[Original] <Newbie Training Camp, Game Madness Edition: "If You're a Man, Survive 20 Seconds">
Posted: 2008-6-10 05:50 4812

Preface:
I happened to notice a little game on my computer... opened it and had a go.... haha, died very quickly... my best record was 10 seconds... I've been studying recently, so I tried out what I had just learned. After going round in circles a few times, I finally reached the goal......

Enough chatter, on to the main topic.

Goal:

Modify the collision detection.... (feeling evil....)

1. Check the packer (ASPack 2.12 -> Alexey Solodovnikov)

2. Unpack (nothing found *[TASM / MASM (31 ms)]) (T____T what a master, when will I ever reach that level...)

3. For convenience, first change some of the strings to English, e.g. the game-over message... Searching for "Enter" in UE locates the spot.

4. Now for real: load it in OD first...

00402000  /$  6905 005C4000>IMUL EAX,DWORD PTR DS:[405C00],343FD
0040200A  |.  05 C39E2600   ADD EAX,269EC3
0040200F  |.  A3 005C4000   MOV DWORD PTR DS:[405C00],EAX
00402014  |.  C1F8 10       SAR EAX,10
00402017  |.  25 FF7F0000   AND EAX,7FFF
0040201C  \.  C3            RETN
0040201D      90            NOP
0040201E      90            NOP
0040201F      90            NOP
00402020 > $  53            PUSH EBX <----------------- after loading you land here
00402021   .  83C4 E4       ADD ESP,-1C
00402024   .  6A 00         PUSH 0                                   ; /pModule = NULL
00402026   .  E8 C7270000   CALL <JMP.&kernel32.GetModuleHandleA>    ; \GetModuleHandleA
0040202B   .  A3 D8694000   MOV DWORD PTR DS:[4069D8],EAX
00402030   .  E8 D3010000   CALL 是男人就.00402208
00402035   .  85C0          TEST EAX,EAX
00402037   .  75 20         JNZ SHORT 是男人就.00402059
00402039   .  6A 10         PUSH 10                                  ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0040203B   .  68 515C4000   PUSH 是男人就.00405C51                       ; |Title = "摿孭"
00402040   .  68 3E5C4000   PUSH 是男人就.00405C3E                       ; |Text = "僂僀儞僪僂嶌惉幐攕"
00402045   .  6A 00         PUSH 0                                   ; |hOwner = NULL
00402047   .  E8 F4270000   CALL <JMP.&user32.MessageBoxA>           ; \MessageBoxA
0040204C   .  C74424 08 010>MOV DWORD PTR SS:[ESP+8],1
00402054   .  E9 B5000000   JMP 是男人就.0040210E
00402059   >  E8 12010000   CALL 是男人就.00402170
0040205E   .  8BD8          MOV EBX,EAX  

  

Look through the APIs.... and set breakpoints on the suspicious ones.. [the imports start at 0x4047C8; find gdi32.TextOutA in there and break on it]

When the game ends, it displays an "awesomeness" rating in the format %d%% ~ let's use that as the entry point!

After F9, press Enter to start the game, and then....... CPU at 100%, the game goes to a white screen; after pressing Enter a few times.. something appears.. (forgot what), and then the breakpoint hits..

77EFBA3F >  8BFF            MOV EDI,EDI                              ; 是男人就.00405C5D <---- after F8 you land here, GDI32 territory
77EFBA41    55              PUSH EBP
77EFBA42    8BEC            MOV EBP,ESP
77EFBA44    33C0            XOR EAX,EAX
77EFBA46    3945 18         CMP DWORD PTR SS:[EBP+18],EAX
77EFBA49    0F8E 82350100   JLE GDI32.77F0EFD1
77EFBA4F    3945 14         CMP DWORD PTR SS:[EBP+14],EAX
77EFBA52    0F84 87350100   JE GDI32.77F0EFDF
77EFBA58    6A 01           PUSH 1
77EFBA5A    50              PUSH EAX
77EFBA5B    FF75 18         PUSH DWORD PTR SS:[EBP+18]
77EFBA5E    FF75 14         PUSH DWORD PTR SS:[EBP+14]
77EFBA61    50              PUSH EAX
77EFBA62    50              PUSH EAX
77EFBA63    FF75 10         PUSH DWORD PTR SS:[EBP+10]
77EFBA66    FF75 0C         PUSH DWORD PTR SS:[EBP+C]
77EFBA69    FF75 08         PUSH DWORD PTR SS:[EBP+8]
77EFBA6C    E8 B7CEFFFF     CALL GDI32.77EF8928
77EFBA71    5D              POP EBP
77EFBA72    C2 1400         RETN 14  ;<------- F4 here
 
0040292E  |.  6A 00         PUSH 0                                   ; |XStart = 0
00402930  |.  8B15 E8694000 MOV EDX,DWORD PTR DS:[4069E8]            ; |
00402936  |.  52            PUSH EDX                                 ; |hDC => 4A011A40
00402937  |.  E8 4C1F0000   CALL <JMP.&gdi32.TextOutA>               ; \TextOutA
0040293C  |.  8B4C24 04     MOV ECX,DWORD PTR SS:[ESP+4]           ;<--------- after F7 you land here, game territory
00402940  |.  51            PUSH ECX                                 ; /hObject
00402941  |.  A1 E8694000   MOV EAX,DWORD PTR DS:[4069E8]            ; |
00402946  |.  50            PUSH EAX                                 ; |hDC => 4A011A40
00402947  |.  E8 5A1F0000   CALL <JMP.&gdi32.SelectObject>           ; \SelectObject
0040294C  |.  56            PUSH ESI                                 ; /hObject
0040294D  |.  E8 721F0000   CALL <JMP.&gdi32.DeleteObject>           ; \DeleteObject
00402952  |.  55            PUSH EBP                                 ; /hDC
00402953  |.  8B5424 04     MOV EDX,DWORD PTR SS:[ESP+4]             ; |
00402957  |.  52            PUSH EDX                                 ; |hWnd
00402958  |.  E8 CB1E0000   CALL <JMP.&user32.ReleaseDC>             ; \ReleaseDC 


OK, from here let's look for our entry point...

The game's text data starts at 0x403B70.

00403D84  /$  53            PUSH EBX      ;<----- CALL to 00403D84
00403D85  |.  56            PUSH ESI
00403D86  |.  57            PUSH EDI
00403D87  |.  55            PUSH EBP
00403D88  |.  81C4 ECFEFFFF ADD ESP,-114
00403D8E  |.  8BDA          MOV EBX,EDX
00403D90  |.  8BE8          MOV EBP,EAX
00403D92  |.  C705 74634000>MOV DWORD PTR DS:[406374],50
00403D9C  |.  68 74634000   PUSH 是男人就.00406374                       ; /pLogfont = 是男人就.00406374
00403DA1  |.  E8 2A0B0000   CALL <JMP.&gdi32.CreateFontIndirectA>    ; \CreateFontIndirectA
00403DA6  |.  8BF0          MOV ESI,EAX
00403DA8  |.  C705 74634000>MOV DWORD PTR DS:[406374],10
00403DB2  |.  68 74634000   PUSH 是男人就.00406374                       ; /pLogfont = 是男人就.00406374
00403DB7  |.  E8 140B0000   CALL <JMP.&gdi32.CreateFontIndirectA>    ; \CreateFontIndirectA
00403DBC  |.  8BF8          MOV EDI,EAX
00403DBE  |.  56            PUSH ESI                                 ; /hObject
00403DBF  |.  A1 E4694000   MOV EAX,DWORD PTR DS:[4069E4]            ; |
00403DC4  |.  50            PUSH EAX                                 ; |hDC => B9010DE5
00403DC5  |.  E8 DC0A0000   CALL <JMP.&gdi32.SelectObject>           ; \SelectObject
00403DCA  |.  890424        MOV DWORD PTR SS:[ESP],EAX
00403DCD  |.  68 FFFFFF00   PUSH 0FFFFFF                             ; /Color = <WHITE>
00403DD2  |.  8B15 E4694000 MOV EDX,DWORD PTR DS:[4069E4]            ; |
00403DD8  |.  52            PUSH EDX                                 ; |hDC => B9010DE5
00403DD9  |.  E8 B00A0000   CALL <JMP.&gdi32.SetTextColor>           ; \SetTextColor
00403DDE  |.  6A 01         PUSH 1                                   ; /BkMode = TRANSPARENT
00403DE0  |.  8B0D E4694000 MOV ECX,DWORD PTR DS:[4069E4]            ; |
00403DE6  |.  51            PUSH ECX                                 ; |hDC => B9010DE5
00403DE7  |.  E8 AE0A0000   CALL <JMP.&gdi32.SetBkMode>              ; \SetBkMode
00403DEC  |.  33C0          XOR EAX,EAX
00403DEE  |.  33D2          XOR EDX,EDX
00403DF0  |.  894424 04     MOV DWORD PTR SS:[ESP+4],EAX
00403DF4  |.  895424 08     MOV DWORD PTR SS:[ESP+8],EDX
00403DF8  |.  C74424 0C 400>MOV DWORD PTR SS:[ESP+C],140
00403E00  |.  C74424 10 780>MOV DWORD PTR SS:[ESP+10],78
00403E08  |.  68 25080000   PUSH 825                                 ; /Flags = DT_CENTER|DT_VCENTER|DT_SINGLELINE|DT_NOPREFIX
00403E0D  |.  8D4C24 08     LEA ECX,DWORD PTR SS:[ESP+8]             ; |
00403E11  |.  51            PUSH ECX                                 ; |pRect
00403E12  |.  6A 04         PUSH 4                                   ; |Count = 4
00403E14  |.  A1 E4694000   MOV EAX,DWORD PTR DS:[4069E4]            ; |
00403E19  |.  68 255D4000   PUSH 是男人就.00405D25                       ; |Text = "Over" <------- this is the string I modified
00403E1E  |.  50            PUSH EAX                                 ; |hDC => B9010DE5
00403E1F  |.  E8 3A0A0000   CALL <JMP.&user32.DrawTextA>             ; \DrawTextA
00403E24  |.  8B5424 10     MOV EDX,DWORD PTR SS:[ESP+10]  


Search for "CALL 00403D84", which brings us to 0x40464A; from there keep looking upwards.

00404589  |.  5F            POP EDI
0040458A  |.  5E            POP ESI
0040458B  |.  5B            POP EBX
0040458C  \.  C3            RETN
0040458D      90            NOP
0040458E      90            NOP
0040458F      90            NOP
00404590      53            PUSH EBX                                 ;<-------- you arrive here
00404591  |.  83C4 E4       ADD ESP,-1C
00404594  |.  8BD8          MOV EBX,EAX
00404596  |.  6A 01         PUSH 1                                   ; /Show = TRUE
00404598  |.  E8 85020000   CALL <JMP.&user32.ShowCursor>            ; \ShowCursor
0040459D  |.  833D CC6D4000>CMP DWORD PTR DS:[406DCC],0
004045A4  |.  74 0D         JE SHORT 是男人就.004045B3
004045A6  |.  6A 20         PUSH 20                                  ; /Priority = NORMAL_PRIORITY_CLASS
004045A8  |.  E8 51020000   CALL <JMP.&kernel32.GetCurrentProcess>   ; |[GetCurrentProcess
004045AD  |.  50            PUSH EAX                                 ; |hProcess
004045AE  |.  E8 27020000   CALL <JMP.&kernel32.SetPriorityClass>    ; \SetPriorityClass
004045B3  |>  6A 00         PUSH 0                                   ; /Priority = THREAD_PRIORITY_NORMAL
004045B5  |.  E8 3E020000   CALL <JMP.&kernel32.GetCurrentThread>    ; |[GetCurrentThread 
 


Next, search for "call 00404590"

00402D59  |.  5E            POP ESI
00402D5A  |.  5B            POP EBX
00402D5B  \.  C3            RETN
00402D5C  /$  4A            DEC EDX
00402D5D  |.  75 05         JNZ SHORT 是男人就.00402D64
00402D5F  |.  E8 2C180000   CALL 是男人就.00404590    ;<----- you arrive here
00402D64  \>  C3            RETN
00402D65      90            NOP
00402D66      90            NOP
00402D67      90            NOP
00402D68  /$  53            PUSH EBX 


After modifying the code here, the game still goes Over... which means we have gone too far... so back up. Return to the "call 00404590" location.

004045DC  |.  33D2          XOR EDX,EDX
004045DE  |.  8915 006A4000 MOV DWORD PTR DS:[406A00],EDX
004045E4  |>  33C9          XOR ECX,ECX
004045E6  |.  890D A46D4000 MOV DWORD PTR DS:[406DA4],ECX
004045EC  |>  6A 01         /PUSH 1                                  ; /RemoveMsg = PM_REMOVE
004045EE  |.  68 08010000   |PUSH 108                                ; |MsgFilterMax = MSG(108)
004045F3  |.  68 00010000   |PUSH 100                                ; |MsgFilterMin = WM_KEYDOWN <-- my god! this is it!
004045F8  |.  53            |PUSH EBX                                ; |hWnd
004045F9  |.  8D4424 10     |LEA EAX,DWORD PTR SS:[ESP+10]           ; |
004045FD  |.  50            |PUSH EAX                                ; |pMsg
004045FE  |.  E8 37020000   |CALL <JMP.&user32.PeekMessageA>         ; \PeekMessageA
00404603  |.  85C0          |TEST EAX,EAX
00404605  |.^ 75 E5         \JNZ SHORT 是男人就.004045EC                     ;<------ loops back to 0x004045EC here
00404607  |.  8B15 806D4000 MOV EDX,DWORD PTR DS:[406D80]
0040460D      85D2          TEST EDX,EDX 
 

 

004045EE  |.  68 08010000   |PUSH 108                                ; |MsgFilterMax = MSG(108)
004045F3  |.  68 00010000   |PUSH 100                                ; |MsgFilterMin = WM_KEYDOWN
004045F8  |.  53            |PUSH EBX                                ; |hWnd
004045F9  |.  8D4424 10     |LEA EAX,DWORD PTR SS:[ESP+10]           ; |
004045FD  |.  50            |PUSH EAX                                ; |pMsg
004045FE  |.  E8 37020000   |CALL <JMP.&user32.PeekMessageA>         ; \PeekMessageA
00404603      85C0          TEST EAX,EAX
00404605    ^ 75 E5         JNZ SHORT 是男人就.004045EC
00404607      8B15 806D4000 MOV EDX,DWORD PTR DS:[406D80]
0040460D      85D2          TEST EDX,EDX
0040460F      74 40         JE SHORT 是男人就.00404651                   ;  the problem is right here
00404611  |.  68 2000CC00   PUSH 0CC0020                             ; /ROP = SRCCOPY
00404616  |.  6A 00         PUSH 0                                   ; |YSrc = 0
00404618  |.  6A 00         PUSH 0                                   ; |XSrc = 0
0040461A  |.  8B0D E0694000 MOV ECX,DWORD PTR DS:[4069E0]            ; |
00404620  |.  51            PUSH ECX                                 ; |hSrcDC => 27010F05
00404621  |.  68 F0000000   PUSH 0F0                                 ; |Height = F0 (240.)
00404626  |.  68 40010000   PUSH 140                                 ; |Width = 140 (320.)
0040462B  |.  6A 00         PUSH 0                                   ; |YDest = 0
0040462D  |.  6A 00         PUSH 0                                   ; |XDest = 0
0040462F  |.  A1 E4694000   MOV EAX,DWORD PTR DS:[4069E4]            ; | 


If this JE SHORT 00404651 is changed to RETN, the game closes by itself after Over; with JNE, the game returns to the start screen.....

Looking further up:

00404590      53            PUSH EBX                                 ;<------ cut in starting from here!
00404591  |.  83C4 E4       ADD ESP,-1C
00404594  |.  8BD8          MOV EBX,EAX
00404596  |.  6A 01         PUSH 1                                   ; /Show = TRUE
00404598  |.  E8 85020000   CALL <JMP.&user32.ShowCursor>            ; \ShowCursor
0040459D  |.  833D CC6D4000>CMP DWORD PTR DS:[406DCC],0


Go to the "CALL 00404590" location.

004035F9  |. /EB 0F          JMP SHORT 是男人就.0040360A
004035FB  |> |BA 002C0100    MOV EDX,12C00
00403600  |. |A1 FC694000    MOV EAX,DWORD PTR DS:[4069FC]
00403605  |. |E8 4AEBFFFF    CALL 是男人就.00402154
0040360A  |> \E8 ADF9FFFF    CALL 是男人就.00402FBC
0040360F  |.  A1 806D4000    MOV EAX,DWORD PTR DS:[406D80]
00403614  |.  85C0           TEST EAX,EAX
00403616      75 3B          JE SHORT 是男人就.00403653          ;<---------- this handles the collision check
00403618  |.  83F8 11        CMP EAX,11
0040361B      75 17          JNZ SHORT 是男人就.00403634
0040361D  |.  33D2           XOR EDX,EDX
0040361F  |.  8915 906D4000  MOV DWORD PTR DS:[406D90],EDX
00403625  |.  A1 DC694000    MOV EAX,DWORD PTR DS:[4069DC]
0040362A  |.  E8 610F0000    CALL 是男人就.00404590               ;<--------- this is where the call goes in.
0040362F  |.  E9 83040000    JMP 是男人就.00403AB7
00403634  |>  8B15 806D4000  MOV EDX,DWORD PTR DS:[406D80]
0040363A  |.  0FB71455 125C4>MOVZX EDX,WORD PTR DS:[EDX*2+405C12]
00403642  |.  81C2 00504000  ADD EDX,是男人就.00405000
00403648  |.  FF05 806D4000  INC DWORD PTR DS:[406D80]
0040364E  |.  E9 92010000    JMP 是男人就.004037E5
00403653  |>  FF05 886D4000  INC DWORD PTR DS:[406D88]
00403659  |.  A1 7C6D4000    MOV EAX,DWORD PTR DS:[406D7C]
0040365E  |.  A8 08          TEST AL,8
00403660  |.  0F95C2         SETNE DL
00403663  |.  83E2 01        AND EDX,1 


Here, change "JE SHORT 00403653" to "JNZ SHORT 00403653", and the collision-detection modification is done....... (you can keep playing like this forever... heavens)
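A byte-level view of the JE -> JNZ flip used above, as an added example that is not part of the original post: the decoder recomputes the short-jump targets OllyDbg printed in the listings (addresses and bytes are taken from the post, function names are mine) and shows that inverting the condition changes only the low bit of the opcode, so the displacement and target stay the same.

```python
# Added example (not from the original post): decode the two-byte short jumps
# quoted in the OllyDbg listings and show what the JE -> JNZ flip does at the
# byte level.  Addresses/bytes come from the post; function names are mine.
import struct

# Short-jump opcodes that appear in the post.  For the Jcc family (0x70-0x7F)
# the complementary condition is always opcode ^ 1 (0x74 JE <-> 0x75 JNZ).
SHORT_JUMPS = {0x74: "JE", 0x75: "JNZ", 0xEB: "JMP"}


def decode_short_jump(address, code):
    """Return (mnemonic, target) for a 2-byte short jump located at `address`.

    The displacement is a signed 8-bit value relative to the address of the
    *next* instruction, i.e. target = address + 2 + rel8.
    """
    if len(code) != 2:
        raise ValueError("short jumps are exactly two bytes")
    opcode = code[0]
    if opcode not in SHORT_JUMPS:
        raise ValueError(f"unsupported opcode {opcode:#04x}")
    rel8 = struct.unpack("<b", code[1:2])[0]      # signed, -128..127
    return SHORT_JUMPS[opcode], (address + 2 + rel8) & 0xFFFFFFFF


def invert_condition(code):
    """Flip a conditional short jump to its complement (JE <-> JNZ).

    Only the low bit of the opcode changes; the displacement, and with it the
    target, is untouched, which is why a one-byte patch suffices.
    """
    if not 0x70 <= code[0] <= 0x7F:
        raise ValueError("not a conditional short jump")
    return bytes([code[0] ^ 1, code[1]])


# Jumps quoted in the post: (address, raw bytes, target OllyDbg printed).
# JE SHORT encodes as 74 3B; the post's listing already shows the patched 75.
POST_JUMPS = [
    (0x4045A4, b"\x74\x0D", 0x4045B3),   # JE  SHORT 004045B3
    (0x402D5D, b"\x75\x05", 0x402D64),   # JNZ SHORT 00402D64
    (0x404605, b"\x75\xE5", 0x4045EC),   # JNZ back into the PeekMessage loop
    (0x40460F, b"\x74\x40", 0x404651),   # JE  SHORT 00404651 ("the problem")
    (0x4035F9, b"\xEB\x0F", 0x40360A),   # JMP SHORT 0040360A
    (0x403616, b"\x74\x3B", 0x403653),   # JE  SHORT 00403653 (collision check)
]


def verify_post_jumps():
    """Decode every quoted jump and confirm it lands where OllyDbg said."""
    return all(decode_short_jump(a, c)[1] == t for a, c, t in POST_JUMPS)
```

Running `decode_short_jump(0x403616, invert_condition(b"\x74\x3B"))` yields `("JNZ", 0x403653)`: the same target the original JE had, which is exactly the patch the post applies.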

Closing:

Finally...... that wasn't easy!!! Can this count as an "essence" post......
PS: I am a man..... but the furthest I ever got was 10 seconds.... does that still count??

Latest replies (6)
#2
Doesn't meet the bar yet; keep at it.
Also, when copyright-related algorithms are involved and the target is domestically produced software, no "essence" rating is given.
2008-6-10 09:17
#3
Keep working at it, hehe
2008-6-10 09:40
#4
Seems to have a bug

2008-6-10 11:24
#5
With the OP's modification, the survival time is clearly wrong..
2008-6-10 11:32
#6
Well..........
2008-6-10 16:56
#7
I've uploaded my modified version~~~~
Attachments:
2008-6-10 16:56