Tomak
1. First install the files from the original CD, then eject the disc.
2. Run Tomak Again.exe; it shows: INSERT 'TOMAK AGAIN GAME DISC'
Quit, open Tomak Again.exe in W32DASM V10, and use the Find Text item in the Search menu
to look for INSERT 'TOMAK AGAIN GAME DISC. Double-click the hit to arrive at:
00408184 6854114500 push 00451154
Now look upward for a jump. A few lines up, just above the USER32.MESSAGEBOXA call,
there is:
00408173 84C0 TEST AL,AL   test the check routine's return value in AL
00408175 7524 JNE 0040819B   decides whether the game is running with the disc
Now double-click 00408175 7524 JNE 0040819B to go to that address, right-click,
choose HEXEDIT, and change the bytes to: EB248B2DC07645006A01687C1145006854114500
so that it jumps unconditionally.
Click Save, then Run. OK.
Fighting Force
This one is more troublesome, because it installs only a handful of files to the hard disk (about 1-2 MB)
and also installs the video-playback software into the system (which has to be extracted); it uses GETDRIVETYPEA to look for the disc.
1. Install the game to the hard disk, then copy the files in the root directory of the CD into your installation directory, except FFORCE.EXE.
Also copy the winplay-related files from the windows\system directory into your installation directory. Eject the disc, run ffsetup.exe to configure the game, then run fforce.exe; it shows
PLEASE INSERT FIGHTING FORCE CD.
2. Open fforce.exe in W32DASM V10 and use the Find Text item in the Search menu to look for PLEASE INSERT FIGHTING FORCE CD.
You arrive at 0042DFA4 68C4C24600 push 0046C2C4
Scroll up a few lines and you see 0042DF96 85C0 TEST EAX,EAX   test the check routine's return value in EAX
0042DF98 752C JNE 0042DFC6   decides whether the game is running with the disc and whether the current directory is set.
Now double-click 0042DF98 752C JNE 0042DFC6 to go to that address, right-click,
choose HEXEDIT, and change the bytes to EB2C6811100400686420950068C4C2460053FFD5
so that it jumps unconditionally.
Click Save, then Run. OK.
RayStorm
1. First install the files from the original CD, then eject the disc.
2. Run RayStorm.exe; it shows: PLEASE INSERT THE "RAYSTORM"CD
Quit. This time open RayStorm.exe in odbg110 (OllyDbg 1.10). Once the file is loaded, right-click in the MAIN pane at the upper left,
choose SEARCH FOR, then the first item, NAME (LABEL) IN CURRENT MODULE.
Scroll down and select GETDRIVETYPEA. Without switching windows, press Enter or right-click here
and choose the fourth item, FIND REFERENCES TO IMPORT. This opens the KERNEL32.GETDRIVETYPEA references window.
The first entry is:
References in RAYSTORM:.text to KERNEL32.GetDriveTypeA, item 0
Address=005949B6
Disassembly=MOV EBX,DWORD PTR DS:[<&KERNEL32.GetDriveTypeA>]
Comment=DS:[005D2074]=83F01608
Without switching windows, press Enter or right-click here and choose the first item, FOLLOW IN DISASSEMBLER.
This brings you to the CPU-MAIN window, at
005949B6 |> 8B1D 74205D00 MOV EBX,DWORD PTR DS:[<&KERNEL32.GetDriveTypeA>]
This is the routine that reads the CD-ROM drive. Now look downward for something like:
XXXXXXXX |. XX ||CMP EAX,5 or XXX   a comparison
XXXXXXXX |. XX ||JNZ SHORT XXX.XXX   taken or not
or
XXXXXXXX |. XX ||TEST XXX,XXX   test the check routine's return value XXX
XXXXXXXX |. XX ||JNZ SHORT XXX.XXX   taken or not
The code is as follows:
005949B6 |> 8B1D 74205D00 MOV EBX,DWORD PTR DS:[<&KERNEL32.GetDriveTypeA>]
005949BC |. 8B3D 5C205D00 MOV EDI,DWORD PTR DS:[<&KERNEL32.CreateFileA>]
005949C2 |. 8B2D 20225D00 MOV EBP,DWORD PTR DS:[<&USER32.MessageBoxA>]
005949C8 |> 8D4424 10 /LEA EAX,DWORD PTR SS:[ESP+10]
005949CC |. 50 |PUSH EAX ; /Buffer
005949CD |. 68 00010000 |PUSH 100 ; |BufSize = 100 (256.)
005949D2 |. FF15 70205D00 |CALL DWORD PTR DS:[<&KERNEL32.GetLogicalDriveStr>; \GetLogicalDriveStringsA
005949D8 |. 85C0 |TEST EAX,EAX
005949DA |. 0F84 B6000000 |JE RAYSTORM.00594A96
005949E0 |. 8D7424 10 |LEA ESI,DWORD PTR SS:[ESP+10]
005949E4 |> 803E 00 |/CMP BYTE PTR DS:[ESI],0
005949E7 |. 74 50 ||JE SHORT RAYSTORM.00594A39
005949E9 |. 56 ||PUSH ESI
005949EA |. FFD3 ||CALL EBX
005949EC |. 83F8 05 ||CMP EAX,5
005949EF |. 75 38 ||JNZ SHORT RAYSTORM.00594A29
005949F1 |. 8B0D E06D6E00 ||MOV ECX,DWORD PTR DS:[6E6DE0]
005949F7 |. 51 ||PUSH ECX
005949F8 |. 56 ||PUSH ESI
005949F9 |. 68 34376B00 ||PUSH RAYSTORM.006B3734 ; ASCII "%s%s"
005949FE |. 68 48856E00 ||PUSH RAYSTORM.006E8548
00594A03 |. E8 43160300 ||CALL RAYSTORM.005C604B
00594A08 |. 83C4 10 ||ADD ESP,10
00594A0B |. 6A 00 ||PUSH 0
00594A0D |. 68 80000000 ||PUSH 80
00594A12 |. 6A 03 ||PUSH 3
00594A14 |. 6A 00 ||PUSH 0
00594A16 |. 6A 00 ||PUSH 0
00594A18 |. 68 00000080 ||PUSH 80000000
00594A1D |. 68 48856E00 ||PUSH RAYSTORM.006E8548
00594A22 |. FFD7 ||CALL EDI
00594A24 |. 83F8 FF ||CMP EAX,-1
00594A27 |. 75 51 ||JNZ SHORT RAYSTORM.00594A7A
00594A29 |> 803E 00 ||CMP BYTE PTR DS:[ESI],0
00594A2C |. 74 08 ||JE SHORT RAYSTORM.00594A36
00594A2E |> 8A46 01 ||/MOV AL,BYTE PTR DS:[ESI+1]
00594A31 |. 46 |||INC ESI
00594A32 |. 84C0 |||TEST AL,AL
00594A34 |.^75 F8 ||\JNZ SHORT RAYSTORM.00594A2E
00594A36 |> 46 ||INC ESI
00594A37 |.^EB AB |\JMP SHORT RAYSTORM.005949E4
00594A39 |> A1 F46D6E00 |MOV EAX,DWORD PTR DS:[6E6DF4]
00594A3E |. 85C0 |TEST EAX,EAX
00594A40 |. 75 08 |JNZ SHORT RAYSTORM.00594A4A
00594A42 |. 6A 01 |PUSH 1 ; /Show = TRUE
00594A44 |. FF15 9C215D00 |CALL DWORD PTR DS:[<&USER32.ShowCursor>] ; \ShowCursor
00594A4A |> 8B15 E46D6E00 |MOV EDX,DWORD PTR DS:[6E6DE4]
00594A50 |. A1 FC6D6E00 |MOV EAX,DWORD PTR DS:[6E6DFC]
00594A55 |. 6A 35 |PUSH 35
00594A57 |. 6A 00 |PUSH 0
00594A59 |. 52 |PUSH EDX
00594A5A |. 50 |PUSH EAX
00594A5B |. FFD5 |CALL EBP
00594A5D |. 8BF0 |MOV ESI,EAX
00594A5F |. A1 F46D6E00 |MOV EAX,DWORD PTR DS:[6E6DF4]
00594A64 |. 85C0 |TEST EAX,EAX
00594A66 |. 75 08 |JNZ SHORT RAYSTORM.00594A70
00594A68 |. 6A 00 |PUSH 0 ; /Show = FALSE
00594A6A |. FF15 9C215D00 |CALL DWORD PTR DS:[<&USER32.ShowCursor>] ; \ShowCursor
00594A70 |> 83FE 02 |CMP ESI,2
00594A73 |. 74 21 |JE SHORT RAYSTORM.00594A96
00594A75 |.^E9 4EFFFFFF \JMP RAYSTORM.005949C8
00594A7A |> 50 PUSH EAX ; /hChange
00594A7B |. FF15 64205D00 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \FindCloseChangeNotification
00594A81 |. 8A0E MOV CL,BYTE PTR DS:[ESI]
00594A83 |. 5F POP EDI
00594A84 |. 5E POP ESI
00594A85 |. 5D POP EBP
00594A86 |. 880D 507F6E00 MOV BYTE PTR DS:[6E7F50],CL
00594A8C |. B0 01 MOV AL,1
00594A8E |. 5B POP EBX
00594A8F |. 81C4 00010000 ADD ESP,100
00594A95 |. C3 RETN
00594A96 |> 5F POP EDI
00594A97 |. 5E POP ESI
00594A98 |. 5D POP EBP
00594A99 |. 32C0 XOR AL,AL
00594A9B |. 5B POP EBX
00594A9C |. 81C4 00010000 ADD ESP,100
00594AA2 \. C3 RETN
Not far down you will see:
005949EC |. 83F8 05 ||CMP EAX,5
005949EF |. 75 38 ||JNZ SHORT RAYSTORM.00594A29
5 means a hard disk; here EAX is 3, which is a CD-ROM drive. You can check this by breaking and running: on
005949EC |. 83F8 05 ||CMP EAX,5
press F2 to set a breakpoint, then F9; the register pane below CPU-MAIN shows EAX=00000003.
When the comparison condition is met it jumps to 00594A29. Look at that address:
00594A29 |> 803E 00 ||CMP BYTE PTR DS:[ESI],0
That is also a comparison, but the line just above it is a jump:
00594A27 |. 75 51 ||JNZ SHORT RAYSTORM.00594A7A
00594A29 |> 803E 00 ||CMP BYTE PTR DS:[ESI],0
Now we force 005949EF |. 75 38 ||JNZ SHORT RAYSTORM.00594A29 into
005949EF |. EB 36 ||JMP SHORT RAYSTORM.00594A27. To do this, double-click JNZ SHORT 00594A29;
in the window that pops up, type over the text JNZ SHORT 00594A29 with JMP SHORT 00594A27, click
ASSEMBLE, then click the X. You can see 7538 become EB36: EB is an unconditional jump and 36 gives the jump to 00594A27. You can test it with a breakpoint
as follows: double-click the EB36 in 005949EF |. EB 36 ||JMP SHORT RAYSTORM.00594A27
or press F2, then press F9 to run; execution now stops at 00594A27 |. 75 51 ||JNZ SHORT RAYSTORM.00594A7A
Press F2 on 005949EF |. EB 36 ||JMP SHORT RAYSTORM.00594A27 to remove the breakpoint, then change this JNZ into JMP as well:
double-click the JNZ SHORT 00594A7A in 00594A27 |. 75 51 ||JNZ SHORT RAYSTORM.00594A7A,
type over JNZ with JMP, click ASSEMBLE, then click the X. Set a breakpoint here too, as above,
but this time the screen goes black and the CYBERFONT logo appears. Its file OFFSET can be found with W32DASM, as mentioned before. Done.
RayCrisis
1. First install the files from the original CD, then eject the disc.
2. Run RayCrisis.exe; it shows: PLEASE INSERT THE "RayCrisis"CD
Quit. This time open RayCrisis.exe in odbg110. Once the file is loaded, right-click in the MAIN pane at the upper left,
choose SEARCH FOR, then the first item, NAME (LABEL) IN CURRENT MODULE.
Scroll down and select GETDRIVETYPEA. Without switching windows, press Enter or right-click here
and choose the fourth item, FIND REFERENCES TO IMPORT. This opens the KERNEL32.GETDRIVETYPEA references window.
The first entry is:
References in 1RAYCRIS:.text to KERNEL32.GetDriveTypeA, item 0
Address=005C35E6
Disassembly=MOV EBX,DWORD PTR DS:[<&KERNEL32.GetDriveTypeA>]
Comment=DS:[005F707C]=83F42EC8
Without switching windows, press Enter or right-click here and choose the first item, FOLLOW IN DISASSEMBLER.
This brings you to the CPU-MAIN window. Now look downward for something like:
XXXXXXXX |. XX ||CMP EAX,5 or XXX   a comparison
XXXXXXXX |. XX ||JNZ SHORT XXX.XXX   taken or not
or
XXXXXXXX |. XX ||TEST XXX,XXX   test the check routine's return value XXX
XXXXXXXX |. XX ||JNZ SHORT XXX.XXX   taken or not
The code is as follows:
005C35E6 |> 8B1D 7C705F00 MOV EBX,DWORD PTR DS:[<&KERNEL32.GetDriveTypeA>]
005C35EC |. 8B3D 68705F00 MOV EDI,DWORD PTR DS:[<&KERNEL32.CreateFileA>]
005C35F2 |. 8B2D 24725F00 MOV EBP,DWORD PTR DS:[<&USER32.MessageBoxA>]
005C35F8 |> 8D4424 10 /LEA EAX,DWORD PTR SS:[ESP+10]
005C35FC |. 50 |PUSH EAX ; /Buffer
005C35FD |. 68 00010000 |PUSH 100 ; |BufSize = 100 (256.)
005C3602 |. FF15 78705F00 |CALL DWORD PTR DS:[<&KERNEL32.GetLogicalDriveStringsA>] ; \GetLogicalDriveStringsA
005C3608 |. 85C0 |TEST EAX,EAX
005C360A |. 0F84 B6000000 |JE 1RAYCRIS.005C36C6
005C3610 |. 8D7424 10 |LEA ESI,DWORD PTR SS:[ESP+10]
005C3614 |> 803E 00 |/CMP BYTE PTR DS:[ESI],0
005C3617 |. 74 50 ||JE SHORT 1RAYCRIS.005C3669
005C3619 |. 56 ||PUSH ESI
005C361A |. FFD3 ||CALL EBX
005C361C |. 83F8 05 ||CMP EAX,5
005C361F EB 36 JMP SHORT 1RAYCRIS.005C3657
005C3621 |. 8B0D 20437C00 ||MOV ECX,DWORD PTR DS:[7C4320] ; 1RAYCRIS.006BBE7C
005C3627 |. 51 ||PUSH ECX
005C3628 |. 56 ||PUSH ESI
005C3629 |. 68 40D66E00 ||PUSH 1RAYCRIS.006ED640 ; ASCII "%s%s"
005C362E |. 68 98557C00 ||PUSH 1RAYCRIS.007C5598
005C3633 |. E8 C9D30100 ||CALL 1RAYCRIS.005E0A01
005C3638 |. 83C4 10 ||ADD ESP,10
005C363B |. 6A 00 ||PUSH 0
005C363D |. 68 80000000 ||PUSH 80
005C3642 |. 6A 03 ||PUSH 3
005C3644 |. 6A 00 ||PUSH 0
005C3646 |. 6A 00 ||PUSH 0
005C3648 |. 68 00000080 ||PUSH 80000000
005C364D |. 68 98557C00 ||PUSH 1RAYCRIS.007C5598
005C3652 |. FFD7 ||CALL EDI
005C3654 |. 83F8 FF ||CMP EAX,-1
005C3657 EB 51 JMP SHORT 1RAYCRIS.005C36AA
005C3659 |> 803E 00 ||CMP BYTE PTR DS:[ESI],0
005C365C |. 74 08 ||JE SHORT 1RAYCRIS.005C3666
005C365E |> 8A46 01 ||/MOV AL,BYTE PTR DS:[ESI+1]
005C3661 |. 46 |||INC ESI
005C3662 |. 84C0 |||TEST AL,AL
005C3664 |.^75 F8 ||\JNZ SHORT 1RAYCRIS.005C365E
005C3666 |> 46 ||INC ESI
005C3667 |.^EB AB |\JMP SHORT 1RAYCRIS.005C3614
005C3669 |> A1 34437C00 |MOV EAX,DWORD PTR DS:[7C4334]
005C366E |. 85C0 |TEST EAX,EAX
005C3670 |. 75 08 |JNZ SHORT 1RAYCRIS.005C367A
005C3672 |. 6A 01 |PUSH 1 ; /Show = TRUE
005C3674 |. FF15 54725F00 |CALL DWORD PTR DS:[<&USER32.ShowCursor>] ; \ShowCursor
005C367A |> 8B15 24437C00 |MOV EDX,DWORD PTR DS:[7C4324] ; 1RAYCRIS.006BBE58
005C3680 |. A1 3C437C00 |MOV EAX,DWORD PTR DS:[7C433C]
005C3685 |. 6A 35 |PUSH 35
005C3687 |. 6A 00 |PUSH 0
005C3689 |. 52 |PUSH EDX
005C368A |. 50 |PUSH EAX
005C368B |. FFD5 |CALL EBP
005C368D |. 8BF0 |MOV ESI,EAX
005C368F |. A1 34437C00 |MOV EAX,DWORD PTR DS:[7C4334]
005C3694 |. 85C0 |TEST EAX,EAX
005C3696 |. 75 08 |JNZ SHORT 1RAYCRIS.005C36A0
005C3698 |. 6A 00 |PUSH 0 ; /Show = FALSE
005C369A |. FF15 54725F00 |CALL DWORD PTR DS:[<&USER32.ShowCursor>] ; \ShowCursor
005C36A0 |> 83FE 02 |CMP ESI,2
005C36A3 |. 74 21 |JE SHORT 1RAYCRIS.005C36C6
005C36A5 |.^E9 4EFFFFFF \JMP 1RAYCRIS.005C35F8
005C36AA |> 50 PUSH EAX ; /hChange
005C36AB |. FF15 70705F00 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \FindCloseChangeNotification
005C36B1 |. 8A0E MOV CL,BYTE PTR DS:[ESI]
005C36B3 |. 5F POP EDI
005C36B4 |. 5E POP ESI
005C36B5 |. 5D POP EBP
005C36B6 |. 880D 90547C00 MOV BYTE PTR DS:[7C5490],CL
005C36BC |. B0 01 MOV AL,1
005C36BE |. 5B POP EBX
005C36BF |. 81C4 00010000 ADD ESP,100
005C36C5 |. C3 RETN
005C36C6 |> 5F POP EDI
005C36C7 |. 5E POP ESI
005C36C8 |. 5D POP EBP
005C36C9 |. 32C0 XOR AL,AL
005C36CB |. 5B POP EBX
005C36CC |. 81C4 00010000 ADD ESP,100
005C36D2 \. C3 RETN
Not far down you will see:
005C361C |. 83F8 05 ||CMP EAX,5
005C361F |. 75 38 ||JNZ SHORT 1RAYCRIS.005C3659
5 means a hard disk; here EAX is 3, which is a CD-ROM drive.
When the comparison condition is met it jumps to 005C3659. Look at that address:
005C3659 |> 803E 00 ||CMP BYTE PTR DS:[ESI],0
That is also a comparison, but the line just above it is a jump:
005C3654 |. 83F8 FF ||CMP EAX,-1
005C3657 |. 75 51 ||JNZ SHORT 1RAYCRIS.005C36AA
Now we force 005C361F |. 75 38 ||JNZ SHORT 1RAYCRIS.005C3659
into JMP SHORT 005C3657. To do this, double-click JNZ SHORT 005C3659; in the window that pops up, type over the text JNZ SHORT 005C3659 with JMP SHORT 005C3657,
click ASSEMBLE, then click the X. You can see 7538 become EB36: EB is an unconditional jump and 36 gives the jump to 005C3657.
Then change the JNZ at 005C3657 into JMP as well: double-click JNZ SHORT 005C36AA,
type over JNZ with JMP, click ASSEMBLE, then click the X. Press F9 to run; this time the screen goes black and the CYBERFONT logo appears. Its file OFFSET can be found with W32DASM, as mentioned before. Done.
Psychic Force 2012 (超能力大战2012)
This game checks the volume label of the CD, as I found out only later.
1. First install the files from the original CD, then eject the disc.
2. Run pfx.exe; it shows: CD-ROM 霓撞剔????徊矾柑
Quit. This time open pfx.exe in odbg110. Once the file is loaded, right-click in the MAIN pane at the upper left,
choose SEARCH FOR, then the third item from the bottom, ALL REFERENCED TEXT STRINGS.
Scroll up. Since the message was CD-ROM 霓撞剔????徊矾柑, the check must be related to CD information,
so look for strings mentioning CD. At 004FD620 you see the following:
Text strings referenced in 1PFX:.text, item 301
Address=004FD620
Disassembly=PUSH 1PFX.00632C54
Text string=ASCII "CDDA:OpenCDAudio() failed.
"
....................... down to
Text strings referenced in 1PFX:.text, item 318
Address=005024D5
Disassembly=PUSH 1PFX.00632E24
Text string=ASCII "A:"
Text strings referenced in 1PFX:.text, item 319
Address=0050256A
Disassembly=PUSH 1PFX.00632E28
Text string=ASCII "PF2012"
These are the CD-related strings. Try the first one:
Text strings referenced in 1PFX:.text, item 301
Address=004FD620
Disassembly=PUSH 1PFX.00632C54
Text string=ASCII "CDDA:OpenCDAudio() failed.
"
Press Enter to go to CPU-MAIN,
then look downward for something like:
XXXXXXXX |. XX ||CMP EAX,5 or XXX   a comparison
XXXXXXXX |. XX ||JNZ SHORT XXX.XXX   taken or not
or
XXXXXXXX |. XX ||TEST XXX,XXX   test the check routine's return value XXX
XXXXXXXX |. XX ||JNZ SHORT XXX.XXX   taken or not
The code is as follows:
004FD620 |. 68 542C6300 |PUSH 1PFX.00632C54 ; /String = "CDDA:OpenCDAudio() failed.
"
004FD625 |. FF15 ACB05E00 |CALL DWORD PTR DS:[<&KERNEL32.OutputDeb>; \OutputDebugStringA
004FD62B |. 6A 35 |PUSH 35 ; /Style = MB_RETRYCANCEL|MB_ICONEXCLAMATION|MB_APPLMODAL
004FD62D |. A1 D4276300 |MOV EAX,DWORD PTR DS:[_szPF2012App] ; |
004FD632 |. 50 |PUSH EAX ; |Title => "徊矾柑??012 for Windows"
004FD633 |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8] ; |
004FD636 |. 51 |PUSH ECX ; |Text
004FD637 |. 8B15 D0B48400 |MOV EDX,DWORD PTR DS:[__tgr_hwndApp] ; |
004FD63D |. 52 |PUSH EDX ; |hOwner => NULL
004FD63E |. FF15 10B25E00 |CALL DWORD PTR DS:[<&USER32.MessageBoxA>; \MessageBoxA
004FD644 |. 83F8 02 |CMP EAX,2
004FD647 |. 75 05 |JNZ SHORT 1PFX.004FD64E
004FD649 |. E9 E0000000 |JMP 1PFX.004FD72E
004FD64E |>^EB BA |JMP SHORT 1PFX.004FD60A
004FD650 |> E8 B24C0000 |CALL 1PFX._IsCDInsert
004FD655 |. 85C0 |TEST EAX,EAX
004FD657 |. 75 2A |JNZ SHORT 1PFX.004FD683
004FD659 |. E8 864C0000 |CALL 1PFX._CloseCDAudio
004FD65E |. 6A 35 |PUSH 35 ; /Style = MB_RETRYCANCEL|MB_ICONEXCLAMATION|MB_APPLMODAL
004FD660 |. A1 D4276300 |MOV EAX,DWORD PTR DS:[_szPF2012App] ; |
004FD665 |. 50 |PUSH EAX ; |Title => "徊矾柑??012 for Windows"
004FD666 |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4] ; |
004FD669 |. 51 |PUSH ECX ; |Text
004FD66A |. 8B15 D0B48400 |MOV EDX,DWORD PTR DS:[__tgr_hwndApp] ; |
004FD670 |. 52 |PUSH EDX ; |hOwner => NULL
004FD671 |. FF15 10B25E00 |CALL DWORD PTR DS:[<&USER32.MessageBoxA>; \MessageBoxA
004FD677 |. 83F8 02 |CMP EAX,2
004FD67A |. 75 05 |JNZ SHORT 1PFX.004FD681
004FD67C |. E9 AD000000 |JMP 1PFX.004FD72E
004FD681 |>^EB 87 |JMP SHORT 1PFX.004FD60A
004FD683 |> E8 104D0000 |CALL 1PFX._GetTracks
004FD688 |. 83F8 1D |CMP EAX,1D
004FD68B |. 74 2A |JE SHORT 1PFX.004FD6B7
004FD68D |. E8 524C0000 |CALL 1PFX._CloseCDAudio
004FD692 |. 6A 35 |PUSH 35 ; /Style = MB_RETRYCANCEL|MB_ICONEXCLAMATION|MB_APPLMODAL
004FD694 |. A1 D4276300 |MOV EAX,DWORD PTR DS:[_szPF2012App] ; |
004FD699 |. 50 |PUSH EAX ; |Title => "徊矾柑??012 for Windows"
004FD69A |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4] ; |
004FD69D |. 51 |PUSH ECX ; |Text
004FD69E |. 8B15 D0B48400 |MOV EDX,DWORD PTR DS:[__tgr_hwndApp] ; |
004FD6A4 |. 52 |PUSH EDX ; |hOwner => NULL
004FD6A5 |. FF15 10B25E00 |CALL DWORD PTR DS:[<&USER32.MessageBoxA>; \MessageBoxA
004FD6AB |. 83F8 02 |CMP EAX,2
004FD6AE |. 75 02 |JNZ SHORT 1PFX.004FD6B2
004FD6B0 |. EB 7C |JMP SHORT 1PFX.004FD72E
004FD6B2 |>^E9 53FFFFFF |JMP 1PFX.004FD60A
004FD6B7 |> 6A 01 |PUSH 1 ; /Arg1 = 00000001
004FD6B9 |. E8 504D0000 |CALL 1PFX._IsCDAudioTrack ; \_IsCDAudioTrack
004FD6BE |. 83C4 04 |ADD ESP,4
004FD6C1 |. 85C0 |TEST EAX,EAX
004FD6C3 |. 74 2A |JE SHORT 1PFX.004FD6EF
004FD6C5 |. E8 1A4C0000 |CALL 1PFX._CloseCDAudio
004FD6CA |. 6A 35 |PUSH 35 ; /Style = MB_RETRYCANCEL|MB_ICONEXCLAMATION|MB_APPLMODAL
004FD6CC |. A1 D4276300 |MOV EAX,DWORD PTR DS:[_szPF2012App] ; |
004FD6D1 |. 50 |PUSH EAX ; |Title => "徊矾柑??012 for Windows"
004FD6D2 |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4] ; |
004FD6D5 |. 51 |PUSH ECX ; |Text
004FD6D6 |. 8B15 D0B48400 |MOV EDX,DWORD PTR DS:[__tgr_hwndApp] ; |
004FD6DC |. 52 |PUSH EDX ; |hOwner => NULL
004FD6DD |. FF15 10B25E00 |CALL DWORD PTR DS:[<&USER32.MessageBoxA>; \MessageBoxA
004FD6E3 |. 83F8 02 |CMP EAX,2
004FD6E6 |. 75 02 |JNZ SHORT 1PFX.004FD6EA
004FD6E8 |. EB 44 |JMP SHORT 1PFX.004FD72E
004FD6EA |>^E9 1BFFFFFF |JMP 1PFX.004FD60A
004FD6EF |> 6A 02 |PUSH 2 ; /Arg1 = 00000002
004FD6F1 |. E8 184D0000 |CALL 1PFX._IsCDAudioTrack ; \_IsCDAudioTrack
004FD6F6 |. 83C4 04 |ADD ESP,4
004FD6F9 |. 85C0 |TEST EAX,EAX
004FD6FB |. 75 2A |JNZ SHORT 1PFX.004FD727
004FD6FD |. E8 E24B0000 |CALL 1PFX._CloseCDAudio
004FD702 |. 6A 35 |PUSH 35 ; /Style = MB_RETRYCANCEL|MB_ICONEXCLAMATION|MB_APPLMODAL
004FD704 |. A1 D4276300 |MOV EAX,DWORD PTR DS:[_szPF2012App] ; |
004FD709 |. 50 |PUSH EAX ; |Title => "徊矾柑??012 for Windows"
004FD70A |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4] ; |
004FD70D |. 51 |PUSH ECX ; |Text
004FD70E |. 8B15 D0B48400 |MOV EDX,DWORD PTR DS:[__tgr_hwndApp] ; |
004FD714 |. 52 |PUSH EDX ; |hOwner => NULL
004FD715 |. FF15 10B25E00 |CALL DWORD PTR DS:[<&USER32.MessageBoxA>; \MessageBoxA
004FD71B |. 83F8 02 |CMP EAX,2
004FD71E |. 75 02 |JNZ SHORT 1PFX.004FD722
004FD720 |. EB 0C |JMP SHORT 1PFX.004FD72E
004FD722 |>^E9 E3FEFFFF \JMP 1PFX.004FD60A
004FD727 |> B8 01000000 MOV EAX,1
004FD72C |. EB 02 JMP SHORT 1PFX.004FD730
004FD72E |> 33C0 XOR EAX,EAX
004FD730 |> 8BE5 MOV ESP,EBP
004FD732 |. 5D POP EBP
004FD733 \. C3 RETN
You can see:
004FD644 |. 83F8 02 |CMP EAX,2
004FD647 |. 75 05 |JNZ SHORT 1PFX.004FD64E
and
004FD655 |. 85C0 |TEST EAX,EAX
004FD657 |. 75 2A |JNZ SHORT 1PFX.004FD683
and so on.
Look at the first one:
004FD644 |. 83F8 02 |CMP EAX,2
004FD647 |. 75 05 |JNZ SHORT 1PFX.004FD64E
It jumps to 004FD64E. Look at what is at 004FD64E: 004FD64E |>^EB BA |JMP SHORT 1PFX.004FD60A
Why would it jump back upward? My first guess is that this is not the place, so choose
004FD655 |. 85C0 |TEST EAX,EAX
004FD657 |. 75 2A |JNZ SHORT 1PFX.004FD683
Change JNZ SHORT 1PFX.004FD683 into JMP SHORT 1PFX.004FD683
so that it jumps downward. The code around 004FD683:
004FD683 |> E8 104D0000 |CALL 1PFX._GetTracks
004FD688 |. 83F8 1D |CMP EAX,1D
004FD68B 74 2A |JE SHORT 1PFX.004FD6B7
Change JE SHORT 004FD6B7 into JMP SHORT 004FD6B7.
Below it there is a comparison and then a jump to 004FD6B7. The code around 004FD6B7:
004FD6B7 |> 6A 01 |PUSH 1 ; /Arg1 = 00000001
004FD6B9 |. E8 504D0000 |CALL 1PFX._IsCDAudioTrack ; \_IsCDAudioTrack
004FD6BE |. 83C4 04 |ADD ESP,4
004FD6C1 |. 85C0 |TEST EAX,EAX
004FD6C3 |. 74 2A |JE SHORT 1PFX.004FD6EF
004FD6C5 |. E8 1A4C0000 |CALL 1PFX._CloseCDAudio
004FD6CA |. 6A 35 |PUSH 35 ; /Style = MB_RETRYCANCEL|MB_ICONEXCLAMATION|MB_APPLMODAL
004FD6CC |. A1 D4276300 |MOV EAX,DWORD PTR DS:[_szPF2012App] ; |
004FD6D1 |. 50 |PUSH EAX ; |Title => "徊矾柑??012 for Windows"
004FD6D2 |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4] ; |
004FD6D5 |. 51 |PUSH ECX ; |Text
004FD6D6 |. 8B15 D0B48400 |MOV EDX,DWORD PTR DS:[__tgr_hwndApp] ; |
004FD6DC |. 52 |PUSH EDX ; |hOwner => NULL
004FD6DD |. FF15 10B25E00 |CALL DWORD PTR DS:[<&USER32.MessageBoxA>; \MessageBoxA
004FD6E3 |. 83F8 02 |CMP EAX,2
004FD6E6 |. 75 02 |JNZ SHORT 1PFX.004FD6EA
004FD6E8 |. EB 44 |JMP SHORT 1PFX.004FD72E
004FD6EA |>^E9 1BFFFFFF |JMP 1PFX.004FD60A
004FD6EF |> 6A 02 |PUSH 2 ; /Arg1 = 00000002
004FD6F1 |. E8 184D0000 |CALL 1PFX._IsCDAudioTrack ; \_IsCDAudioTrack
004FD6F6 |. 83C4 04 |ADD ESP,4
004FD6F9 |. 85C0 |TEST EAX,EAX
004FD6FB 75 2A |JNZ SHORT 1PFX.004FD727
There are two jumps:
004FD6C1 |. 85C0 |TEST EAX,EAX
004FD6C3 |. 74 2A |JE SHORT 1PFX.004FD6EF
and
004FD6F9 |. 85C0 |TEST EAX,EAX
004FD6FB 75 2A |JNZ SHORT 1PFX.004FD727
The second one seems to jump farther, out of the INITCDDA routine, so change
004FD6FB 75 2A |JNZ SHORT 1PFX.004FD727
into 004FD6FB EB 2A |JMP SHORT 1PFX.004FD727
Then try running it, but it still shows: CD-ROM 霓撞剔????徊矾柑. Then I remembered that earlier there were also
Text strings referenced in 1PFX:.text, item 318
Address=005024D5
Disassembly=PUSH 1PFX.00632E24
Text string=ASCII "A:"
Text strings referenced in 1PFX:.text, item 319
Address=0050256A
Disassembly=PUSH 1PFX.00632E28
Text string=ASCII "PF2012"
What are these two? They look very much like a volume label.
Step in and take a look:
005024D5 |> 68 242E6300 PUSH 1PFX.00632E24 ; /String2 = "A:"
005024DA |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C] ; |
005024E0 |. 50 PUSH EAX ; |String1
005024E1 |. FF15 B0B05E00 CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
005024E7 |. FF15 84B05E00 CALL DWORD PTR DS:[<&KERNEL32.GetLogical>; [GetLogicalDrives
005024ED |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
005024F0 |. C745 FC 010000>MOV DWORD PTR SS:[EBP-4],1
005024F7 |. EB 17 JMP SHORT 1PFX.00502510
005024F9 |> 8B4D FC /MOV ECX,DWORD PTR SS:[EBP-4]
005024FC |. D1E1 |SHL ECX,1
005024FE |. 894D FC |MOV DWORD PTR SS:[EBP-4],ECX
00502501 |. 8A95 E4FEFFFF |MOV DL,BYTE PTR SS:[EBP-11C]
00502507 |. 80C2 01 |ADD DL,1
0050250A |. 8895 E4FEFFFF |MOV BYTE PTR SS:[EBP-11C],DL
00502510 |> 817D FC 000000> CMP DWORD PTR SS:[EBP-4],4000000
00502517 |. 0F83 8A000000 |JNB 1PFX.005025A7
0050251D |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10]
00502520 |. 2345 FC |AND EAX,DWORD PTR SS:[EBP-4]
00502523 |. 85C0 |TEST EAX,EAX
00502525 |. 74 7B |JE SHORT 1PFX.005025A2
00502527 |. 8D8D E4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-11C]
0050252D |. 51 |PUSH ECX ; /RootPathName
0050252E |. FF15 80B05E00 |CALL DWORD PTR DS:[<&KERNEL32.GetDriveT>; \GetDriveTypeA
00502534 |. 83F8 05 |CMP EAX,5
00502537 |. 75 69 |JNZ SHORT 1PFX.005025A2
00502539 |. 68 04010000 |PUSH 104 ; /pFileSystemNameSize = 00000104
0050253E |. 8D95 E8FEFFFF |LEA EDX,DWORD PTR SS:[EBP-118] ; |
00502544 |. 52 |PUSH EDX ; |pFileSystemNameBuffer
00502545 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8] ; |
00502548 |. 50 |PUSH EAX ; |pFileSystemFlags
00502549 |. 8D4D EC |LEA ECX,DWORD PTR SS:[EBP-14] ; |
0050254C |. 51 |PUSH ECX ; |pMaxFilenameLength
0050254D |. 8D55 F4 |LEA EDX,DWORD PTR SS:[EBP-C] ; |
00502550 |. 52 |PUSH EDX ; |pVolumeSerialNumber
00502551 |. 68 04010000 |PUSH 104 ; |MaxVolumeNameSize = 104 (260.)
00502556 |. 8D85 E0FDFFFF |LEA EAX,DWORD PTR SS:[EBP-220] ; |
0050255C |. 50 |PUSH EAX ; |VolumeNameBuffer
0050255D |. 8D8D E4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-11C] ; |
00502563 |. 51 |PUSH ECX ; |RootPathName
00502564 |. FF15 68B05E00 |CALL DWORD PTR DS:[<&KERNEL32.GetVolume>; \GetVolumeInformationA
0050256A |. 68 282E6300 |PUSH 1PFX.00632E28 ; /String2 = "PF2012"
0050256F |. 8D95 E0FDFFFF |LEA EDX,DWORD PTR SS:[EBP-220] ; |
00502575 |. 52 |PUSH EDX ; |String1
00502576 |. FF15 9CB05E00 |CALL DWORD PTR DS:[<&KERNEL32.lstrcmpA>>; \lstrcmpA
0050257C |. 85C0 |TEST EAX,EAX
0050257E |. 75 22 |JNZ SHORT 1PFX.005025A2
00502580 |. C785 DCFDFFFF >|MOV DWORD PTR SS:[EBP-224],1
0050258A |. 8D85 E4FEFFFF |LEA EAX,DWORD PTR SS:[EBP-11C]
00502590 |. 50 |PUSH EAX ; /String2
00502591 |. 8B4D 08 |MOV ECX,DWORD PTR SS:[EBP+8] ; |
00502594 |. 51 |PUSH ECX ; |String1
00502595 |. FF15 B0B05E00 |CALL DWORD PTR DS:[<&KERNEL32.lstrcpyA>>; \lstrcpyA
0050259B |. B8 01000000 |MOV EAX,1
005025A0 |. EB 07 |JMP SHORT 1PFX.005025A9
005025A2 |>^E9 52FFFFFF \JMP 1PFX.005024F9
005025A7 |> 33C0 XOR EAX,EAX
005025A9 |> 8BE5 MOV ESP,EBP
005025AB |. 5D POP EBP
005025AC \. C3 RETN
Arriving at the part that looks like the volume label check:
0050256A |. 68 282E6300 |PUSH 1PFX.00632E28 ; /String2 = "PF2012"
0050256F |. 8D95 E0FDFFFF |LEA EDX,DWORD PTR SS:[EBP-220] ; |
00502575 |. 52 |PUSH EDX ; |String1
00502576 |. FF15 9CB05E00 |CALL DWORD PTR DS:[<&KERNEL32.lstrcmpA>>; \lstrcmpA
0050257C |. 85C0 |TEST EAX,EAX
0050257E |. 75 22 |JNZ SHORT 1PFX.005025A2
Look at how this is handled: there is a call, a TEST of the check routine's return value EAX, and a jump to 005025A2. First look at 005025A2:
005025A2 ^E9 52FFFFFF JMP 1PFX.005024F9 jumps back up, so that should not be the one to change. That leaves
00502576 |. FF15 9CB05E00 |CALL DWORD PTR DS:[<&KERNEL32.lstrcmpA>>; \lstrcmpA
0050257C |. 85C0 |TEST EAX,EAX
and 00502576 |. FF15 9CB05E00 |CALL DWORD PTR DS:[<&KERNEL32.lstrcmpA>>; \lstrcmpA is obviously not it,
so look at 0050257C |. 85C0 |TEST EAX,EAX. Set a breakpoint here and press F9:
EAX=FFFFFFFF. I tried substituting other logic instructions to change this step,
borrowing an explanation from the internet:
"
EAX
32 bits wide
General-purpose register. Compared with the other registers it is used more often for arithmetic. In protected mode it can also serve as a memory offset pointer (with DS as the segment register or selector).
DS  Data segment, or data selector. The low 16 bits of this register, together with ESI, point to the memory the instruction is about to process. All memory-operating instructions use it by default to specify the segment being operated on (real mode) or the memory (as a selector, in protected mode). This register can be loaded with any value, but some care is needed when doing so: first move the data into AX, then transfer it from AX to DS (it can of course also be done through the stack).
"
"Logic instructions
───────────────────────────────────────
AND  logical AND.
OR   logical OR.
XOR  exclusive OR.
NOT  complement.
TEST test (ANDs the two operands, modifies only the flags, does not store the result).
SHL  logical shift left.
SAL  arithmetic shift left (= SHL).
SHR  logical shift right.
SAR  arithmetic shift right (= SHR).
ROL  rotate left.
ROR  rotate right.
RCL  rotate left through carry.
RCR  rotate right through carry.
The above eight shift instructions can shift up to 255 positions.
For a single-position shift the count can be given directly in the instruction, e.g. SHL AX,1.
For a shift of more than one position the count is given by register CL.
"
Trying them in turn: AND, EAX=FFFFFFFF
OR, EAX=FFFFFFFF
On trying XOR, EAX is cleared and the game runs.
That is, change 0050257C |. 85C0 |TEST EAX,EAX into 0050257C |. 33C0 |XOR EAX,EAX
Its file OFFSET can be found with W32DASM, as mentioned before. Done.
shikiEX
I will be brief from here on; school officially starts again on the 23rd.
1. Install, eject the disc, and run shiki.exe; it pops up "???????????-???......."
2. Open shiki.exe in OLLYDBG. Once the file is loaded, right-click in the MAIN pane at the upper left,
choose SEARCH FOR, then the first item, NAME (LABEL) IN CURRENT MODULE.
Scroll down and select GETDRIVETYPEA. Without switching windows, press Enter or right-click here
and choose the fourth item, FIND REFERENCES TO IMPORT. This opens the KERNEL32.GETDRIVETYPEA references window.
The first entry is:
References in 1SHIKI:.text to KERNEL32.GetDriveTypeA, item 0
Address=00417307
Disassembly=MOV ESI,DWORD PTR DS:[<&KERNEL32.GetDriveTypeA>]
Comment=DS:[004F706C]=8462B408
Without switching windows, press Enter or right-click here and choose the first item, FOLLOW IN DISASSEMBLER.
This brings you to the CPU-MAIN window, at 00417307 |. 8B35 6C704F00 MOV ESI,DWORD PTR DS:[<&KERNEL32.GetDriveTypeA>]
This is the routine that reads the CD-ROM drive. Now look downward for something like:
XXXXXXXX |. XX ||CMP EAX,5 or XXX   a comparison
XXXXXXXX |. XX ||JNZ SHORT XXX.XXX   taken or not
or
XXXXXXXX |. XX ||TEST XXX,XXX   test the check routine's return value XXX
XXXXXXXX |. XX ||JNZ SHORT XXX.XXX   taken or not
The code is as follows:
00417307 |. 8B35 6C704F00 MOV ESI,DWORD PTR DS:[<&KERNEL32.GetDriveTypeA>]
0041730D |. 895424 0F MOV DWORD PTR SS:[ESP+F],EDX
00417311 |. 895424 13 MOV DWORD PTR SS:[ESP+13],EDX
00417315 |. 57 PUSH EDI
00417316 |. 66:894424 0C MOV WORD PTR SS:[ESP+C],AX
0041731B |. 884C24 0E MOV BYTE PTR SS:[ESP+E],CL
0041731F |. 885424 1B MOV BYTE PTR SS:[ESP+1B],DL
00417323 |. BF 02000000 MOV EDI,2
00417328 |. BB 41000000 MOV EBX,41
0041732D |> 8D4424 0C /LEA EAX,DWORD PTR SS:[ESP+C]
00417331 |. 50 |PUSH EAX
00417332 |. 885C24 10 |MOV BYTE PTR SS:[ESP+10],BL
00417336 |. FFD6 |CALL ESI
00417338 |. 83F8 05 |CMP EAX,5
0041733B 75 13 JNZ SHORT 1SHIKI.00417350
0041733D |. 8D4C24 0C |LEA ECX,DWORD PTR SS:[ESP+C]
00417341 |. 51 |PUSH ECX
00417342 |. 33FF |XOR EDI,EDI
00417344 |. E8 27000000 |CALL 1SHIKI.00417370
00417349 |. 83C4 04 |ADD ESP,4
0041734C |. 85C0 |TEST EAX,EAX
0041734E |. 75 0F |JNZ SHORT 1SHIKI.0041735F
00417350 |> 43 |INC EBX
00417351 |. 83FB 5A |CMP EBX,5A
00417354 |.^7E D7 \JLE SHORT 1SHIKI.0041732D
00417356 |. 8BC7 MOV EAX,EDI
00417358 |. 5F POP EDI
00417359 |. 5E POP ESI
0041735A |. 5B POP EBX
0041735B |. 83C4 10 ADD ESP,10
0041735E |. C3 RETN
0041735F |> 5F POP EDI
00417360 |. 5E POP ESI
00417361 |. B8 01000000 MOV EAX,1
00417366 |. 5B POP EBX
00417367 |. 83C4 10 ADD ESP,10
0041736A \. C3 RETN
Not far down you will see:
00417338 |. 83F8 05 |CMP EAX,5
0041733B 75 13 JNZ SHORT 1SHIKI.00417350
Scroll down to see what is at 00417350:
00417350 |> 43 |INC EBX
That is not what we are looking for. Look two lines up again:
00417338 |. 83F8 05 |CMP EAX,5
Set a breakpoint and check what EAX is: 5 means a hard disk, 3 means a CD-ROM drive.
0041734E |. 75 0F |JNZ SHORT 1SHIKI.0041735F
Right, this is it.
Change 0041733B 75 13 JNZ SHORT 1SHIKI.00417350
into 0041733B EB 22 JMP SHORT 1SHIKI.0041735F
Without setting a breakpoint, just try running it. OK.
Find the file OFFSET with W32DASM; 0041733B is the RVA.
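The byte arithmetic behind the patches quoted on this page (7538 to EB36 in the RayStorm and RayCrisis sections, 7513 to EB22 here, and the EB24 / EB2C hex edits in the Tomak and Fighting Force sections), as an added example that is not part of the original tutorial: the second byte of a short jump is a signed displacement counted from the next instruction, which is why retargeting by two bytes turns 38 into 36. It goes slightly beyond the page by also decoding the 32-bit near jumps (E9 / 0F 8x) in the listings; the addresses and bytes are the page's own, the function names are mine.

```python
import struct

# Added example, not code from the original tutorial. It reproduces the byte
# arithmetic behind the patches quoted on the page: a short jump is two bytes,
# opcode + signed 8-bit displacement, and the displacement is counted from the
# address of the NEXT instruction (addr + 2). Near jumps (E9 rel32, 0F 8x rel32)
# work the same way with a 32-bit displacement counted from addr + length.

SHORT_OPCODES = {0xEB: "JMP", 0x74: "JE", 0x75: "JNZ", 0x7E: "JLE"}
MNEMONIC_TO_SHORT = {"JMP": 0xEB, "JE": 0x74, "JZ": 0x74, "JNZ": 0x75, "JNE": 0x75}
MASK32 = 0xFFFFFFFF


def decode_short_jump(addr: int, code: bytes) -> tuple[str, int]:
    """Decode the 2-byte short jump at addr; return (mnemonic, absolute target)."""
    if len(code) < 2 or code[0] not in SHORT_OPCODES:
        raise ValueError(f"{code[:2].hex()} is not a short jump this example knows")
    disp = struct.unpack("<b", code[1:2])[0]        # signed: AB decodes to -0x55
    return SHORT_OPCODES[code[0]], (addr + 2 + disp) & MASK32


def decode_near_jump(addr: int, code: bytes) -> tuple[str, int]:
    """Decode E9 rel32 (5 bytes) or 0F 84/85 rel32 (6 bytes) at addr."""
    if code[0] == 0xE9:
        mnem, length = "JMP", 5
    elif code[0] == 0x0F and code[1] in (0x84, 0x85):
        mnem, length = ("JE" if code[1] == 0x84 else "JNZ"), 6
    else:
        raise ValueError("not a near jump this example knows")
    disp = struct.unpack("<i", code[length - 4:length])[0]
    return mnem, (addr + length + disp) & MASK32


def encode_short_jump(mnemonic: str, addr: int, target: int) -> bytes:
    """Encode a short jump at addr to target; refuse targets outside rel8 range."""
    disp = target - (addr + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"{target:08X} is out of short-jump range from {addr:08X}")
    return bytes([MNEMONIC_TO_SHORT[mnemonic.upper()]]) + struct.pack("<b", disp)


# Addresses and original bytes quoted on the page, with the new target chosen there.
PAGE_PATCHES = [
    (0x00408175, "7524", 0x0040819B),  # Tomak: JNE -> JMP, page writes EB24
    (0x0042DF98, "752C", 0x0042DFC6),  # Fighting Force: page writes EB2C
    (0x005949EF, "7538", 0x00594A27),  # RayStorm: JNZ 00594A29 -> JMP 00594A27, EB36
    (0x0041733B, "7513", 0x0041735F),  # shikiEX: JNZ 00417350 -> JMP 0041735F, EB22
]


def check_page_patches() -> list[tuple[str, str, str, str]]:
    """Per patch: (address, original mnemonic, original target, new bytes as hex)."""
    rows = []
    for addr, orig_hex, new_target in PAGE_PATCHES:
        mnem, orig_target = decode_short_jump(addr, bytes.fromhex(orig_hex))
        new_bytes = encode_short_jump("JMP", addr, new_target).hex().upper()
        rows.append((f"{addr:08X}", mnem, f"{orig_target:08X}", new_bytes))
    return rows


if __name__ == "__main__":
    for row in check_page_patches():
        print(" ".join(row))
    # Backward short jump from the RayStorm listing: 00594A37  EB AB  JMP SHORT 005949E4
    print(decode_short_jump(0x00594A37, bytes.fromhex("EBAB")))
    # Near conditional jump from the same listing: 005949DA  0F84 B6000000  JE 00594A96
    print(decode_near_jump(0x005949DA, bytes.fromhex("0F84B6000000")))
```

The CMP EAX,5 in these routines tests the result of Win32 GetDriveTypeA, which returns 3 (DRIVE_FIXED) for a hard disk and 5 (DRIVE_CDROM) for a CD-ROM drive; the EAX=3 seen at the breakpoint is the fixed disk that the loop reaches first.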
2004.10.23
maiweijie
Back at school.