最初由 kanxue 发布
先google搜索资料,看看命令行编程如何实现的,再找切入点。
例如,一般用GetCommandLine等
嗯,因为以上代码均是游戏已进入界面时的代码,所以很难跟踪.
我在GetCommandLine后找到了一些代码:
* Reference To: KERNEL32.GetCommandLineA, Ord:00AAh
|
:0049365E FF15FCB04A00 Call dword ptr [004AB0FC]
:00493664 A3706B5500 mov dword ptr [00556B70], eax
:00493669 E802640000 call 00499A70
:0049366E A3BC545500 mov dword ptr [005554BC], eax
:00493673 85C0 test eax, eax
:00493675 7409 je 00493680
:00493677 A1706B5500 mov eax, dword ptr [00556B70]
:0049367C 85C0 test eax, eax
:0049367E 750A jne 0049368A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00493675(C)
|
:00493680 6AFF push FFFFFFFF
:00493682 E8A9DDFFFF call 00491430
:00493687 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049367E(C)
|
:0049368A E831610000 call 004997C0
:0049368F E83C600000 call 004996D0
:00493694 E867DDFFFF call 00491400
:00493699 8B35706B5500 mov esi, dword ptr [00556B70]
:0049369F 89759C mov dword ptr [ebp-64], esi
:004936A2 803E22 cmp byte ptr [esi], 22
:004936A5 0F85BE000000 jne 00493769
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004936C9(C), :004936CF(U)
|
:004936AB 46 inc esi
:004936AC 89759C mov dword ptr [ebp-64], esi
:004936AF 8A06 mov al, byte ptr [esi]
:004936B1 3C22 cmp al, 22
:004936B3 741C je 004936D1
:004936B5 84C0 test al, al
:004936B7 7418 je 004936D1
:004936B9 25FF000000 and eax, 000000FF
:004936BE 50 push eax
:004936BF E8AC5F0000 call 00499670
:004936C4 83C404 add esp, 00000004
:004936C7 85C0 test eax, eax
:004936C9 74E0 je 004936AB
:004936CB 46 inc esi
:004936CC 89759C mov dword ptr [ebp-64], esi
:004936CF EBDA jmp 004936AB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004936B3(C), :004936B7(C)
|
:004936D1 803E22 cmp byte ptr [esi], 22
:004936D4 7504 jne 004936DA
:004936D6 46 inc esi
:004936D7 89759C mov dword ptr [ebp-64], esi
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004936D4(C), :004936E8(U), :0049376C(C)
|
:004936DA 8A06 mov al, byte ptr [esi]
:004936DC 84C0 test al, al
:004936DE 740A je 004936EA
:004936E0 3C20 cmp al, 20
:004936E2 7706 ja 004936EA
:004936E4 46 inc esi
:004936E5 89759C mov dword ptr [ebp-64], esi
:004936E8 EBF0 jmp 004936DA
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004936DE(C), :004936E2(C)
|
:004936EA C745D000000000 mov [ebp-30], 00000000
:004936F1 8D45A4 lea eax, dword ptr [ebp-5C]
:004936F4 50 push eax
在一边加参数一边调试后,我大概看懂了...因为GetCommandLine获得的数据是以下格式的字符串:
"盘符\文件夹名\EXE文件名" -badnews
所以程序中是这样将EXE路径和参数分开的.先逐一比较"并堆栈,比较到第二个"时,再比较空格(去空格),然后就获得了-badnews
我是这样改得,将:
004936E0 3C20 cmp al, 20
改为:
004936E0 3C2D cmp al, 2D
这样就成了比较-(去掉了-),获得成了badnews堆栈.
游戏运行时,确实起到了屏蔽作弊模式的目的.但又出现了2个问题:
1、有时游戏进入或退出时,会出来WINDOWS常见的那个,发送不发送错误报告的对话框.
2、游戏的有一些功能出现了异常.
我只改了一个参数呀,且观察没有发现影响到别的变量和堆栈值.所以我又做了测试,只要随便(指把一句不重要的NOP)改一下,游戏也会出现这种情况.一开始我怀疑是EXE监测修改时间的问题,就把时间调成原EXE的修改时间,但不行.这个游戏没有加壳呀...难道这个游戏还监测是不是做了修改?如果修改了故意让程序出错?我用Stud_PE比较了一下原版和修改版的PE值,发现除了CheckSum外,各种参数都一样.难道是CheckSum的问题?CheckSum怎么修改?如果能修改,我修改成原版的值,游戏的问题是不是能解决?
不知我说的,高手们听懂了吗?你们碰到过这种问题吗?我以前曾学将这个游戏免CD,也成功了,但一样是出以上的两个问题。
