Ability level: ( LV2,RANK:10 )
Post #2
The software isn't packed. After cracking it shows "registered successfully", but in practice it still limits access to 10 users. There are a few switch structures I can't make sense of. What I want to crack now is this count of 10; it should be monitoring the number of people connected to the server and refusing further connections once it reaches ten. Please give me some advice, experts, a hint would help. Don't make it too advanced, I'm a real beginner.
00421556 |. 83C0 CB add eax, -35 ; Switch (cases 35..40)
00421559 |. 83F8 0B cmp eax, 0B
0042155C |. 56 push esi
0042155D |. 0F87 AE000000 ja 00421611
00421563 |. FF2485 191642>jmp dword ptr [eax*4+421619]
0042156A |> 8B4D 08 mov ecx, dword ptr [ebp+8] ; Case 35 ('5') of switch 00421556
0042156D |. FF55 14 call dword ptr [ebp+14]
00421570 |. E9 98000000 jmp 0042160D
00421575 |> 8B4D 08 mov ecx, dword ptr [ebp+8] ; Case 36 ('6') of switch 00421556
00421578 |. FF55 14 call dword ptr [ebp+14]
0042157B |. E9 8B000000 jmp 0042160B
00421580 |> FF75 0C push dword ptr [ebp+C] ; Case 37 ('7') of switch 00421556
00421583 |. EB 75 jmp short 004215FA
00421585 |> FF75 0C push dword ptr [ebp+C] ; Case 38 ('8') of switch 00421556
00421588 |. EB 7B jmp short 00421605
0042158A |> 8B45 18 mov eax, dword ptr [ebp+18] ; Case 39 ('9') of switch 00421556
0042158D |. FF30 push dword ptr [eax]
0042158F |. 8B4D 08 mov ecx, dword ptr [ebp+8]
00421592 |. FF70 04 push dword ptr [eax+4]
00421595 |. FF55 14 call dword ptr [ebp+14]
00421598 |. EB 73 jmp short 0042160D
0042159A |> 8B45 18 mov eax, dword ptr [ebp+18] ; Case 3A (':') of switch 00421556
0042159D |. FF30 push dword ptr [eax]
0042159F |. 8B4D 08 mov ecx, dword ptr [ebp+8]
004215A2 |. FF70 04 push dword ptr [eax+4]
004215A5 |. FF55 14 call dword ptr [ebp+14]
004215A8 |. EB 61 jmp short 0042160B
004215AA |> 8B45 18 mov eax, dword ptr [ebp+18] ; Case 3B (';') of switch 00421556
004215AD |. FF30 push dword ptr [eax]
004215AF |. 8B4D 08 mov ecx, dword ptr [ebp+8]
004215B2 |. FF70 04 push dword ptr [eax+4]
004215B5 |. FF75 0C push dword ptr [ebp+C]
004215B8 |. FF55 14 call dword ptr [ebp+14]
004215BB |. EB 50 jmp short 0042160D
004215BD |> 8B45 18 mov eax, dword ptr [ebp+18] ; Case 3C ('<') of switch 00421556
004215C0 |. FF30 push dword ptr [eax]
004215C2 |. 8B4D 08 mov ecx, dword ptr [ebp+8]
004215C5 |. FF70 04 push dword ptr [eax+4]
004215C8 |. FF75 0C push dword ptr [ebp+C]
004215CB |. FF55 14 call dword ptr [ebp+14]
004215CE |. EB 3B jmp short 0042160B
004215D0 |> 8B75 18 mov esi, dword ptr [ebp+18] ; Case 3D ('=') of switch 00421556
004215D3 |. 8B4D 08 mov ecx, dword ptr [ebp+8]
004215D6 |. 56 push esi
004215D7 |. FF55 14 call dword ptr [ebp+14]
004215DA |. EB 0D jmp short 004215E9
004215DC |> FF75 0C push dword ptr [ebp+C] ; Case 3E ('>') of switch 00421556
004215DF |. 8B75 18 mov esi, dword ptr [ebp+18]
004215E2 |. 8B4D 08 mov ecx, dword ptr [ebp+8]
004215E5 |. 56 push esi
004215E6 |. FF55 14 call dword ptr [ebp+14]
004215E9 |> 33C0 xor eax, eax
004215EB |. 3946 1C cmp dword ptr [esi+1C], eax
004215EE |. 0F94C0 sete al
004215F1 |. 8366 1C 00 and dword ptr [esi+1C], 0
004215F5 |. EB 14 jmp short 0042160B
004215F7 |> FF75 18 push dword ptr [ebp+18] ; Case 3F ('?') of switch 00421556
004215FA |> 8B4D 08 mov ecx, dword ptr [ebp+8]
004215FD |. FF55 14 call dword ptr [ebp+14]
00421600 |. EB 0B jmp short 0042160D
00421602 |> FF75 18 push dword ptr [ebp+18] ; Case 40 ('@') of switch 00421556
00421605 |> 8B4D 08 mov ecx, dword ptr [ebp+8]
00421608 |. FF55 14 call dword ptr [ebp+14]
0042160B |> 8BF8 mov edi, eax
0042160D |> 8BC7 mov eax, edi
0042160F |. EB 02 jmp short 00421613
00421611 |> 33C0 xor eax, eax ; Default case of switch 00421556
00421613 |> 5E pop esi
00421614 |> 5F pop edi
00421615 |. 5D pop ebp
00421616 \. C2 1C00 retn 1C
00421619 . 6A154200 dd zlsrv2.0042156A ; Jump table used at 00421563
0042161D . 75154200 dd zlsrv2.00421575
00421621 . 80154200 dd zlsrv2.00421580
00421625 . 85154200 dd zlsrv2.00421585
00421629 . 8A154200 dd zlsrv2.0042158A
0042162D . 9A154200 dd zlsrv2.0042159A
00421631 . AA154200 dd zlsrv2.004215AA
00421635 . BD154200 dd zlsrv2.004215BD
00421639 . D0154200 dd zlsrv2.004215D0
0042163D . DC154200 dd zlsrv2.004215DC
00421641 . F7154200 dd zlsrv2.004215F7
00421645 . 02164200 dd zlsrv2.00421602
00421649 /$ 55 push ebp
0042164A |. 8BEC mov ebp, esp
0042164C |. 8B45 0C mov eax, dword ptr [ebp+C]
0042164F |. 83F8 FE cmp eax, -2 ; Switch (cases FFFFFFFD..FFFFFFFF)
00421652 |. 57 push edi
00421653 |. 8BF9 mov edi, ecx
00421655 |. 75 21 jnz short 00421678
00421657 |. E8 99310000 call 004247F5 ; Case FFFFFFFE of switch 0042164F
0042165C |. FF75 14 push dword ptr [ebp+14]
0042165F |. 8B80 38100000 mov eax, dword ptr [eax+1038]
00421665 |. FF75 10 push dword ptr [ebp+10]
00421668 |. 8B10 mov edx, dword ptr [eax]
0042166A |. FF75 08 push dword ptr [ebp+8]
0042166D |. 8BC8 mov ecx, eax
0042166F |. 57 push edi
00421670 |. FF52 04 call dword ptr [edx+4]
00421673 |. E9 BE000000 jmp 00421736
00421678 |> 83F8 FD cmp eax, -3
0042167B |. 53 push ebx
0042167C |. 56 push esi
0042167D |. 75 78 jnz short 004216F7
0042167F |. 8B5D 10 mov ebx, dword ptr [ebp+10] ; Case FFFFFFFD of switch 0042164F
00421682 |. 8B43 30 mov eax, dword ptr [ebx+30]
00421685 |. 8365 0C 00 and dword ptr [ebp+C], 0
00421689 |. 8945 10 mov dword ptr [ebp+10], eax
0042168C |. 8B07 mov eax, dword ptr [edi]
0042168E |. 8BCF mov ecx, edi
00421690 |. FF50 2C call dword ptr [eax+2C]
00421693 |. 8BF8 mov edi, eax
00421695 |. EB 57 jmp short 004216EE
00421697 |> 837D 0C 00 /cmp dword ptr [ebp+C], 0
0042169B |. 75 55 |jnz short 004216F2
0042169D |. 8B77 04 |mov esi, dword ptr [edi+4]
004216A0 |. EB 43 |jmp short 004216E5
004216A2 |> 837E 08 00 |/cmp dword ptr [esi+8], 0
004216A6 |. 74 44 ||je short 004216EC
004216A8 |. 837D 0C 00 ||cmp dword ptr [ebp+C], 0
004216AC |. 75 3E ||jnz short 004216EC
004216AE |. 3945 08 ||cmp dword ptr [ebp+8], eax
004216B1 |. 75 2F ||jnz short 004216E2
004216B3 |. 837D 10 00 ||cmp dword ptr [ebp+10], 0
004216B7 |. 75 07 ||jnz short 004216C0
004216B9 |. 833E 00 ||cmp dword ptr [esi], 0
004216BC |. 74 17 ||je short 004216D5
004216BE |. EB 22 ||jmp short 004216E2
004216C0 |> 8B06 ||mov eax, dword ptr [esi]
004216C2 |. 85C0 ||test eax, eax
004216C4 |. 74 1C ||je short 004216E2
004216C6 |. 50 ||push eax
004216C7 |. FF75 10 ||push dword ptr [ebp+10]
004216CA |. E8 31DCFEFF ||call 0040F300
004216CF |. 85C0 ||test eax, eax
004216D1 |. 59 ||pop ecx
004216D2 |. 59 ||pop ecx
004216D3 |. 74 0D ||je short 004216E2
004216D5 |> 8B46 08 ||mov eax, dword ptr [esi+8]
004216D8 |. 8943 04 ||mov dword ptr [ebx+4], eax
004216DB |. C745 0C 01000>||mov dword ptr [ebp+C], 1
004216E2 |> 83C6 0C ||add esi, 0C
004216E5 |> 8B46 04 | mov eax, dword ptr [esi+4]
004216E8 |. 85C0 ||test eax, eax
004216EA |.^ 75 B6 |\jnz short 004216A2
004216EC |> 8B3F |mov edi, dword ptr [edi]
004216EE |> 85FF test edi, edi
004216F0 |.^ 75 A5 \jnz short 00421697
004216F2 |> 8B45 0C mov eax, dword ptr [ebp+C]
004216F5 |. EB 3D jmp short 00421734
004216F7 |> 83F8 FF cmp eax, -1
004216FA |. 74 0D je short 00421709
004216FC |. 8BD8 mov ebx, eax ; Default case of switch 0042164F
004216FE |. C1EB 10 shr ebx, 10
00421701 |. 0FB7C0 movzx eax, ax
00421704 |. 8945 0C mov dword ptr [ebp+C], eax
00421707 |. 75 05 jnz short 0042170E
00421709 |> BB 11010000 mov ebx, 111 ; Case FFFFFFFF of switch 0042164F
0042170E |> 8B07 mov eax, dword ptr [edi]
00421710 |. 8BCF mov ecx, edi
00421712 |. FF50 28 call dword ptr [eax+28]
00421715 |. 8BF0 mov esi, eax
00421717 |. EB 15 jmp short 0042172E
00421719 |> FF75 08 /push dword ptr [ebp+8] ; /Arg4
0042171C |. FF75 0C |push dword ptr [ebp+C] ; |Arg3
0042171F |. 53 |push ebx ; |Arg2
00421720 |. FF76 04 |push dword ptr [esi+4] ; |Arg1
00421723 |. E8 6CC9FFFF |call 0041E094 ; \zlsrv2.0041E094
00421728 |. 85C0 |test eax, eax
0042172A |. 75 0F |jnz short 0042173B
0042172C |. 8B36 |mov esi, dword ptr [esi]
0042172E |> 85F6 test esi, esi
00421730 |.^ 75 E7 \jnz short 00421719
00421732 |. 33C0 xor eax, eax
00421734 |> 5E pop esi
00421735 |. 5B pop ebx
00421736 |> 5F pop edi
00421737 |. 5D pop ebp
00421738 |. C2 1000 retn 10
0042173B |> FF75 14 push dword ptr [ebp+14] ; /Arg7
0042173E |. FF70 10 push dword ptr [eax+10] ; |Arg6
00421741 |. FF75 10 push dword ptr [ebp+10] ; |Arg5
00421744 |. FF70 14 push dword ptr [eax+14] ; |Arg4
00421747 |. FF75 0C push dword ptr [ebp+C] ; |Arg3
0042174A |. FF75 08 push dword ptr [ebp+8] ; |Arg2
0042174D |. 57 push edi ; |Arg1
0042174E |. E8 E0FDFFFF call 00421533 ; \zlsrv2.00421533
00421753 \.^ EB DF jmp short 00421734
What does the code above do?
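As an added illustration (not code from the original post or from the program being discussed), this Python script reconstructs the case-to-handler mapping of the switch at 00421556 from the OllyDbg lines quoted above. It reads the add/cmp/ja/jmp-table idiom and the dword table at 00421619, and returns which handler address each case value 35..40 dispatches to; it assumes OllyDbg's default text layout, and the listing it parses is a constructed excerpt of the dump above.

```python
import re

# Constructed excerpt of the OllyDbg dump posted above: the dispatch stub at
# 00421556 and the twelve-entry dword table it indexes at 00421619.
LISTING = """\
00421556 |. 83C0 CB add eax, -35 ; Switch (cases 35..40)
00421559 |. 83F8 0B cmp eax, 0B
0042155D |. 0F87 AE000000 ja 00421611
00421563 |. FF2485 191642>jmp dword ptr [eax*4+421619]
00421619 . 6A154200 dd zlsrv2.0042156A
0042161D . 75154200 dd zlsrv2.00421575
00421621 . 80154200 dd zlsrv2.00421580
00421625 . 85154200 dd zlsrv2.00421585
00421629 . 8A154200 dd zlsrv2.0042158A
0042162D . 9A154200 dd zlsrv2.0042159A
00421631 . AA154200 dd zlsrv2.004215AA
00421635 . BD154200 dd zlsrv2.004215BD
00421639 . D0154200 dd zlsrv2.004215D0
0042163D . DC154200 dd zlsrv2.004215DC
00421641 . F7154200 dd zlsrv2.004215F7
00421645 . 02164200 dd zlsrv2.00421602
"""

def decode_switch(listing):
    """Return ({case_value: handler_addr}, default_addr) for the
    'add eax,-N / cmp eax,M / ja default / jmp [eax*4+table]' idiom."""
    bias = index_max = table = default = None
    entries = {}                                  # table slot address -> target
    for line in listing.splitlines():
        if m := re.search(r"\badd eax, (-?[0-9A-F]+)\b", line):
            bias = int(m.group(1), 16)            # eax += bias, so lowest case = -bias
        elif m := re.search(r"\bcmp eax, ([0-9A-F]+)\b", line):
            index_max = int(m.group(1), 16)       # largest zero-based index not rejected
        elif m := re.search(r"\bja (?:short )?([0-9A-F]{8})\b", line):
            default = int(m.group(1), 16)         # where out-of-range values go
        elif m := re.search(r"jmp dword ptr \[eax\*4\+([0-9A-F]+)\]", line):
            table = int(m.group(1), 16)           # base of the 4-byte pointer table
        elif m := re.match(r"([0-9A-F]{8}) .*\bdd \w+\.([0-9A-F]{8})", line):
            entries[int(m.group(1), 16)] = int(m.group(2), 16)
    if None in (bias, index_max, table, default):
        raise ValueError("dispatch stub not fully recognised")
    cases = {-bias + i: entries[table + 4 * i] for i in range(index_max + 1)}
    return cases, default

if __name__ == "__main__":
    cases, default = decode_switch(LISTING)
    for value, target in cases.items():
        print(f"case {value:02X} ({chr(value)!r}) -> {target:08X}")
    print(f"default -> {default:08X}")
```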
Ability level: ( LV12,RANK:210 )
Post #3
Look at your Access tables and see whether any of them holds a setting, and which table records the current number of online users, for example
conn.execute "select count(*) from tblonline"
and then checks the return value; if it is greater than 10, deny. Set a breakpoint on the database query statement. That is possibility 1.
Two: the connection info is kept in local memory. Break on the accept function (this should be done in a separate thread); after a connection comes in, i.e. after accept returns, the program should do a user-count check, and if the limit is exceeded it calls the close function.
Ability level: ( LV2,RANK:10 )
Post #4
When unregistered, the main window title says at most 10 users can be online.
0000791D E8 638D0000 call 00010685
00007922 8BE8 mov ebp, eax
00007924 8D4424 3C lea eax, dword ptr [esp+3C]
00007928 50 push eax
00007929 C64424 44 00 mov byte ptr [esp+44], 0
0000792E E8 528D0000 call 00010685
00007933 8D4C24 3C lea ecx, dword ptr [esp+3C]
00007937 51 push ecx
00007938 8BD8 mov ebx, eax
0000793A C64424 44 00 mov byte ptr [esp+44], 0
0000793F E8 418D0000 call 00010685
00007944 56 push esi
00007945 55 push ebp
00007946 894424 30 mov dword ptr [esp+30], eax
0000794A E8 81270000 call 0000A0D0
0000794F 56 push esi
00007950 53 push ebx
00007951 8BE8 mov ebp, eax
00007953 E8 78270000 call 0000A0D0
00007958 8B5424 38 mov edx, dword ptr [esp+38]
0000795C 56 push esi
0000795D 52 push edx
0000795E 8BD8 mov ebx, eax
00007960 E8 6B270000 call 0000A0D0
00007965 83C4 28 add esp, 28
00007968 3BEF cmp ebp, edi
0000796A 74 76 jne short 000079E2
0000796C 3B5C24 1C cmp ebx, dword ptr [esp+1C]
00007970 74 70 jne short 000079E2
00007972 3B4424 20 cmp eax, dword ptr [esp+20]
00007976 74 6A jne short 000079E2
00007978 E8 78CE0100 call 000247F5
0000797D 8B4C24 14 mov ecx, dword ptr [esp+14]
00007981 8B15 B801D100 mov edx, dword ptr [D101B8]
00007987 8B40 04 mov eax, dword ptr [eax+4]
0000798A 81C1 C0000000 add ecx, 0C0
00007990 8B09 mov ecx, dword ptr [ecx]
00007992 51 push ecx
00007993 8B0D B401D100 mov ecx, dword ptr [D101B4]
00007999 52 push edx
0000799A 51 push ecx
0000799B 8BC8 mov ecx, eax
0000799D E8 61C30100 call 00023D03 ; pops up the "registration successful" window
000079A2 8B4C24 14 mov ecx, dword ptr [esp+14]
000079A6 6A 00 push 0
After changing the earlier jump so it goes to "registration successful", returning to the main window still shows 10 users, so now I need to know how to modify the user-count control. There is no counter in the tables, so it is probably still in memory. What I'm doing now is intercepting the return to the main window after the "success" child window is confirmed, and then finding the code that computes the user count.