [eax+454],1 2002B429 \|. 85C9 test ecx, ecx ; NOP 2002B42B \|. 0F84 57040000 je 2002B888 ; NOP 2002B431 \|. FF15 44200820 call dword ptr [20082044] ================================= 搜尋 push 0C30 20065AD0 /$ 6A 01 push 1 20065AD2 \|. 68 300C0000 push 0C30 20065AD7 \|. E8 D86F0100 call 2007CAB4 20065ADC \|. 8BC8 mov ecx, eax 20065ADE \|. E8 25700100 call 2007CB08 20065AE3 \. C3 retn 往回找來源的 Call 找到 200655A0 . 8B81 54040000 mov eax, dword ptr [ecx+454] ; 改為 mov dword ptr [ecx+454],1 200655A6 . 85C0 test eax, eax ; nop 200655A8 . 74 07 je short 200655B1 ; nop 200655AA > 8BCD mov ecx, ebp 200655AC . E8 1F050000 call 20065AD0 ; 進入 push 0C30 2013-5-13 19:52 0
djpvd 雪币： 320 活跃值： (104) 能力值： (RANK：180 ) 在线值：发帖 133 回帖 447 粉丝 2 关注私信	djpvd 4 3 楼 Send Packet Patch II 004103C0 . /E9 DF590200 jmp 00435DA4 ; Send Packet JMP Patch 004103C5 \|90 nop 004103C6 \|90 nop 0041065E . /E9 5C570200 jmp 00435DBF ; Re send Packet JMP Patch 00410663 \|90 nop <JMP Patch> 00435DA4 00435DA4 > \83EC 64 sub esp, 64 00435DA7 . 8B4424 68 mov eax, dword ptr [esp+68] 00435DAB . 50 push eax 00435DAC . 51 push ecx 00435DAD . 52 push edx 00435DAE . 53 push ebx 00435DAF . E8 27000000 call 00435DDB 00435DB4 . 5B pop ebx 00435DB5 . 5A pop edx 00435DB6 . 59 pop ecx 00435DB7 . 58 pop eax 00435DB8 .^ E9 0AA6FDFF jmp 004103C7 00435DBD 00 db 00 00435DBE 00 db 00 00435DBF > 8D96 B04E0000 lea edx, dword ptr [esi+4EB0] 00435DC5 . 50 push eax 00435DC6 . 51 push ecx 00435DC7 . 52 push edx 00435DC8 . 53 push ebx 00435DC9 . 8BC2 mov eax, edx 00435DCB . E8 0B000000 call 00435DDB 00435DD0 . 5B pop ebx 00435DD1 . 5A pop edx 00435DD2 . 59 pop ecx 00435DD3 . 58 pop eax 00435DD4 .^ E9 8BA8FDFF jmp 00410664 00435DD9 00 db 00 00435DDA 00 db 00 00435DDB /$ 66:8178 0A 01>cmp word ptr [eax+A], 101 00435DE1 \|. 74 08 je short 00435DEB 00435DE3 \|. 66:8178 0A 07>cmp word ptr [eax+A], 107 00435DE9 \|. 75 27 jnz short 00435E12 00435DEB \|> B9 00506800 mov ecx, 00685000 ; 發送封包指標 00435DF0 \|. 33D2 xor edx, edx 00435DF2 \|. 33DB xor ebx, ebx 00435DF4 \|> 83FB 08 /cmp ebx, 8 00435DF7 \|. 74 0E \|je short 00435E07 00435DF9 \|. 83FB 0A \|cmp ebx, 0A 00435DFC \|. 74 09 \|je short 00435E07 00435DFE \|. 83FB 47 \|cmp ebx, 47 00435E01 \|. 74 0F \|je short 00435E12 00435E03 \|. 8A11 \|mov dl, byte ptr [ecx] 00435E05 \|. 8810 \|mov byte ptr [eax], dl 00435E07 \|> 83C0 01 \|add eax, 1 00435E0A \|. 83C1 01 \|add ecx, 1 00435E0D \|. 83C3 01 \|add ebx, 1 00435E10 \|.^ EB E2 \jmp short 00435DF4 00435E12 \> C3 retn ======================== 004103C0 E9 DF 59 02 00 90 90 0041065E E9 5C 57 02 00 90 00435DA4 83 EC 64 8B 44 24 68 50 51 52 53 E8 27 00 00 00 5B 5A 59 58 E9 0A A6 FD FF 00 00 8D 96 B0 4E 00 00 50 51 52 53 8B C2 E8 0B 00 00 00 5B 5A 59 58 E9 8B A8 FD FF 00 00 66 81 78 0A 01 01 74 08 66 81 78 0A 07 01 75 27 B9 00 69 44 00 33 D2 33 DB 83 FB 08 74 0E 83 FB 0A 74 09 83 FB 47 74 0F 8A 11 88 10 83 C0 01 83 C1 01 83 C3 01 EB E2 C3 ======================== 102 & 108 Packet Patch II 0040E724 call 00435E15 <Call Patch> 0040E8C6 call 00435E15 <Call Patch> <Call Patch> 00435E15 $ 50 push eax 00435E16 . 51 push ecx 00435E17 . 52 push edx 00435E18 . 56 push esi 00435E19 . 33D2 xor edx, edx 00435E1B . 33C0 xor eax, eax 00435E1D . B9 50506800 mov ecx, 00685050 ; 接收封包指標 00435E22 > 83FA 08 cmp edx, 8 00435E25 . 74 0E je short 00435E35 00435E27 . 83FA 0A cmp edx, 0A 00435E2A . 74 09 je short 00435E35 00435E2C . 83FA 2D cmp edx, 2D 00435E2F . 74 0F je short 00435E40 00435E31 . 8A01 mov al, byte ptr [ecx] 00435E33 . 8806 mov byte ptr [esi], al 00435E35 > 83C2 01 add edx, 1 00435E38 . 83C1 01 add ecx, 1 00435E3B . 83C6 01 add esi, 1 00435E3E .^ EB E2 jmp short 00435E22 00435E40 > 5E pop esi 00435E41 . 5A pop edx 00435E42 . 59 pop ecx 00435E43 . 58 pop eax 00435E44 .^ E9 779CFDFF jmp 0040FAC0 ======================== 0040E724 E8 EC 76 02 00 0040E8C6 E8 4A 75 02 00 00435E15 50 51 52 56 33 D2 33 C0 B9 50 69 44 00 83 FA 08 74 0E 83 FA 0A 74 09 83 FA 2D 74 0F 8A 01 88 06 83 C2 01 83 C1 01 83 C6 01 EB E2 5E 5A 59 58 E9 77 9C FD FF ======================== send packet 00685000 7C 22 47 00 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 64 65 76 69 6C 69 73 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 6D 7A 9E A6 1B DB 70 2D recv packet 00685050 6D 53 2D 00 00 00 00 00 00 00 02 01 00 14 BE 03 00 65 68 03 00 1B DB 70 2D 64 65 76 69 6C 69 73 6D 00 00 00 00 00 00 00 00 00 00 00 00 發送與接收封包全寫在 .tls 區段 2013-5-13 19:57 0
djpvd 雪币： 320 活跃值： (104) 能力值： (RANK：180 ) 在线值：发帖 133 回帖 447 粉丝 2 关注私信	djpvd 4 4 楼 SRO 脫機主程式無法解密的時候就得打記憶體補丁下載附件然後修改 ========================================= SRO-Trainer Patch For SRO.EXE v1.69d ========================================= packet 102 Code Patch 0040153A $ 6A 00 push 0 ; /# 102 case Patch 0040153C . 6A 01 push 1 ; \|BytesToWrite = 1 0040153E . 68 00504000 push 00405000 ; \|Buffer = SRO-Trai.00405000 00401543 . 68 33E74000 push 0040E733 ; \|Address = 40E733 00401548 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 0040154E . E8 9AFFFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 00401553 . 6A 00 push 0 ; /pBytesWritten = NULL 00401555 . 6A 01 push 1 ; \|BytesToWrite = 1 00401557 . 68 00504000 push 00405000 ; \|Buffer = SRO-Trai.00405000 0040155C . 68 47E74000 push 0040E747 ; \|Address = 40E747 00401561 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 00401567 . E8 81FFFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 0040156C . 6A 00 push 0 ; /pBytesWritten = NULL 0040156E . 6A 01 push 1 ; \|BytesToWrite = 1 00401570 . 68 00504000 push 00405000 ; \|Buffer = SRO-Trai.00405000 00401575 . 68 53E74000 push 0040E753 ; \|Address = 40E753 0040157A . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 00401580 . E8 68FFFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 00401585 . 6A 00 push 0 ; /pBytesWritten = NULL 00401587 . 6A 06 push 6 ; \|BytesToWrite = 6 00401589 . 68 10504000 push 00405010 ; \|Buffer = SRO-Trai.00405010 0040158E . 68 71E74000 push 0040E771 ; \|Address = 40E771 00401593 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 00401599 . E8 4FFFFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 0040159E . 6A 00 push 0 ; /pBytesWritten = NULL 004015A0 . 6A 06 push 6 ; \|BytesToWrite = 6 004015A2 . 68 10504000 push 00405010 ; \|Buffer = SRO-Trai.00405010 004015A7 . 68 96E84000 push 0040E896 ; \|Address = 40E896 004015AC . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 004015B2 . E8 36FFFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory packet 108 Code Patch 004015B7 . 6A 00 push 0 ; /# 108 case Patch 004015B9 . 6A 01 push 1 ; \|BytesToWrite = 1 004015BB . 68 00504000 push 00405000 ; \|Buffer = SRO-Trai.00405000 004015C0 . 68 D7E84000 push 0040E8D7 ; \|Address = 40E8D7 004015C5 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 004015CB . E8 1DFFFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 004015D0 . 6A 00 push 0 ; /pBytesWritten = NULL 004015D2 . 6A 01 push 1 ; \|BytesToWrite = 1 004015D4 . 68 00504000 push 00405000 ; \|Buffer = SRO-Trai.00405000 004015D9 . 68 EDE84000 push 0040E8ED ; \|Address = 40E8ED 004015DE . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 004015E4 . E8 04FFFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 004015E9 . 6A 00 push 0 ; /pBytesWritten = NULL 004015EB . 6A 06 push 6 ; \|BytesToWrite = 6 004015ED . 68 10504000 push 00405010 ; \|Buffer = SRO-Trai.00405010 004015F2 . 68 17E94000 push 0040E917 ; \|Address = 40E917 004015F7 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 004015FD . E8 EBFEFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 00401602 . 6A 00 push 0 ; /pBytesWritten = NULL 00401604 . 6A 06 push 6 ; \|BytesToWrite = 6 00401606 . 68 10504000 push 00405010 ; \|Buffer = SRO-Trai.00405010 0040160B . 68 22E94000 push 0040E922 ; \|Address = 40E922 00401610 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 00401616 . E8 D2FEFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 0040161B . 6A 00 push 0 ; /pBytesWritten = NULL 0040161D . 6A 04 push 4 ; \|BytesToWrite = 4 0040161F . 68 18504000 push 00405018 ; \|Buffer = SRO-Trai.00405018 00401624 . 68 21EA4000 push 0040EA21 ; \|Address = 40EA21 00401629 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 0040162F . E8 B9FEFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory check time relogin Code Patch 00401634 . 6A 00 push 0 ; /# check time relogin Patch 00401636 . 6A 14 push 14 ; \|BytesToWrite = 14 (20.) 00401638 . 68 20504000 push 00405020 ; \|Buffer = SRO-Trai.00405020 0040163D . 68 8EF44000 push 0040F48E ; \|Address = 40F48E 00401642 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 00401648 . E8 A0FEFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory dl send data Patch 0040164D . 6A 00 push 0 ; /# dl send data Patch 0040164F . 6A 65 push 65 ; \|BytesToWrite = 65 (101.) 00401651 . 68 40504000 push 00405040 ; \|Buffer = Trainer-.00405040 00401656 . 68 A45D4300 push 435DA4 ; \|Address = 435DA4 0040165B . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 00401661 . E8 87FEFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 00401666 . 6A 00 push 0 ; /pBytesWritten = NULL 00401668 . 6A 07 push 7 ; \|BytesToWrite = 7 0040166A . 68 B0504000 push 004050B0 ; \|Buffer = Trainer-.004050B0 0040166F . 68 C0034100 push 004103C0 ; \|Address = 4103C0 00401674 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 0040167A . E8 6EFEFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 0040167F . 6A 00 push 0 ; /pBytesWritten = NULL 00401681 . 6A 06 push 6 ; \|BytesToWrite = 6 00401683 . 68 B8504000 push 004050B8 ; \|Buffer = Trainer-.004050B8 00401688 . 68 5E064100 push 0041065E ; \|Address = 41065E 0040168D . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 00401693 . E8 55FEFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 102 & 108 Packet Patch 00401698 . 6A 00 push 0 ; /# 102 & 108 Packet Patch 0040169A . 6A 34 push 34 ; \|BytesToWrite = 34 (52.) 0040169C . 68 C0504000 push 004050C0 ; \|Buffer = Trainer-.004050C0 004016A1 . 68 205E4300 push 435E20 ; \|Address = 435E20 004016A6 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 004016AC . E8 3CFEFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 004016B1 . 6A 00 push 0 ; /pBytesWritten = NULL 004016B3 . 6A 00 push 0 ; \|BytesToWrite = 0 004016B5 . 68 00514000 push 00405100 ; \|Buffer = Trainer-.00405100 004016BA . 68 24E74000 push 0040E724 ; \|Address = 40E724 004016BF . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 004016C5 . E8 23FEFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory 004016CA . 6A 00 push 0 ; /pBytesWritten = NULL 004016CC . 6A 00 push 0 ; \|BytesToWrite = 0 004016CE . 68 08514000 push 00405108 ; \|Buffer = Trainer-.00405108 004016D3 . 68 C6E84000 push 0040E8C6 ; \|Address = 40E8C6 004016D8 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 004016DE . E8 0AFEFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory send packet 004016E3 . 6A 00 push 0 ; /# send packet 004016E5 . 6A 47 push 47 ; \|BytesToWrite = 47 (71.) 004016E7 . 68 10514000 push 00405110 ; \|Buffer = Trainer-.00405110 004016EC 68 00606800 push 686000 004016F1 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 004016F7 . E8 F1FDFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory recv packet 004016FC . 6A 00 push 0 ; /# recv packet 004016FE . 6A 2D push 2D ; \|BytesToWrite = 2D (45.) 00401700 . 68 60514000 push 00405160 ; \|Buffer = Trainer-.00405160 00401705 68 50606800 push 686050 0040170A . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 00401710 . E8 D8FDFFFF call <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory jmp 00401066 <ExitCode = 0> Patch Code <5000h> EB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 90 90 90 90 90 00 00 C7 45 48 01 00 00 00 00 C7 46 48 01 00 00 00 C7 46 4C 00 00 00 00 E9 36 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 00 83 EC 64 8B 44 24 68 50 51 52 53 E8 27 00 00 00 5B 5A 59 58 E9 0A A6 FD FF 00 00 8D 96 B0 4E 00 00 50 51 52 53 8B C2 E8 0B 00 00 00 5B 5A 59 58 E9 8B A8 FD FF 00 00 66 81 78 0A 01 01 74 08 66 81 78 0A 07 01 75 1D B9 00 60 68 00 33 D2 33 DB 83 FB 47 74 0F 8A 11 88 10 83 C0 01 83 C1 01 83 C3 01 EB EC C3 00 00 00 00 00 00 00 00 00 00 00 E9 DF 59 02 00 90 90 00 E9 5C 57 02 00 90 00 00 50 51 52 56 33 D2 33 C0 B9 50 60 68 00 83 FA 08 74 0E 83 FA 0A 74 09 83 FA 2D 74 0F 8A 01 88 06 83 C2 01 83 C1 01 83 C6 01 EB E2 5E 5A 59 58 E9 6C 9C FD FF 00 00 00 00 00 00 00 00 00 00 00 00 E8 F7 76 02 00 00 00 00 E8 55 75 02 00 00 00 00 CD 56 47 00 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 73 61 66 69 6E 61 63 6F 6F 6C 00 00 00 00 00 00 00 00 00 00 00 3F A3 6E 6E 39 C4 E4 AD 00 00 00 00 00 00 00 00 00 C4 A7 2D 00 00 00 00 00 C7 03 02 01 00 28 C0 03 00 BE 34 04 00 39 C4 E4 AD 73 61 66 69 6E 61 63 6F 6F 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 ========================= SRO-Trainer 處理代碼解析 ========================= 0040113C > \6A 70 push 70 ; /Key = VK_F1 0040113E . E8 EC030000 call <jmp.&user32.GetAsyncKeyState> ; \GetAsyncKeyState 00401143 . 83F8 00 cmp eax, 0 00401146 . 74 05 je short 0040114D 00401148 . E8 ED030000 call 0040153A ; 進入Patch代碼 kernel32.WriteProcessMemor 函數分析 0040153A $ 6A 00 push 0 ; /pBytesWritten = NULL 0040153C . 6A 59 push 59 ; \|BytesToWrite = 要寫入的 Patch 位元組長度 0040153E . 68 30504000 push 00405030 ; \|Buffer = SRO-Trai.00405030 已寫好的 Patch 的指標 00401543 . 68 A25D4300 push 435DA2 ; \|Address = SRO.EXE 要 Patch 的位址 00401548 . FF35 22234000 push dword ptr [402322] ; \|hProcess = NULL 0040154E . E8 9AFFFFFF call <jmp.&kernel32.WriteProcessMemor> ; \WriteProcessMemory 上传的附件： Trainer.v1.74.rar （35.54kb，27次下载） 2013-5-13 20:00 0
djpvd 雪币： 320 活跃值： (104) 能力值： (RANK：180 ) 在线值：发帖 133 回帖 447 粉丝 2 关注私信	djpvd 4 5 楼 ====================== sro.dll 無法用OD載入脫殼時 ====================== 1. DLL 無法載入原因輸出表還原實際大小即可 2. SRO.DLL OEP 入口點代碼 hex 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 2013-5-13 20:02 0
djpvd 雪币： 320 活跃值： (104) 能力值： (RANK：180 ) 在线值：发帖 133 回帖 447 粉丝 2 关注私信	djpvd 4 6 楼封包分析 ======================================================================== send <發送封包> +0 +1 +2 +3 +4 +5 +6 +7 +8 +9 +A +B +C +D +E +F 0000 3B 92 47 00 00 00 00 00 2E 00 08 01 00 00 00 00 ;.G............. 0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0020 00 00 00 00 00 00 02 00 00 00 70 76 64 32 30 30 ..........pvd200 0030 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BA 7............... 0040 2C 12 3E BC 52 40 C4 ,.>k.Z. ------------------------------------------------------------------------ +00 位置 3B 92 發送認證封包的 KEY +02 位置 47 為封包長度 +08 位置 2E 為封包發送次數 +0A 位置 08 01 為 Case 代碼 +26 位置為外掛種類識別 01=內掛 02=脫機 +2A 位置為遊戲帳號字串 +3F 位置為動力註冊認證 KEY1 +43 位置為動力註冊認證 KEY2 ------------------------------------------------------------------------ Patch 目標 +00 封包頭 KEY +26 掛機種類 +2A 動力註冊帳號 +3F 註冊認證 KEY1 +43 註冊認證 KEY2 ======================================================================== ======================================================================== Recv <接收封包> +0 +1 +2 +3 +4 +5 +6 +7 +8 +9 +A +B +C +D +E +F 0000 83 FB 2D 00 00 00 00 00 00 00 02 01 00 75 26 02 ..-..........u&. 0010 00 66 5C 03 00 BC 52 40 C4 61 30 39 33 34 31 37 .f\...R@.a093417 0020 38 32 31 35 00 00 00 00 00 00 00 00 00 8215......... ------------------------------------------------------------------------ +00 位置 83 FB 接收認證封包的 KEY +02 位置 2D 為封包長度 +0A 位置 02 01 為 Case 代碼 +0C 位置為帳號註冊狀態 02 為帳號到期 01 為資料錯誤 00 為註冊可用帳號 +0D 位置 75 26 02 00 動力註冊序號 (每個註冊用戶都有一個序號) +11 位置 66 5C 03 00 為剩餘時間(以分鐘計算) +15 位置 BC 52 40 C4 為動力註冊認證 KEY2 +19 位置 61 30 39 33 34 31 37 38 32 31 35 動力註冊帳號(遊戲帳號) ------------------------------------------------------------------------ Patch 目標 (非必要) +00 封包頭 KEY +0C 認證帳號註冊狀態 +0D 動力註冊序號 +11 剩餘時間 <必須有時間才會運作> +15 動力註冊認證 KEY2 +19 動力註冊帳號(遊戲帳號) ======================================================================== 其實說真的有些DEBUG專業名詞我也搞不懂這一切都是誤打誤撞長期觀察加點幻想搞出這些東西出來的像上面什麼Key....都是自己暫定名稱反正你看得懂就好原理解說: 其實這個破解方式就是拿別人有註冊的帳號然後修改外掛讓外掛發送給動力伺服器有註冊的會員帳號然後外掛就會收到伺服器正常註冊的封包讓外掛正常運作因為卡在絲路官網有圖片驗證而外掛自動圖片驗證又是在動力伺服器上面怕外掛斷線重登時人不在旁邊沒辦法打驗證圖片文字所以乾脆就用這個方法以前的版本沒有圖片驗證可以解Game.dat 現在做免驗證的麻煩至於有註冊動力的帳號怎麼取得自己動腦想吧外掛本身就可以測試哪個帳號有沒有註冊勝多少時間了 2013-5-13 20:04 0
ProbieTmp 雪币： 144 活跃值： (42) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 35 粉丝 0 关注私信	ProbieTmp 7 楼图破了。 2013-5-13 20:32 0
white、、雪币： 60 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 387 粉丝 0 关注私信	white、、 8 楼收藏，等下仔细看，谢谢。 2013-5-15 23:33 0
透明色雪币： 143 活跃值： (263) 能力值： ( LV8，RANK：120 ) 在线值：发帖 12 回帖 242 粉丝 8 关注私信	透明色 2 9 楼好东西，感谢楼主分享啊 2013-5-16 07:14 0
zyicai 雪币： 437 活跃值： (78) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 194 粉丝 0 关注私信	zyicai 10 楼不错，楼主好人 2013-5-16 08:30 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

djpvd

雪币： 320

活跃值： (104)

能力值： (RANK：180 )

在线值：

发帖

133

回帖

447

粉丝

2

关注

私信

djpvd 4: 2 楼

SRO.EXE(脫機掛主程式) Patch 分析

一發送封包寫入

A 方式一

*********************************************************
搜尋字串 dl send data %x,%d,TICK:%d 往上找代碼的頭
找到

004103C0   .  83EC 64       sub     esp, 64                          ;  這裡 NOP 改 JMP <Patch>
004103C3   .  8B4424 68     mov     eax, dword ptr [esp+68]          ;  這裡 NOP <封包指標傳到 EAX>
004103C7   .  53            push    ebx                              ;  <Patch> Run 完跳回這裡
004103C8   .  55            push    ebp
004103C9   .  8B6C24 74     mov     ebp, dword ptr [esp+74]          ;  <封包大小傳到 EBP>
004103CD   .  8BD9          mov     ebx, ecx
004103CF   .  8BCD          mov     ecx, ebp
004103D1   .  56            push    esi
004103D2   .  8BD1          mov     edx, ecx
004103D4   .  57            push    edi
004103D5   .  8BF0          mov     esi, eax
004103D7   .  8DBB B04E0000 lea     edi, dword ptr [ebx+4EB0]
004103DD   .  C1E9 02       shr     ecx, 2
004103E0   .  F3:A5         rep     movs dword ptr es:[edi], dword p>
004103E2   .  8BCA          mov     ecx, edx
004103E4   .  83E1 03       and     ecx, 3
004103E7   .  F3:A4         rep     movs byte ptr es:[edi], byte ptr>
004103E9   .  8B8B B48E0000 mov     ecx, dword ptr [ebx+8EB4]
004103EF   .  89AB B06E0000 mov     dword ptr [ebx+6EB0], ebp
004103F5   .  85C9          test    ecx, ecx
004103F7   .  0F84 0D010000 je      0041050A
004103FD   .  81FD E8030000 cmp     ebp, 3E8

略......................

0041049A   .  8983 BC8E0000 mov     dword ptr [ebx+8EBC], eax
004104A0   .  50            push    eax                              ; /<%d>
004104A1   .  33C0          xor     eax, eax                         ; |
004104A3   .  55            push    ebp                              ; |<%d>
004104A4   .  66:8B46 0A    mov     ax, word ptr [esi+A]             ; |
004104A8   .  8D4C24 18     lea     ecx, dword ptr [esp+18]          ; |
004104AC   .  50            push    eax                              ; |<%x>
004104AD   .  68 D4844400   push    004484D4                         ; |format = "dl send data %x,%d,TICK:%d"
004104B2   .  51            push    ecx                              ; |s
004104B3   .  FF15 3C6D4300 call    dword ptr [436D3C]               ; \sprintf

改為

004103C0   . /E9 DF590200   jmp     00435DA4                         ;  這裡 NOP 改 JMP <dl send data Patch>
004103C5     |90            nop
004103C6     |90            nop
004103C7   > |53            push    ebx                              ;  <Patch> Run 完跳回這裡
004103C8   . |55            push    ebp
004103C9   . |8B6C24 74     mov     ebp, dword ptr [esp+74]          ;  <封包大小傳到 EBP>

*********************************************************

搜尋字串 re send data %x,%d
找到

00410630  /$  83EC 64       sub     esp, 64
00410633  |.  56            push    esi
00410634  |.  8BF1          mov     esi, ecx
00410636  |.  8B86 B48E0000 mov     eax, dword ptr [esi+8EB4]
0041063C  |.  85C0          test    eax, eax
0041063E  |.  74 65         je      short 004106A5
00410640  |.  8B86 B88E0000 mov     eax, dword ptr [esi+8EB8]
00410646  |.  8B96 B06E0000 mov     edx, dword ptr [esi+6EB0]        ;  移動大小到 EDX
0041064C  |.  8B8E C48E0000 mov     ecx, dword ptr [esi+8EC4]
00410652  |.  40            inc     eax
00410653  |.  6A 00         push    0
00410655  |.  52            push    edx                              ;  EDX 大小
00410656  |.  8986 B88E0000 mov     dword ptr [esi+8EB8], eax
0041065C  |.  8B01          mov     eax, dword ptr [ecx]
0041065E  |.  8D96 B04E0000 lea     edx, dword ptr [esi+4EB0]        ;  指標移到 DEX <這裡NOP 改為 JMP Patch>
00410664  |.  52            push    edx                              ;  EDX 指標 <Patch 代碼跑完跳回這裡>
00410665  |.  FF50 20       call    dword ptr [eax+20]               ;  Call MFC42.#CAsyncSocket::Send_5796
00410668  |.  E8 51D92000   call    0061DFBE
0041066D  |.  90            nop
0041066E  |.  8986 BC8E0000 mov     dword ptr [esi+8EBC], eax
00410674  |.  8B86 B06E0000 mov     eax, dword ptr [esi+6EB0]
0041067A  |.  33C9          xor     ecx, ecx
0041067C  |.  50            push    eax                              ; /<%d>
0041067D  |.  66:8B8E BA4E0>mov     cx, word ptr [esi+4EBA]          ; |
00410684  |.  8D5424 08     lea     edx, dword ptr [esp+8]           ; |
00410688  |.  51            push    ecx                              ; |<%x>
00410689  |.  68 14854400   push    00448514                         ; |format = "re send data %x,%d"
0041068E  |.  52            push    edx                              ; |s
0041068F  |.  FF15 3C6D4300 call    dword ptr [436D3C]               ; \sprintf

改為

0041065E   . /E9 54570200   jmp     00435DB7                         ;  這裡 NOP 改為 JMP <re send data Patch>
00410663     |90            nop
00410664   > |52            push    edx                              ;  <Patch 代碼跑完跳回這裡>

*********************************************************

<Patch>

00435DA4   > \83EC 64       sub     esp, 64                          ;  <dl send data Patch>
00435DA7   .  8B4424 68     mov     eax, dword ptr [esp+68]
00435DAB   .  E8 1D000000   call    00435DCD                         ;  <Packet Patch>
00435DB0   .^ E9 12A6FDFF   jmp     004103C7                         ;  跳回到原來代碼
00435DB5      00            db      00
00435DB6      00            db      00
00435DB7   >  8D96 B04E00   lea     edx, dword ptr [esi+4EB0]        ;  <re send data Patch>
00435DBD   .  50            push    eax
00435DBE   .  8BC2          mov     eax, edx
00435DC0   .  E8 08000000   call    00435DCD                         ;  <Packet Patch>
00435DC5   .  58            pop     eax
00435DC6   .^ E9 99A8FDFF   jmp     00410664                         ;  跳回到原來代碼
00435DCB      00            db      00
00435DCC      00            db      00
00435DCD  /$  66:8178 0A    cmp     word ptr [eax+A], 101
00435DD3  |.  74 08         je      short 00435DDD
00435DD5  |.  66:8178 0A    cmp     word ptr [eax+A], 107
00435DDB  |.  75 40         jnz     short 00435E1D
00435DDD  |>  66:C700 CD56  mov     word ptr [eax], 56CD             ;  封包頭 Key <長度4個位元組>
00435DE2  |.  66:C740 0A    mov     word ptr [eax+A], 101            ;  Case
00435DE8  |.  C640 26 02    mov     byte ptr [eax+26], 2             ;  掛機種類 01=內掛 02=脫機
00435DEC  |.  C740 2A 7361  mov     dword ptr [eax+2A], 69666173     ;  動力認證遊戲帳號 <最多20個位元組>
00435DF3  |.  C740 2E 6E61  mov     dword ptr [eax+2E], 6F63616E
00435DFA  |.  C740 32 6F6C  mov     dword ptr [eax+32], 6C6F
00435E01  |.  C740 36 0000  mov     dword ptr [eax+36], 0
00435E08  |.  C740 3A 0000  mov     dword ptr [eax+3A], 0
00435E0F  |.  C740 3F 3FA3  mov     dword ptr [eax+3F], 6E6EA33F     ;  動力認證 KEY1
00435E16  |.  C740 43 39C4  mov     dword ptr [eax+43], ADE4C439     ;  動力認證 KEY2
00435E1D  \>  C3            retn

==================
dl send data Patch
==================

004103C0
E9 DF 59 02 00 90 90

0041065E
E9 54 57 02 00 90

00435DA4
83 EC 64 8B 44 24 68 E8 1D 00 00 00 E9 12 A6 FD FF 00 00 8D 96 B0 4E 00 00 50 8B C2 E8 08 00 00
00 58 E9 99 A8 FD FF 00 00 66 81 78 0A 01 01 74 08 66 81 78 0A 07 01 75 40 66 C7 00 CD 56 66 C7
40 0A 01 01 C6 40 26 02 C7 40 2A 73 61 66 69 C7 40 2E 6E 61 63 6F C7 40 32 6F 6C 00 00 C7 40 36
00 00 00 00 C7 40 3A 00 00 00 00 C7 40 3F 3F A3 6E 6E C7 40 43 39 C4 E4 AD C3

==================

B 方式二

*********************************************************

004103C0   . /E9 DF590200   jmp     00435DA4                         ;  JMP to <Patch1>
004103C5     |90            nop
004103C6     |90            nop

0041065E   . /E9 5C570200   jmp     00435DBF                         ;  JMP to <Patch2>
00410663     |90            nop

00435DA4   > \83EC 64       sub     esp, 64
00435DA7   .  8B4424 68     mov     eax, dword ptr [esp+68]
00435DAB   .  50            push    eax
00435DAC   .  51            push    ecx
00435DAD   .  52            push    edx
00435DAE   .  53            push    ebx
00435DAF   .  E8 27000000   call    00435DDB                         ;  Call Sand Packet Patch
00435DB4   .  5B            pop     ebx
00435DB5   .  5A            pop     edx
00435DB6   .  59            pop     ecx
00435DB7   .  58            pop     eax
00435DB8   .^ E9 0AA6FDFF   jmp     004103C7

00435DBF   > \8D96 B04E0000 lea     edx, dword ptr [esi+4EB0]
00435DC5   .  50            push    eax
00435DC6   .  51            push    ecx
00435DC7   .  52            push    edx
00435DC8   .  53            push    ebx
00435DC9   .  8BC2          mov     eax, edx
00435DCB   .  E8 0B000000   call    00435DDB                         ;  Call <Sand Packet Patch>
00435DD0   .  5B            pop     ebx
00435DD1   .  5A            pop     edx
00435DD2   .  59            pop     ecx
00435DD3   .  58            pop     eax
00435DD4   .^ E9 8BA8FDFF   jmp     00410664

00435DDB  /$  66:8178 0A 01>cmp     word ptr [eax+A], 101            ;  Sand Packet Patch
00435DE1  |.  74 08         je      short 00435DEB
00435DE3  |.  66:8178 0A 07>cmp     word ptr [eax+A], 107
00435DE9  |.  75 1D         jnz     short 00435E08                   ;  JMP TO RETN
00435DEB  |>  B9 00606800   mov     ecx, 00686000
00435DF0  |.  33D2          xor     edx, edx
00435DF2  |.  33DB          xor     ebx, ebx
00435DF4  |>  83FB 47       /cmp     ebx, 47
00435DF7  |.  74 0F         |je      short 00435E08                  ;  JMP TO RETN
00435DF9  |.  8A11          |mov     dl, byte ptr [ecx]
00435DFB  |.  8810          |mov     byte ptr [eax], dl
00435DFD  |.  83C0 01       |add     eax, 1
00435E00  |.  83C1 01       |add     ecx, 1
00435E03  |.  83C3 01       |add     ebx, 1
00435E06  |.^ EB EC         \jmp     short 00435DF4
00435E08  \>  C3            retn

==================

004103C0
E9 DF 59 02 00 90 90

0041065E
E9 5C 57 02 00 90

00435DA4
83 EC 64 8B 44 24 68 50 51 52 53 E8 27 00 00 00 5B 5A 59 58 E9 0A A6 FD FF 00 00 8D 96 B0 4E 00
00 50 51 52 53 8B C2 E8 0B 00 00 00 5B 5A 59 58 E9 8B A8 FD FF 00 00 66 81 78 0A 01 01 74 08 66
81 78 0A 07 01 75 1D B9 00 60 68 00 33 D2 33 DB 83 FB 47 74 0F 8A 11 88 10 83 C0 01 83 C1 01 83
C3 01 EB EC C3

==================

二檢查 DL 重登時間

搜尋字串 check time relogin dl with minute error
找到

0040F476   > \8B86 90200000 mov     eax, dword ptr [esi+2090]
0040F47C   .  3BC3          cmp     eax, ebx                         ;  比較 EAX 是否=0
0040F47E   .  74 0E         je      short 0040F48E                   ;  
0040F480   .  2BF8          sub     edi, eax
0040F482   .  81FF E0930400 cmp     edi, 493E0                       ;  比較 EDI-EAX 是否大於 493E0
0040F488   .  0F87 49010000 ja      0040F5D7
0040F48E   >  395E 48       cmp     dword ptr [esi+48], ebx          ;  <<<這裡 Patch>>> 驗證通過時為1
0040F491   .  0F84 40010000 je      0040F5D7                         ;  0則跳到預設
0040F497   .  395E 4C       cmp     dword ptr [esi+4C], ebx
0040F49A   .  0F85 37010000 jnz     0040F5D7                         ;  0則跳到預設
0040F4A0   .  FFD5          call    ebp
0040F4A2   .  8B56 44       mov     edx, dword ptr [esi+44]
0040F4A5   .  8BF8          mov     edi, eax
0040F4A7   .  8BCF          mov     ecx, edi
0040F4A9   .  B8 D34D6210   mov     eax, 10624DD3
0040F4AE   .  2BCA          sub     ecx, edx
0040F4B0   .  F7E1          mul     ecx
0040F4B2   .  C1EA 06       shr     edx, 6
0040F4B5   .  B8 89888888   mov     eax, 88888889
0040F4BA   .  F7E2          mul     edx
0040F4BC   .  C1EA 05       shr     edx, 5
0040F4BF   .  79 46         jns     short 0040F507                   ;  跳到第二個重登
0040F4C1   .  8D5424 10     lea     edx, dword ptr [esp+10]
0040F4C5   .  68 08844400   push    00448408                         ; /format = "check time relogin dl with minute error"
0040F4CA   .  52            push    edx                              ; |s
0040F4CB   .  FF15 3C6D4300 call    dword ptr [436D3C]               ; \sprintf

改為

0040F48E   > \C746 48 01000>mov     dword ptr [esi+48], 1            ;  這裡 Patch
0040F495   .  C746 4C 00000>mov     dword ptr [esi+4C], 0
0040F49C   .  E9 36010000   jmp     0040F5D7
0040F4A1      90            nop

================
relogin dl Patch
================

0040F48E
C7 46 48 01 00 00 00 C7 46 4C 00 00 00 00 E9 36 01 00 00 90

================

三 102 108 封包處理代碼 Patch

搜尋字串 recv packet 0102

0040E706   > \8B4D 08       mov     ecx, dword ptr [ebp+8]        ;  Case 102 of switch 0040E696
0040E709   .  68 C0814400   push    004481C0                      ;  ASCII "recv packet 0102"
0040E70E   .  8B01          mov     eax, dword ptr [ecx]
0040E710   .  FF50 18       call    dword ptr [eax+18]
0040E713   .  8B8C24 940400>mov     ecx, dword ptr [esp+494]
0040E71A   .  8D56 02       lea     edx, dword ptr [esi+2]
0040E71D   .  83C1 FE       add     ecx, -2
0040E720   .  51            push    ecx
0040E721   .  52            push    edx
0040E722   .  8BCD          mov     ecx, ebp
0040E724   .  E8 97130000   call    0040FAC0
0040E729   .  33C9          xor     ecx, ecx
0040E72B   .  66:3B06       cmp     ax, word ptr [esi]
0040E72E   .  BB 01000000   mov     ebx, 1
0040E733   .  74 02         je      short 0040E737                ;  改 JMP
0040E735   .  8BCB          mov     ecx, ebx
0040E737   >  8B46 15       mov     eax, dword ptr [esi+15]
0040E73A   .  8B95 94200000 mov     edx, dword ptr [ebp+2094]
0040E740   .  F7D0          not     eax
0040E742   .  83C0 02       add     eax, 2
0040E745   .  3BC2          cmp     eax, edx
0040E747   .  74 02         je      short 0040E74B                ;  改 JMP
0040E749   .  8BCB          mov     ecx, ebx
0040E74B   >  8B46 0D       mov     eax, dword ptr [esi+D]
0040E74E   .  85C9          test    ecx, ecx
0040E750   .  8945 10       mov     dword ptr [ebp+10], eax
0040E753   .  74 17         je      short 0040E76C                ;  改 JMP
0040E755   .  8B4D 08       mov     ecx, dword ptr [ebp+8]
0040E758   .  33C0          xor     eax, eax
0040E75A   .  8945 48       mov     dword ptr [ebp+48], eax
0040E75D   .  8945 10       mov     dword ptr [ebp+10], eax
0040E760   .  8B01          mov     eax, dword ptr [ecx]
0040E762   .  68 A4814400   push    004481A4                      ;  登入動力伺服器失敗,資料錯誤
0040E767   .  E9 24010000   jmp     0040E890
0040E76C   >  8A46 0C       mov     al, byte ptr [esi+C]          ;  封包+C
0040E76F   .  84C0          test    al, al
0040E771   .  0F85 8A000000 jnz     0040E801                      ;  NOP
0040E777   .  8B4E 0D       mov     ecx, dword ptr [esi+D]        ;  封包+D
0040E77A   .  895D 04       mov     dword ptr [ebp+4], ebx
0040E77D   .  894D 10       mov     dword ptr [ebp+10], ecx
0040E780   .  8B56 11       mov     edx, dword ptr [esi+11]       ;  封包+11
0040E783   .  8955 40       mov     dword ptr [ebp+40], edx
0040E786   .  FFD7          call    edi
0040E788   .  8B4D 08       mov     ecx, dword ptr [ebp+8]
0040E78B   .  8945 44       mov     dword ptr [ebp+44], eax
0040E78E   .  68 90814400   push    00448190
0040E793   .  8B01          mov     eax, dword ptr [ecx]
0040E795   .  FF50 1C       call    dword ptr [eax+1C]
0040E798   .  8B4D 40       mov     ecx, dword ptr [ebp+40]
0040E79B   .  BB 3C000000   mov     ebx, 3C
0040E7A0   .  8BC1          mov     eax, ecx
0040E7A2   .  99            cdq
0040E7A3   .  F7FB          idiv    ebx
0040E7A5   .  B8 89888888   mov     eax, 88888889
0040E7AA   .  52            push    edx                           ; /<%d>
0040E7AB   .  F7E9          imul    ecx                           ; |
0040E7AD   .  03D1          add     edx, ecx                      ; |
0040E7AF   .  C1FA 05       sar     edx, 5                        ; |
0040E7B2   .  8BCA          mov     ecx, edx                      ; |
0040E7B4   .  C1E9 1F       shr     ecx, 1F                       ; |
0040E7B7   .  03D1          add     edx, ecx                      ; |
0040E7B9   .  52            push    edx                           ; |<%d>
0040E7BA   .  8D5424 24     lea     edx, dword ptr [esp+24]       ; |
0040E7BE   .  68 78814400   push    00448178                      ; |可使用動力%d小時%d分鐘
0040E7C3   .  52            push    edx                           ; |s
0040E7C4   .  FF15 3C6D4300 call    dword ptr [<&msvcrt.sprintf>] ; \sprintf
0040E7CA   .  8B4D 08       mov     ecx, dword ptr [ebp+8]
0040E7CD   .  83C4 10       add     esp, 10
0040E7D0   .  8D5424 1C     lea     edx, dword ptr [esp+1C]
0040E7D4   .  8B01          mov     eax, dword ptr [ecx]
0040E7D6   .  52            push    edx
0040E7D7   .  FF50 1C       call    dword ptr [eax+1C]
0040E7DA   .  8A46 15       mov     al, byte ptr [esi+15]
0040E7DD   .  8B4D 08       mov     ecx, dword ptr [ebp+8]
0040E7E0   .  8845 50       mov     byte ptr [ebp+50], al
0040E7E3   .  8B11          mov     edx, dword ptr [ecx]
0040E7E5   .  FF52 14       call    dword ptr [edx+14]
0040E7E8   .  BB 01000000   mov     ebx, 1
0040E7ED   .  895D 48       mov     dword ptr [ebp+48], ebx
0040E7F0   .  FFD7          call    edi
0040E7F2   .  8945 3C       mov     dword ptr [ebp+3C], eax
0040E7F5   .  C745 4C 00000>mov     dword ptr [ebp+4C], 0
0040E7FC   .  E9 92000000   jmp     0040E893

....

0040E893   > \395D 1C       cmp     dword ptr [ebp+1C], ebx
0040E896   .  0F85 F3050000 jnz     0040EE8F                      ;  NOP
0040E89C   .  C745 1C 00000>mov     dword ptr [ebp+1C], 0
0040E8A3   .  E9 E7050000   jmp     0040EE8F                      ;  跳到 Default case

搜尋字串 recv packet 108

0040E8A8   > \8B4D 08       mov     ecx, dword ptr [ebp+8]        ;  Case 108 of switch 0040E696
0040E8AB   .  68 3C814400   push    0044813C                      ;  ASCII "recv packet 108"
0040E8B0   .  8B11          mov     edx, dword ptr [ecx]
0040E8B2   .  FF52 18       call    dword ptr [edx+18]
0040E8B5   .  8B8424 940400>mov     eax, dword ptr [esp+494]
0040E8BC   .  8D4E 02       lea     ecx, dword ptr [esi+2]
0040E8BF   .  83C0 FE       add     eax, -2
0040E8C2   .  50            push    eax
0040E8C3   .  51            push    ecx
0040E8C4   .  8BCD          mov     ecx, ebp
0040E8C6   .  E8 F5110000   call    0040FAC0
0040E8CB   .  66:3B06       cmp     ax, word ptr [esi]
0040E8CE   .  895C24 10     mov     dword ptr [esp+10], ebx
0040E8D2   .  B9 01000000   mov     ecx, 1
0040E8D7   .  74 04         je      short 0040E8DD                ;  改JMP
0040E8D9   .  894C24 10     mov     dword ptr [esp+10], ecx
0040E8DD   >  8B46 15       mov     eax, dword ptr [esi+15]
0040E8E0   .  8B95 94200000 mov     edx, dword ptr [ebp+2094]
0040E8E6   .  F7D0          not     eax
0040E8E8   .  83C0 02       add     eax, 2
0040E8EB   .  3BC2          cmp     eax, edx
0040E8ED   .  74 04         je      short 0040E8F3                ;  改JMP
0040E8EF   .  894C24 10     mov     dword ptr [esp+10], ecx
0040E8F3   >  8B55 28       mov     edx, dword ptr [ebp+28]
0040E8F6   .  33C0          xor     eax, eax
0040E8F8   .  8B5A F8       mov     ebx, dword ptr [edx-8]
0040E8FB   .  85DB          test    ebx, ebx
0040E8FD   .  7E 12         jle     short 0040E911
0040E8FF   >  8A0C02        mov     cl, byte ptr [edx+eax]
0040E902   .  384C06 19     cmp     byte ptr [esi+eax+19], cl
0040E906   .  0F85 15010000 jnz     0040EA21                      ;  NOP
0040E90C   .  40            inc     eax
0040E90D   .  3BC3          cmp     eax, ebx
0040E90F   .^ 7C EE         jl      short 0040E8FF
0040E911   >  8B4424 10     mov     eax, dword ptr [esp+10]
0040E915   .  85C0          test    eax, eax
0040E917   .  0F85 04010000 jnz     0040EA21                      ;  NOP
0040E91D   .  8A46 0C       mov     al, byte ptr [esi+C]
0040E920   .  84C0          test    al, al
0040E922   .  0F85 8D000000 jnz     0040E9B5                      ;  NOP
0040E928   .  8B56 0D       mov     edx, dword ptr [esi+D]
0040E92B   .  C745 04 01000>mov     dword ptr [ebp+4], 1
0040E932   .  8955 10       mov     dword ptr [ebp+10], edx
0040E935   .  8B46 11       mov     eax, dword ptr [esi+11]
0040E938   .  8945 40       mov     dword ptr [ebp+40], eax
0040E93B   .  FFD7          call    edi
0040E93D   .  8B4D 40       mov     ecx, dword ptr [ebp+40]
0040E940   .  8945 44       mov     dword ptr [ebp+44], eax
0040E943   .  8BC1          mov     eax, ecx
0040E945   .  BB 3C000000   mov     ebx, 3C
0040E94A   .  99            cdq
0040E94B   .  F7FB          idiv    ebx
0040E94D   .  B8 89888888   mov     eax, 88888889
0040E952   .  52            push    edx                           ; /<%d>
0040E953   .  F7E9          imul    ecx                           ; |
0040E955   .  03D1          add     edx, ecx                      ; |
0040E957   .  C1FA 05       sar     edx, 5                        ; |
0040E95A   .  8BCA          mov     ecx, edx                      ; |
0040E95C   .  C1E9 1F       shr     ecx, 1F                       ; |
0040E95F   .  03D1          add     edx, ecx                      ; |
0040E961   .  52            push    edx                           ; |<%d>
0040E962   .  8D5424 24     lea     edx, dword ptr [esp+24]       ; |
0040E966   .  68 24814400   push    00448124                      ; |可使用動力%d小時%d分鐘
0040E96B   .  52            push    edx                           ; |s
0040E96C   .  FF15 3C6D4300 call    dword ptr [<&msvcrt.sprintf>] ; \sprintf
0040E972   .  8B4D 08       mov     ecx, dword ptr [ebp+8]
0040E975   .  83C4 10       add     esp, 10
0040E978   .  8D5424 1C     lea     edx, dword ptr [esp+1C]
0040E97C   .  8B01          mov     eax, dword ptr [ecx]
0040E97E   .  52            push    edx
0040E97F   .  FF50 1C       call    dword ptr [eax+1C]
0040E982   .  8A46 15       mov     al, byte ptr [esi+15]
0040E985   .  8845 50       mov     byte ptr [ebp+50], al
0040E988   .  8A4E 15       mov     cl, byte ptr [esi+15]
0040E98B   .  884D 50       mov     byte ptr [ebp+50], cl
0040E98E   .  8B4D 08       mov     ecx, dword ptr [ebp+8]
0040E991   .  8B11          mov     edx, dword ptr [ecx]
0040E993   .  FF52 14       call    dword ptr [edx+14]
0040E996   .  FFD7          call    edi
0040E998   .  8945 3C       mov     dword ptr [ebp+3C], eax
0040E99B   .  C745 48 01000>mov     dword ptr [ebp+48], 1
0040E9A2   .  C745 4C 00000>mov     dword ptr [ebp+4C], 0
0040E9A9   .  C745 1C 00000>mov     dword ptr [ebp+1C], 0
0040E9B0   .  E9 DA040000   jmp     0040EE8F                      ;  跳到 Default case

0040EA21   mov dword ptr [ebp+48], 0

改為

0040EA21   mov dword ptr [ebp+48], 1

==========================
recv packet 0102 MEM Patch
==========================

0040E733 EB

0040E747 EB

0040E753 EB

0040E771 90 90 90 90 90 90

0040E896 90 90 90 90 90 90

==========================

=========================
recv packet 108 MEM Patch
=========================

0040E8D7 EB

0040E8ED EB

0040E917 90 90 90 90 90 90

0040E922 90 90 90 90 90 90

0040EA21 C7 45 48 01

=========================

+++++++++++++++++++++++++++++++++++++++++++++++++++
四 102 108 Packet Patch <非必要>

A 方式一

搜尋字串 recv packet 0102
找到下面第一個 Call

0040E709   .  68 C0814400   push    004481C0                         ; ASCII "recv packet 0102"
0040E70E   .  8B01          mov     eax, dword ptr [ecx]
0040E710   .  FF50 18       call    dword ptr [eax+18]
0040E713   .  8B8C24 940400>mov     ecx, dword ptr [esp+494]
0040E71A   .  8D56 02       lea     edx, dword ptr [esi+2]
0040E71D   .  83C1 FE       add     ecx, -2
0040E720   .  51            push    ecx
0040E721   .  52            push    edx
0040E722   .  8BCD          mov     ecx, ebp
0040E724      E8 F7760200   call    00435E20                         ; 這裡改為 Call Patch

搜尋字串 recv packet 108
找到下面第一個 Call

0040E8AB   .  68 3C814400   push    0044813C                         ;  ASCII "recv packet 108"
0040E8B0   .  8B11          mov     edx, dword ptr [ecx]
0040E8B2   .  FF52 18       call    dword ptr [edx+18]
0040E8B5   .  8B8424 940400>mov     eax, dword ptr [esp+494]
0040E8BC   .  8D4E 02       lea     ecx, dword ptr [esi+2]
0040E8BF   .  83C0 FE       add     eax, -2
0040E8C2   .  50            push    eax
0040E8C3   .  51            push    ecx
0040E8C4   .  8BCD          mov     ecx, ebp
0040E8C6      E8 55750200   call    00435E20                         ; 這裡改為 Call Patch

<Patch>

00435E20      66:C706 C4A7  mov     word ptr [esi], 0A7C4            ;  封包頭 Key <長度4個位元組>
00435E25      C646 0C 00    mov     byte ptr [esi+C], 0              ;  0=認證通過 1=資料比對錯誤 2=帳號到期
00435E29      C746 0D 28C00 mov     dword ptr [esi+D], 3C028         ;  動力註冊序號
00435E30      C746 11 84270 mov     dword ptr [esi+11], 92784        ;  剩餘可用時間 以分鐘計16進位
00435E37      C746 15 39C4E mov     dword ptr [esi+15], ADE4C439     ;  動力認證 KEY2
00435E3E      C746 19 73616 mov     dword ptr [esi+19], 69666173     ;  動力認證遊戲帳號 <最多20個位元組>
00435E45      C746 1D 6E616 mov     dword ptr [esi+1D], 6F63616E
00435E4C      C746 21 6F6C0 mov     dword ptr [esi+21], 6C6F
00435E53      C746 25 00000 mov     dword ptr [esi+25], 0
00435E5A      C746 29 00000 mov     dword ptr [esi+29], 0
00435E61    ^ E9 5A9CFDFF   jmp     0040FAC0

==========================
102 & 108 Packet MEM Patch
==========================
0040E724

E8 F7 76 02 00

0040E8C6

E8 55 75 02 00

00435E20

[CODE]66 C7 06 C4 A7 C6 46 0C 00 C7 46 0D 28 C0 03 00 C7 46 11 84 27 09 00 C7 46

15 39 C4 E4 AD C7 46
19 73 61 66 69 C7 46 1D 6E 61 63 6F C7 46 21 6F 6C 00 00 C7 46 25 00 00 00 00 C7 46 29 00 00 00
00 E9 5A 9C FD FF[/CODE]

+++++++++++++++++++++++++++++++++++++++++++++++++++

B 方式二

<Patch>

00435E20      50                    push    eax
00435E21      51                    push    ecx
00435E22      52                    push    edx
00435E23      56                    push    esi
00435E24      33D2                  xor     edx, edx
00435E26      33C0                  xor     eax, eax
00435E28      B9 50606800           mov     ecx, 00686050
00435E2D      83FA 08               cmp     edx, 8
00435E30      74 0E                 je      short 00435E40
00435E32      83FA 0A               cmp     edx, 0A
00435E35      74 09                 je      short 00435E40
00435E37      83FA 2D               cmp     edx, 2D
00435E3A      74 0F                 je      short 00435E4B
00435E3C      8A01                  mov     al, byte ptr [ecx]
00435E3E      8806                  mov     byte ptr [esi], al
00435E40      83C2 01               add     edx, 1
00435E43      83C1 01               add     ecx, 1
00435E46      83C6 01               add     esi, 1
00435E49    ^ EB E2                 jmp     short 00435E2D
00435E4B      5E                    pop     esi
00435E4C      5A                    pop     edx
00435E4D      59                    pop     ecx
00435E4E      58                    pop     eax
00435E4F    ^ E9 6C9CFDFF           jmp     0040FAC0

50 51 52 56 33 D2 33 C0 B9 50 60 68 00 83 FA 08 74 0E 83 FA 0A 74 09 83 FA 2D 74 0F 8A 01 88 06
83 C2 01 83 C1 01 83 C6 01 EB E2 5E 5A 59 58 E9 6C 9C FD FF

======================
SRO.dll Patch
======================

一認證帳號修改 Patch

搜尋字串 %sconf\%s.cfg
找到

20040150  /$  56             push    esi
20040151  |.  8B7424 08      mov     esi, dword ptr [esp+8]
20040155  |.  57             push    edi
20040156  |.  56             push    esi
20040157  |.  E8 44FEFFFF    call    2003FFA0
2004015C  |.  8B7C24 14      mov     edi, dword ptr [esp+14]
20040160  |.  68 C0070920    push    200907C0
20040165  |.  57             push    edi
20040166  |.  FF15 10260820  call    dword ptr [20082610]
2004016C  |.  83C4 0C        add     esp, 0C
2004016F  |.  85C0           test    eax, eax
20040171  |.  57             push    edi
20040172  |.  56             push    esi
20040173  |.  75 12          jnz     short 20040187
20040175  |.  68 186A0920    push    20096A18                       ;  ASCII "%sconf\%s.cfg"
2004017A  |.  56             push    esi
2004017B  |.  FF15 34260820  call    dword ptr [20082634]
20040181  |.  83C4 10        add     esp, 10
20040184  |.  5F             pop     edi
20040185  |.  5E             pop     esi
20040186  |.  C3             retn
20040187  |>  68 7C440920    push    2009447C                       ;  ASCII "%sconf\%s"
2004018C  |.  56             push    esi
2004018D  |.  FF15 34260820  call    dword ptr [20082634]
20040193  |.  83C4 10        add     esp, 10
20040196  |.  5F             pop     edi
20040197  |.  5E             pop     esi
20040198  \.  C3             retn

往回找來源的第一個 Call
找到

20026350 >/$  6A FF          push    -1
20026352  |.  68 B8F10720    push    2007F1B8                       ;  SE 處理程序安裝
20026357  |.  64:A1 00000000 mov     eax, dword ptr fs:[0]
2002635D  |.  50             push    eax
2002635E  |.  64:8925 000000>mov     dword ptr fs:[0], esp
20026365  |.  81EC 24050000  sub     esp, 524
2002636B  |.  55             push    ebp
2002636C  |.  56             push    esi
2002636D  |.  57             push    edi
2002636E  |.  8BF1           mov     esi, ecx
20026370  |.  E8 826B0500    call    2007CEF7
20026375  |.  50             push    eax
20026376  |.  8D4C24 18      lea     ecx, dword ptr [esp+18]
2002637A  |.  E8 DD670500    call    2007CB5C
2002637F  |.  33ED           xor     ebp, ebp
20026381  |.  C74424 1C F443>mov     dword ptr [esp+1C], 200843F4
20026389  |.  89AC24 3805000>mov     dword ptr [esp+538], ebp
20026390  |.  896C24 20      mov     dword ptr [esp+20], ebp
20026394  |.  896C24 2C      mov     dword ptr [esp+2C], ebp
20026398  |.  896C24 28      mov     dword ptr [esp+28], ebp
2002639C  |.  896C24 24      mov     dword ptr [esp+24], ebp
200263A0  |.  8D4C24 0C      lea     ecx, dword ptr [esp+C]
200263A4  |.  C68424 3805000>mov     byte ptr [esp+538], 1
200263AC  |.  E8 E1640500    call    2007C892
200263B1  |.  8B86 28590100  mov     eax, dword ptr [esi+15928]
200263B7  |.  8D8E 28590100  lea     ecx, dword ptr [esi+15928]
200263BD  |.  C68424 3805000>mov     byte ptr [esp+538], 2
200263C5  |.  3968 F8        cmp     dword ptr [eax-8], ebp
200263C8  |.  0F84 D2000000  je      200264A0
200263CE  |.  55             push    ebp
200263CF  |.  E8 D4660500    call    2007CAA8
200263D4  |.  8D8C24 3001000>lea     ecx, dword ptr [esp+130]
200263DB  |.  50             push    eax                            ;  驗證帳號指標
200263DC  |.  51             push    ecx
200263DD  |.  E8 6E9D0100    call    20040150 在此處 Call Patch     ;  進入 %sconf\%s.cfg 代碼

===============================
200263DD 改為 call 20081298
===============================

Call Patch 代碼

20081298   $  50             push    eax                            ;  將通過動力認證的帳號字串寫入 EAX 指標位置
20081299   .  52             push    edx
2008129A   .  51             push    ecx
2008129B   .  B9 C0120820    mov     ecx, 200812C0                  ;  要寫入的帳號存放指標(帳號必須原動力註冊用戶)
200812A0   >  8A11           mov     dl, byte ptr [ecx]
200812A2   .  84D2           test    dl, dl
200812A4   .  74 0A          je      short 200812B0
200812A6   .  8810           mov     byte ptr [eax], dl
200812A8   .  83C0 01        add     eax, 1
200812AB   .  83C1 01        add     ecx, 1
200812AE   .^ EB F0          jmp     short 200812A0
200812B0   >  C600 00        mov     byte ptr [eax], 0
200812B3   .  59             pop     ecx
200812B4   .  5A             pop     edx
200812B5   .  58             pop     eax
200812B6   .^ E9 95EEFBFF    jmp     20040150                       ;  跳回 %sconf\%s.cfg 代碼
200812BB      90             nop
200812BC      90             nop
200812BD      90             nop
200812BE      90             nop
200812BF      90             nop
200812C0   .  64 65 76 69 6>ascii   "devilism",0                     ;  帳號字串 (必須與SRO.EXE的Ptach字串一樣)

50 52 51 B9 C0 12 08 20 8A 11 84 D2 74 0A 88 10 83 C0 01 83 C1 01 EB F0 C6 00 00 59 5A 58 E9 95
EE FB FF 90 90 90 90 90 64 65 76 69 6C 69 73 6D 00

二開始掛機按鈕 Patch

搜尋 cmp eax,2D 確認登入認證指標

2004EDDE  |> \83F8 2D       cmp     eax, 2D
2004EDE1  |.  75 57         jnz     short 2004EE3A
2004EDE3  |.  8B86 54040000 mov     eax, dword ptr [esi+454]    ;  認證指標 1=通過 0=不通過; Case 2D ('-') of switch
2004EDE9  |.  85C0          test    eax, eax
2004EDEB  |.  74 11         je      short 2004EDFE
2004EDED  |.  8B46 14       mov     eax, dword ptr [esi+14]
2004EDF0  |.  5E            pop     esi
2004EDF1  |.  C780 24D60000>mov     dword ptr [eax+D624], 1     ;  開始掛機記號 1=開始掛機 0=停止掛機
2004EDFB  |.  C2 0400       retn    4

登入認證代碼為 [e??+454] HEX 54 04 00 00

=================================

找到輸出表 # 47

2002B400 >/$  53            push    ebx                         ;  #47
2002B401  |.  56            push    esi
2002B402  |.  8BF1          mov     esi, ecx
2002B404  |.  57            push    edi
2002B405  |.  66:83BE 48390>cmp     word ptr [esi+3948], 0
2002B40D  |.  0F84 75040000 je      2002B888
2002B413  |.  E8 986A0000   call    #249
2002B418  |.  85C0          test    eax, eax
2002B41A  |.  0F85 68040000 jnz     2002B888
2002B420  |.  8B46 1C       mov     eax, dword ptr [esi+1C]
2002B423  |.  8B88 54040000 mov     ecx, dword ptr [eax+454]    ;  改為 mov dword ptr [eax+454],1
2002B429  |.  85C9          test    ecx, ecx                    ;  NOP
2002B42B  |.  0F84 57040000 je      2002B888                    ;  NOP
2002B431  |.  FF15 44200820 call    dword ptr [20082044]

=================================

搜尋 push 0C30

20065AD0  /$  6A 01         push    1
20065AD2  |.  68 300C0000   push    0C30
20065AD7  |.  E8 D86F0100   call    2007CAB4
20065ADC  |.  8BC8          mov     ecx, eax
20065ADE  |.  E8 25700100   call    2007CB08
20065AE3  \.  C3            retn

往回找來源的 Call
找到

200655A0   .  8B81 54040000 mov     eax, dword ptr [ecx+454]    ;  改為 mov  dword ptr [ecx+454],1
200655A6   .  85C0          test    eax, eax                    ;  nop
200655A8   .  74 07         je      short 200655B1              ;  nop
200655AA   >  8BCD          mov     ecx, ebp
200655AC   .  E8 1F050000   call    20065AD0                    ;  進入 push 0C30

2013-5-13 19:52

0

djpvd

雪币： 320

活跃值： (104)

能力值： (RANK：180 )

在线值：

发帖

133

回帖

447

粉丝

2

关注

私信

djpvd 4: 3 楼

Send Packet Patch II

004103C0   . /E9 DF590200   jmp     00435DA4                         ;  Send Packet JMP Patch
004103C5     |90            nop
004103C6     |90            nop

0041065E   . /E9 5C570200   jmp     00435DBF                         ;  Re send Packet JMP Patch
00410663     |90            nop

00435DA4
00435DA4   > \83EC 64       sub     esp, 64
00435DA7   .  8B4424 68     mov     eax, dword ptr [esp+68]
00435DAB   .  50            push    eax
00435DAC   .  51            push    ecx
00435DAD   .  52            push    edx
00435DAE   .  53            push    ebx
00435DAF   .  E8 27000000   call    00435DDB
00435DB4   .  5B            pop     ebx
00435DB5   .  5A            pop     edx
00435DB6   .  59            pop     ecx
00435DB7   .  58            pop     eax
00435DB8   .^ E9 0AA6FDFF   jmp     004103C7
00435DBD      00            db      00
00435DBE      00            db      00
00435DBF   >  8D96 B04E0000 lea     edx, dword ptr [esi+4EB0]
00435DC5   .  50            push    eax
00435DC6   .  51            push    ecx
00435DC7   .  52            push    edx
00435DC8   .  53            push    ebx
00435DC9   .  8BC2          mov     eax, edx
00435DCB   .  E8 0B000000   call    00435DDB
00435DD0   .  5B            pop     ebx
00435DD1   .  5A            pop     edx
00435DD2   .  59            pop     ecx
00435DD3   .  58            pop     eax
00435DD4   .^ E9 8BA8FDFF   jmp     00410664
00435DD9      00            db      00
00435DDA      00            db      00
00435DDB  /$  66:8178 0A 01>cmp     word ptr [eax+A], 101
00435DE1  |.  74 08         je      short 00435DEB
00435DE3  |.  66:8178 0A 07>cmp     word ptr [eax+A], 107
00435DE9  |.  75 27         jnz     short 00435E12
00435DEB  |>  B9 00506800   mov     ecx, 00685000                    ;  發送封包指標
00435DF0  |.  33D2          xor     edx, edx
00435DF2  |.  33DB          xor     ebx, ebx
00435DF4  |>  83FB 08       /cmp     ebx, 8
00435DF7  |.  74 0E         |je      short 00435E07
00435DF9  |.  83FB 0A       |cmp     ebx, 0A
00435DFC  |.  74 09         |je      short 00435E07
00435DFE  |.  83FB 47       |cmp     ebx, 47
00435E01  |.  74 0F         |je      short 00435E12
00435E03  |.  8A11          |mov     dl, byte ptr [ecx]
00435E05  |.  8810          |mov     byte ptr [eax], dl
00435E07  |>  83C0 01       |add     eax, 1
00435E0A  |.  83C1 01       |add     ecx, 1
00435E0D  |.  83C3 01       |add     ebx, 1
00435E10  |.^ EB E2         \jmp     short 00435DF4
00435E12  \>  C3            retn

========================
004103C0

E9 DF 59 02 00 90 90

0041065E

E9 5C 57 02 00 90

00435DA4

83 EC 64 8B 44 24 68 50 51 52 53 E8 27 00 00 00 5B 5A 59 58 E9 0A A6 FD FF 00 00 8D 96 B0 4E 00
00 50 51 52 53 8B C2 E8 0B 00 00 00 5B 5A 59 58 E9 8B A8 FD FF 00 00 66 81 78 0A 01 01 74 08 66
81 78 0A 07 01 75 27 B9 00 69 44 00 33 D2 33 DB 83 FB 08 74 0E 83 FB 0A 74 09 83 FB 47 74 0F 8A
11 88 10 83 C0 01 83 C1 01 83 C3 01 EB E2 C3

========================

102 & 108 Packet Patch II

0040E724   call    00435E15 <Call Patch>

0040E8C6   call    00435E15 <Call Patch>

00435E15   $  50            push    eax
00435E16   .  51            push    ecx
00435E17   .  52            push    edx
00435E18   .  56            push    esi
00435E19   .  33D2          xor     edx, edx
00435E1B   .  33C0          xor     eax, eax
00435E1D   .  B9 50506800   mov     ecx, 00685050                    ;  接收封包指標
00435E22   >  83FA 08       cmp     edx, 8
00435E25   .  74 0E         je      short 00435E35
00435E27   .  83FA 0A       cmp     edx, 0A
00435E2A   .  74 09         je      short 00435E35
00435E2C   .  83FA 2D       cmp     edx, 2D
00435E2F   .  74 0F         je      short 00435E40
00435E31   .  8A01          mov     al, byte ptr [ecx]
00435E33   .  8806          mov     byte ptr [esi], al
00435E35   >  83C2 01       add     edx, 1
00435E38   .  83C1 01       add     ecx, 1
00435E3B   .  83C6 01       add     esi, 1
00435E3E   .^ EB E2         jmp     short 00435E22
00435E40   >  5E            pop     esi
00435E41   .  5A            pop     edx
00435E42   .  59            pop     ecx
00435E43   .  58            pop     eax
00435E44   .^ E9 779CFDFF   jmp     0040FAC0

========================
0040E724

E8 EC 76 02 00

0040E8C6

E8 4A 75 02 00

00435E15

50 51 52 56 33 D2 33 C0 B9 50 69 44 00 83 FA 08 74 0E 83 FA 0A 74 09 83 FA 2D 74 0F 8A 01 88 06
83 C2 01 83 C1 01 83 C6 01 EB E2 5E 5A 59 58 E9 77 9C FD FF

========================

send packet

00685000

7C 22 47 00 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 02 00 00 00 64 65 76 69 6C 69 73 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 6D
7A 9E A6 1B DB 70 2D

recv packet

00685050

6D 53 2D 00 00 00 00 00 00 00 02 01 00 14 BE 03 00 65 68 03 00 1B DB 70 2D 64 65 76 69 6C 69 73
6D 00 00 00 00 00 00 00 00 00 00 00 00

發送與接收封包全寫在 .tls 區段

2013-5-13 19:57

0

djpvd

雪币： 320

活跃值： (104)

能力值： (RANK：180 )

在线值：

发帖

133

回帖

447

粉丝

2

关注

私信

djpvd 4: 4 楼

SRO 脫機主程式無法解密的時候就得打記憶體補丁下載附件然後修改

=========================================
SRO-Trainer Patch For SRO.EXE v1.69d
=========================================

packet 102 Code Patch

0040153A   $  6A 00         push    0                                ; /# 102 case Patch
0040153C   .  6A 01         push    1                                ; |BytesToWrite = 1
0040153E   .  68 00504000   push    00405000                         ; |Buffer = SRO-Trai.00405000
00401543   .  68 33E74000   push    0040E733                         ; |Address = 40E733
00401548   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
0040154E   .  E8 9AFFFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
00401553   .  6A 00         push    0                                ; /pBytesWritten = NULL
00401555   .  6A 01         push    1                                ; |BytesToWrite = 1
00401557   .  68 00504000   push    00405000                         ; |Buffer = SRO-Trai.00405000
0040155C   .  68 47E74000   push    0040E747                         ; |Address = 40E747
00401561   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
00401567   .  E8 81FFFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
0040156C   .  6A 00         push    0                                ; /pBytesWritten = NULL
0040156E   .  6A 01         push    1                                ; |BytesToWrite = 1
00401570   .  68 00504000   push    00405000                         ; |Buffer = SRO-Trai.00405000
00401575   .  68 53E74000   push    0040E753                         ; |Address = 40E753
0040157A   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
00401580   .  E8 68FFFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
00401585   .  6A 00         push    0                                ; /pBytesWritten = NULL
00401587   .  6A 06         push    6                                ; |BytesToWrite = 6
00401589   .  68 10504000   push    00405010                         ; |Buffer = SRO-Trai.00405010
0040158E   .  68 71E74000   push    0040E771                         ; |Address = 40E771
00401593   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
00401599   .  E8 4FFFFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
0040159E   .  6A 00         push    0                                ; /pBytesWritten = NULL
004015A0   .  6A 06         push    6                                ; |BytesToWrite = 6
004015A2   .  68 10504000   push    00405010                         ; |Buffer = SRO-Trai.00405010
004015A7   .  68 96E84000   push    0040E896                         ; |Address = 40E896
004015AC   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
004015B2   .  E8 36FFFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory

packet 108 Code Patch

004015B7   .  6A 00         push    0                                ; /# 108 case Patch
004015B9   .  6A 01         push    1                                ; |BytesToWrite = 1
004015BB   .  68 00504000   push    00405000                         ; |Buffer = SRO-Trai.00405000
004015C0   .  68 D7E84000   push    0040E8D7                         ; |Address = 40E8D7
004015C5   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
004015CB   .  E8 1DFFFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
004015D0   .  6A 00         push    0                                ; /pBytesWritten = NULL
004015D2   .  6A 01         push    1                                ; |BytesToWrite = 1
004015D4   .  68 00504000   push    00405000                         ; |Buffer = SRO-Trai.00405000
004015D9   .  68 EDE84000   push    0040E8ED                         ; |Address = 40E8ED
004015DE   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
004015E4   .  E8 04FFFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
004015E9   .  6A 00         push    0                                ; /pBytesWritten = NULL
004015EB   .  6A 06         push    6                                ; |BytesToWrite = 6
004015ED   .  68 10504000   push    00405010                         ; |Buffer = SRO-Trai.00405010
004015F2   .  68 17E94000   push    0040E917                         ; |Address = 40E917
004015F7   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
004015FD   .  E8 EBFEFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
00401602   .  6A 00         push    0                                ; /pBytesWritten = NULL
00401604   .  6A 06         push    6                                ; |BytesToWrite = 6
00401606   .  68 10504000   push    00405010                         ; |Buffer = SRO-Trai.00405010
0040160B   .  68 22E94000   push    0040E922                         ; |Address = 40E922
00401610   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
00401616   .  E8 D2FEFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
0040161B   .  6A 00         push    0                                ; /pBytesWritten = NULL
0040161D   .  6A 04         push    4                                ; |BytesToWrite = 4
0040161F   .  68 18504000   push    00405018                         ; |Buffer = SRO-Trai.00405018
00401624   .  68 21EA4000   push    0040EA21                         ; |Address = 40EA21
00401629   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
0040162F   .  E8 B9FEFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory

check time relogin Code Patch

00401634   .  6A 00         push    0                                ; /# check time relogin Patch
00401636   .  6A 14         push    14                               ; |BytesToWrite = 14 (20.)
00401638   .  68 20504000   push    00405020                         ; |Buffer = SRO-Trai.00405020
0040163D   .  68 8EF44000   push    0040F48E                         ; |Address = 40F48E
00401642   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
00401648   .  E8 A0FEFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory

dl send data Patch

0040164D   .  6A 00         push    0                                ; /# dl send data Patch
0040164F   .  6A 65         push    65                               ; |BytesToWrite = 65 (101.)
00401651   .  68 40504000   push    00405040                         ; |Buffer = Trainer-.00405040
00401656   .  68 A45D4300   push    435DA4                           ; |Address = 435DA4
0040165B   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
00401661   .  E8 87FEFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
00401666   .  6A 00         push    0                                ; /pBytesWritten = NULL
00401668   .  6A 07         push    7                                ; |BytesToWrite = 7
0040166A   .  68 B0504000   push    004050B0                         ; |Buffer = Trainer-.004050B0
0040166F   .  68 C0034100   push    004103C0                         ; |Address = 4103C0
00401674   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
0040167A   .  E8 6EFEFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
0040167F   .  6A 00         push    0                                ; /pBytesWritten = NULL
00401681   .  6A 06         push    6                                ; |BytesToWrite = 6
00401683   .  68 B8504000   push    004050B8                         ; |Buffer = Trainer-.004050B8
00401688   .  68 5E064100   push    0041065E                         ; |Address = 41065E
0040168D   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
00401693   .  E8 55FEFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory

102 & 108 Packet Patch

00401698   .  6A 00         push    0                                ; /# 102 & 108 Packet Patch
0040169A   .  6A 34         push    34                               ; |BytesToWrite = 34 (52.)
0040169C   .  68 C0504000   push    004050C0                         ; |Buffer = Trainer-.004050C0
004016A1   .  68 205E4300   push    435E20                           ; |Address = 435E20
004016A6   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
004016AC   .  E8 3CFEFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
004016B1   .  6A 00         push    0                                ; /pBytesWritten = NULL
004016B3   .  6A 00         push    0                                ; |BytesToWrite = 0
004016B5   .  68 00514000   push    00405100                         ; |Buffer = Trainer-.00405100
004016BA   .  68 24E74000   push    0040E724                         ; |Address = 40E724
004016BF   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
004016C5   .  E8 23FEFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory
004016CA   .  6A 00         push    0                                ; /pBytesWritten = NULL
004016CC   .  6A 00         push    0                                ; |BytesToWrite = 0
004016CE   .  68 08514000   push    00405108                         ; |Buffer = Trainer-.00405108
004016D3   .  68 C6E84000   push    0040E8C6                         ; |Address = 40E8C6
004016D8   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
004016DE   .  E8 0AFEFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory

send packet

004016E3   .  6A 00         push    0                                ; /# send packet
004016E5   .  6A 47         push    47                               ; |BytesToWrite = 47 (71.)
004016E7   .  68 10514000   push    00405110                         ; |Buffer = Trainer-.00405110
004016EC      68 00606800   push    686000
004016F1   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
004016F7   .  E8 F1FDFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory

recv packet

004016FC   .  6A 00         push    0                                ; /# recv packet
004016FE   .  6A 2D         push    2D                               ; |BytesToWrite = 2D (45.)
00401700   .  68 60514000   push    00405160                         ; |Buffer = Trainer-.00405160
00401705      68 50606800   push    686050
0040170A   .  FF35 22234000 push    dword ptr [402322]               ; |hProcess = NULL
00401710   .  E8 D8FDFFFF   call    <jmp.&kernel32.WriteProcessMemor>; \WriteProcessMemory

jmp 00401066 <ExitCode = 0>

Patch Code <5000h>
EB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 90 90 90 90 90 00 00 C7 45 48 01 00 00 00 00
C7 46 48 01 00 00 00 C7 46 4C 00 00 00 00 E9 36 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 00
83 EC 64 8B 44 24 68 50 51 52 53 E8 27 00 00 00 5B 5A 59 58 E9 0A A6 FD FF 00 00 8D 96 B0 4E 00
00 50 51 52 53 8B C2 E8 0B 00 00 00 5B 5A 59 58 E9 8B A8 FD FF 00 00 66 81 78 0A 01 01 74 08 66
81 78 0A 07 01 75 1D B9 00 60 68 00 33 D2 33 DB 83 FB 47 74 0F 8A 11 88 10 83 C0 01 83 C1 01 83
C3 01 EB EC C3 00 00 00 00 00 00 00 00 00 00 00 E9 DF 59 02 00 90 90 00 E9 5C 57 02 00 90 00 00
50 51 52 56 33 D2 33 C0 B9 50 60 68 00 83 FA 08 74 0E 83 FA 0A 74 09 83 FA 2D 74 0F 8A 01 88 06
83 C2 01 83 C1 01 83 C6 01 EB E2 5E 5A 59 58 E9 6C 9C FD FF 00 00 00 00 00 00 00 00 00 00 00 00
E8 F7 76 02 00 00 00 00 E8 55 75 02 00 00 00 00 CD 56 47 00 00 00 00 00 00 00 01 01 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 73 61 66 69 6E 61
63 6F 6F 6C 00 00 00 00 00 00 00 00 00 00 00 3F A3 6E 6E 39 C4 E4 AD 00 00 00 00 00 00 00 00 00
C4 A7 2D 00 00 00 00 00 C7 03 02 01 00 28 C0 03 00 BE 34 04 00 39 C4 E4 AD 73 61 66 69 6E 61 63
6F 6F 6C 00 00 00 00 00 00 00 00 00 00 00 00 00

=========================
SRO-Trainer 處理代碼解析
=========================

0040113C   > \6A 70         push    70                               ; /Key = VK_F1
0040113E   .  E8 EC030000   call    <jmp.&user32.GetAsyncKeyState>   ; \GetAsyncKeyState
00401143   .  83F8 00       cmp     eax, 0
00401146   .  74 05         je      short 0040114D
00401148   .  E8 ED030000   call    0040153A                         ;  進入Patch代碼

kernel32.WriteProcessMemor 函數分析

0040153A   $  6A 00         push    0                                 ; /pBytesWritten = NULL
0040153C   .  6A 59         push    59                                ; |BytesToWrite = 要寫入的 Patch 位元組長度
0040153E   .  68 30504000   push    00405030                          ; |Buffer = SRO-Trai.00405030 已寫好的 Patch 的指標
00401543   .  68 A25D4300   push    435DA2                            ; |Address = SRO.EXE 要 Patch 的位址
00401548   .  FF35 22234000 push    dword ptr [402322]                ; |hProcess = NULL
0040154E   .  E8 9AFFFFFF   call    <jmp.&kernel32.WriteProcessMemor> ; \WriteProcessMemory

上传的附件：

Trainer.v1.74.rar （35.54kb，27次下载）

2013-5-13 20:00

0

djpvd

雪币： 320

活跃值： (104)

能力值： (RANK：180 )

在线值：

发帖

133

回帖

447

粉丝

2

关注

私信

djpvd 4: 5 楼

======================
sro.dll 無法用OD載入脫殼時
======================
1. DLL 無法載入原因輸出表還原實際大小即可

2. SRO.DLL OEP 入口點代碼
hex

8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6

2013-5-13 20:02

0

djpvd

雪币： 320

活跃值： (104)

能力值： (RANK：180 )

在线值：

发帖

133

回帖

447

粉丝

2

关注

私信

djpvd 4: 6 楼

封包分析

========================================================================
send <發送封包>

      +0 +1 +2 +3 +4 +5 +6 +7 +8 +9 +A +B +C +D +E +F
0000  3B 92 47 00 00 00 00 00 2E 00 08 01 00 00 00 00    ;.G.............
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0020  00 00 00 00 00 00 02 00 00 00 70 76 64 32 30 30    ..........pvd200
0030  37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BA    7...............
0040  2C 12 3E BC 52 40 C4                               ,.>k.Z.

------------------------------------------------------------------------
+00 位置 3B 92 發送認證封包的 KEY
+02 位置 47 為封包長度
+08 位置 2E 為封包發送次數
+0A 位置 08 01 為 Case 代碼
+26 位置為外掛種類識別 01=內掛 02=脫機
+2A 位置為遊戲帳號字串
+3F 位置為動力註冊認證 KEY1
+43 位置為動力註冊認證 KEY2

------------------------------------------------------------------------
Patch 目標
+00 封包頭 KEY
+26 掛機種類
+2A 動力註冊帳號
+3F 註冊認證 KEY1
+43 註冊認證 KEY2
========================================================================

========================================================================
Recv <接收封包>

      +0 +1 +2 +3 +4 +5 +6 +7 +8 +9 +A +B +C +D +E +F
0000  83 FB 2D 00 00 00 00 00 00 00 02 01 00 75 26 02    ..-..........u&.
0010  00 66 5C 03 00 BC 52 40 C4 61 30 39 33 34 31 37    .f\...R@.a093417
0020  38 32 31 35 00 00 00 00 00 00 00 00 00             8215.........

------------------------------------------------------------------------
+00 位置 83 FB 接收認證封包的 KEY
+02 位置 2D 為封包長度
+0A 位置 02 01 為 Case 代碼
+0C 位置為帳號註冊狀態 02 為帳號到期 01 為資料錯誤 00 為註冊可用帳號
+0D 位置 75 26 02 00 動力註冊序號 (每個註冊用戶都有一個序號)
+11 位置 66 5C 03 00 為剩餘時間(以分鐘計算)
+15 位置 BC 52 40 C4 為動力註冊認證 KEY2
+19 位置 61 30 39 33 34 31 37 38 32 31 35 動力註冊帳號(遊戲帳號)
------------------------------------------------------------------------
Patch 目標 (非必要)
+00 封包頭 KEY
+0C 認證帳號註冊狀態
+0D 動力註冊序號
+11 剩餘時間 <必須有時間才會運作>
+15 動力註冊認證 KEY2
+19 動力註冊帳號(遊戲帳號)
========================================================================

其實說真的有些DEBUG專業名詞我也搞不懂這一切都是誤打誤撞長期觀察加點幻想搞出這些東西出來的

像上面什麼Key....都是自己暫定名稱反正你看得懂就好

原理解說:

其實這個破解方式就是拿別人有註冊的帳號然後修改外掛讓外掛發送給動力伺服器有註冊的會員帳號

然後外掛就會收到伺服器正常註冊的封包讓外掛正常運作

因為卡在絲路官網有圖片驗證而外掛自動圖片驗證又是在動力伺服器上面怕外掛斷線重登時人不在旁邊沒辦法打驗證圖片文字

所以乾脆就用這個方法以前的版本沒有圖片驗證可以解Game.dat 現在做免驗證的麻煩

至於有註冊動力的帳號怎麼取得自己動腦想吧外掛本身就可以測試哪個帳號有沒有註冊勝多少時間了