Unpacking and cracking the Legend of Mir Qiangli cheat (传奇强力外挂) 7.22 (written for novices; experts need not read)
Posted: 2004-5-1 17:27
15914
Cracking environment:
OS: win2000sp4, win98se
Tools: Win32dasm893, Peid092, Stripper_v203, Untelock098, Pelord1.7, Trw2000
Notes: I've been bored stiff these last few days, so I went to an Internet cafe with friends to play (a Legend of Mir private server). Someone was shouting that somebody was using an assassination cheat; I had no idea what was going on, went out to have a look and, damn, before I knew it I was dead. After getting killed like that a few more times I was fed up~! A Baidu search showed that the Qiangli cheat has this feature, heh heh.... So that's why there's this article today, written for newcomers~! Experts, skip it~!
Cracking process: First I checked the main program and the DLL with Peid92; it reported tElock 0.98b, so naturally I took out Untelock and stripped it. Test run, no error. Heh heh, Untelock really is good, cleaner than my manual unpacks. Checked again: it reported Aspack 2.12. Haha, Stripper_203 supports this packer, so I used it to unpack. Unpacked the main program first; it reported success. Test run, no error; looks like my luck is good today~! Checked with Peid: VC++ 6.0. Good, the main program is clean. Now it was the DLL's turn. Took out Stripper_203 again; it reported success, but also said some files had not been unpacked. Closed Stripper_203 and tried running it: after 2 seconds an error box popped up saying some address was invalid. No choice but to switch to 98 and load it in TRW2000. Traced it a few times, crashed the machine a few times; ugh, 98 just doesn't cut it. Luckily a few days ago I had read some articles on the forum about unpacking Aspack 2.12 that said you have to copy part of the code~! Naturally I tried it: opened the DLL from the first unpack in Pelord1.7 and looked at its section information, compared it with the section information of the second DLL, and it turned out one section was missing. Used PeLord to dump the extra section from the first unpacked file, then wrote it into the DLL from the second unpack. Ran it again, no error~! Heh heh, unpacking done; now it's time to crack it~!
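The section comparison above was done by eye in PE Lord; as an added example (not from the original post or from any of the tools named), here is the same comparison in Python: parse the IMAGE_SECTION_HEADER table of two dumps and report the sections the second unpack dropped. The two PE files it runs on are constructed in-line with a hypothetical build_pe helper and contain no real code.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # 40 bytes per entry

def section_table(pe):
    """Map section name -> (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    first = coff + 20 + opt_size                 # section headers follow the optional header
    table = {}
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(pe, first + i * SECTION_HDR.size)
        table[name.rstrip(b"\0").decode("ascii", "replace")] = (va, vsize, rawptr, rawsize)
    return table

def missing_sections(complete_dump, partial_dump):
    """Sections present in the complete dump but absent from the partial one."""
    full, part = section_table(complete_dump), section_table(partial_dump)
    return {name: full[name] for name in full if name not in part}

def build_pe(sections):
    """Constructed sample: minimal PE32 with (name, VirtualAddress, VirtualSize) sections,
    zero-filled raw data, file-aligned at 0x200. Not a real binary."""
    opt_size = 0xE0
    hdr_end = 0x40 + 4 + 20 + opt_size + SECTION_HDR.size * len(sections)
    raw_off = (hdr_end + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # PE32 magic, rest zeroed
    hdrs, body = b"", b""
    for name, va, vsize in sections:
        rawsize = (vsize + 0x1FF) & ~0x1FF
        hdrs += SECTION_HDR.pack(name, vsize, va, rawsize, raw_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += b"\0" * rawsize
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(raw_off, b"\0") + body

if __name__ == "__main__":
    full = build_pe([(b".text", 0x1000, 0x5000), (b".rdata", 0x6000, 0x1000), (b".data", 0x7000, 0x800), (b".rsrc", 0x8000, 0x400)])
    part = build_pe([(b".text", 0x1000, 0x5000), (b".rdata", 0x6000, 0x1000), (b".data", 0x7000, 0x800)])
    for name, (va, vsize, rawptr, rawsize) in missing_sections(full, part).items():
        print(f"dropped section {name}: VA={va:#x} VSize={vsize:#x} raw@{rawptr:#x} ({rawsize:#x} bytes)")
```

To use it on real dumps, read both files with open(path, "rb").read() and pass them to missing_sections; the reported PointerToRawData/SizeOfRawData range is the slice to copy out of the complete dump.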
First run it and enter the game, then type in any username and password; it prompts: no such user. Naturally now take out W32dasm, disassemble it, and find the place where the error prompt is, as follows:
:10005A48 8B1500770210 mov edx, dword ptr [10027700]
:10005A4E 899550FFFFFF mov dword ptr [ebp+FFFFFF50], edx
:10005A54 8B8550FFFFFF mov eax, dword ptr [ebp+FFFFFF50]
:10005A5A 83E801 sub eax, 00000001
:10005A5D 898550FFFFFF mov dword ptr [ebp+FFFFFF50], eax
:10005A63 83BD50FFFFFF03 cmp dword ptr [ebp+FFFFFF50], 00000003
:10005A6A 0F8718050000 ja 10005F88
:10005A70 8B8D50FFFFFF mov ecx, dword ptr [ebp+FFFFFF50]
:10005A76 FF248DE4690010 jmp dword ptr [4*ecx+100069E4]
* Possible StringData Ref from Data Obj ->"#FULL!"
|
:10005A7D 68B0A50110 push 1001A5B0
:10005A82 680C770210 push 1002770C
:10005A87 E894EE0000 call 10014920
:10005A8C 83C408 add esp, 00000008
:10005A8F 85C0 test eax, eax
:10005A91 750F jne 10005AA2
:10005A93 C705447D021001000000 mov dword ptr [10027D44], 00000001
:10005A9D E9E6040000 jmp 10005F88
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005A91(C)
|
* Possible StringData Ref from Data Obj ->"#FAIL!"
|
:10005AA2 68A8A50110 push 1001A5A8
:10005AA7 680C770210 push 1002770C
:10005AAC E86FEE0000 call 10014920
:10005AB1 83C408 add esp, 00000008
:10005AB4 85C0 test eax, eax
:10005AB6 7520 jne 10005AD8
:10005AB8 6A10 push 00000010
* Possible StringData Ref from Data Obj ->"失败"
|
:10005ABA 6860A40110 push 1001A460
* Possible StringData Ref from Data Obj ->"用户不存在!"
|
:10005ABF 6898A50110 push 1001A598
:10005AC4 8B5508 mov edx, dword ptr [ebp+08]
:10005AC7 52 push edx
* Reference To: user32.MessageBoxA, Ord:0000h
|
:10005AC8 FF1534A10110 Call dword ptr [1001A134]
:10005ACE 6A01 push 00000001
* Reference To: kernel32.ExitProcess, Ord:0000h
|
:10005AD0 FF15F0A00110 Call dword ptr [1001A0F0]
:10005AD6 EB6A jmp 10005B42
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005AB6(C)
|
* Possible StringData Ref from Data Obj ->"#TIME!"
|
:10005AD8 6890A50110 push 1001A590
:10005ADD 680C770210 push 1002770C
:10005AE2 E839EE0000 call 10014920
:10005AE7 83C408 add esp, 00000008
:10005AEA 85C0 test eax, eax
:10005AEC 7520 jne 10005B0E
:10005AEE 6A10 push 00000010
* Possible StringData Ref from Data Obj ->"失败"
|
:10005AF0 6860A40110 push 1001A460
* Possible StringData Ref from Data Obj ->"用户到期!"
|
:10005AF5 6884A50110 push 1001A584
:10005AFA 8B4508 mov eax, dword ptr [ebp+08]
:10005AFD 50 push eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:10005AFE FF1534A10110 Call dword ptr [1001A134]
:10005B04 6A01 push 00000001
* Reference To: kernel32.ExitProcess, Ord:0000h
|
:10005B06 FF15F0A00110 Call dword ptr [1001A0F0]
:10005B0C EB34 jmp 10005B42
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10005AEC(C)
|
* Possible StringData Ref from Data Obj ->"#GOOD!"
|
:10005B0E 687CA50110 push 1001A57C
:10005B13 680C770210 push 1002770C
:10005B18 E803EE0000 call 10014920
:10005B1D 83C408 add esp, 00000008
:10005B20 85C0 test eax, eax
:10005B22 741E je 10005B42
:10005B24 6A10 push 00000010
* Possible StringData Ref from Data Obj ->"失败"
|
:10005B26 6860A40110 push 1001A460
* Possible StringData Ref from Data Obj ->"未知错误!"
|
:10005B2B 6870A50110 push 1001A570
:10005B30 8B4D08 mov ecx, dword ptr [ebp+08]
:10005B33 51 push ecx
* Reference To: user32.MessageBoxA, Ord:0000h
|
:10005B34 FF1534A10110 Call dword ptr [1001A134]
:10005B3A 6A01 push 00000001
* Reference To: kernel32.ExitProcess, Ord:0000h
|
:10005B3C FF15F0A00110 Call dword ptr [1001A0F0]
Looking at the jump references, find the line 10005a91; above it there is:
10005A76 FF248DE4690010 jmp dword ptr [4*ecx+100069E4]
Search for 100069e4 in W32dasm
and you arrive at:
:100069E4 7D5A0010 DWORD 10005A7D
:100069E8 675B0010 DWORD 10005B67
:100069EC E65B0010 DWORD 10005BE6
:100069F0 175F0010 DWORD 10005F17
:100069F4 C9600010 DWORD 100060C9
:100069F8 7D600010 DWORD 1000607D
:100069FC 36690010 DWORD 10006936
:10006A00 B7600010 DWORD 100060B7
:10006A04 A5600010 DWORD 100060A5
:10006A08 AF660010 DWORD 100066AF
:10006A0C BA650010 DWORD 100065BA
:10006A10 29670010 DWORD 10006729
:10006A14 10690010 DWORD 10006910
:10006A18 40650010 DWORD 10006540
:10006A1C 98680010 DWORD 10006898
:10006A20 1E680010 DWORD 1000681E
:10006A24 A4670010 DWORD 100067A4
:10006A28 20690010 DWORD 10006920
:10006A2C 4F690010 DWORD 1000694F
See, this is a jump table; the entry at 100069e4 jumps straight to 10005a7d. Looking at the preceding code, pick out the key address 10027700: if the value stored at this address is 3, it jumps to the correct address.
Search backwards again for 10027700:
at line 100054d7 there is mov dword ptr [10027700], 00000001
All we have to do is change 00000001 to 00000003. Test run, heh heh, it works. For lack of time I'll stop here. For dynamic tracing, set the breakpoint at bpx 10005968; as long as the string stored at address 1002770C is #GOOD! it's a legitimate user. Go do the SMC yourselves. OK, that's all~!