【Title】: Tracing the key check in a mobile phone game
【Author】: wangdell
【Software】: ChessGenius.exe
【Download】: search for it yourself
【Tools used】: IDA, WM5 emulator
【Platform】: wm
【Software description】: chess
【Author's statement】: Just out of interest, no other purpose. Corrections to any mistakes are welcome!
--------------------------------------------------------------------------------
【Detailed process】
1. Preparation
1.1 Open Texttwister.exe in IDA for static analysis.
1.2 Start ActiveSync. Under File => Connection Settings, select DMA.
1.3 Start the Device Emulator Manager that ships with the WM6 SDK, select the Pocket PC 2003 SE emulator, right-click "Connect".
1.4 Select the Pocket PC 2003 SE emulator, right-click "Cradle". Wait for ActiveSync and the emulator to connect and synchronise.
1.5 When you run it on the device, it immediately prompts for a user name and password to register; a failed registration shows a failure message box.
2. Analysis
2.1 Locating the key code: look up the references to MessageBoxW, DialogBoxIndirectParamW and similar functions in IDA's imports window, and combine that with searching the strings for the error message. This leads to the registration dialog's handler function, shown below:
.text:000169C4 LDR R0, [R4,#0x144] ; hModule
.text:000169C8 MOV R2, #5 ; lpType
.text:000169CC MOV R1, #0x71 ; lpName
.text:000169D0 BL FindResourceW
.text:000169D4 MOV R1, R0 ; hResInfo
.text:000169D8 LDR R0, [R4,#0x144] ; hModule
.text:000169DC BL LoadResource
.text:000169E0 LDR R3, =dlgproc1 ; lpDialogFunc
.text:000169E4 MOV R1, R0 ; hDialogTemplate
.text:000169E8 LDR R2, [R4,#0x14C] ; hWndParent
.text:000169EC LDR R0, [R4,#0x144] ; hInstance
.text:000169F0 STR R6, [SP,#0x24+dwInitParam]
.text:000169F4 BL DialogBoxIndirectParamW
.text:00014134 dlgproc1 ; DATA XREF: sub_168F0:off_16BA0o
.text:00014134
.text:00014134 String = -0x100
.text:00014134
.text:00014134 STMFD SP!, {R4-R6,LR}
.text:00014138 SUB SP, SP, #0xF0
.text:0001413C MOV R5, R0
.text:00014140 MOV R6, #1
.text:00014144 CMP R1, #5
.text:00014148 BEQ loc_1435C
.text:0001414C CMP R1, #0x14
.text:00014150 BEQ loc_14328
.text:00014154 CMP R1, #0x53
.text:00014158 BEQ loc_14318
.text:0001415C MOV R3, #WM_INITDIALOG
.text:00014160 CMP R1, R3
.text:00014164 BEQ loc_142D0
.text:00014168 MOVL R3, WM_COMMAND
.text:00014170 CMP R1, R3
.text:00014174 BNE loc_1436C
.text:00014178 MOV R3, R2,LSL#16
.text:0001417C LDR R4, =unk_336D8
.text:00014180 MOV R6, R3,LSR#16
.text:00014184 CMP R6, #1
.text:00014188 BEQ loc_141FC
.text:0001418C CMP R6, #0xE6
.text:00014190 BEQ loc_141E4
.text:00014194 CMP R6, #0xE7
.text:00014198 BEQ loc_141C4
.text:0001419C CMP R6, #0xED
.text:000141A0 BEQ loc_141C4
.text:000141A4 CMP R6, #0xF7
.text:000141A8 BNE loc_1436C
.text:000141AC
.text:000141AC loc_141AC ; CODE XREF: dlgproc1+ECj
.text:000141AC ; dlgproc1+16Cj
.text:000141AC MOV R1, R6
.text:000141B0 MOV R0, R5
.text:000141B4 BL sub_11810
.text:000141B8 MOV R0, #1
.text:000141BC B loc_1444C
.text:000141BC ; ---------------------------------------------------------------------------
.text:000141C0 off_141C0 DCD unk_336D8 ; DATA XREF: dlgproc1+48r
.text:000141C0 ; dlgproc1:loc_142D0r ...
.text:000141C4 ; ---------------------------------------------------------------------------
.text:000141C4
.text:000141C4 loc_141C4 ; CODE XREF: dlgproc1+64j
.text:000141C4 ; dlgproc1+6Cj
.text:000141C4 MOV R3, R2,LSR#16
.text:000141C8 MOV R2, #0x100
.text:000141CC CMP R3, R2
.text:000141D0 BNE loc_1436C
.text:000141D4 MOV R1, #0 ; st
.text:000141D8 MOV R0, R5 ; hwnd
.text:000141DC BL SHSipPreference
.text:000141E0 B loc_1436C
.text:000141E4 ; ---------------------------------------------------------------------------
.text:000141E4
.text:000141E4 loc_141E4 ; CODE XREF: dlgproc1+5Cj
.text:000141E4 MOV R3, #0xA ; nMaxCount
.text:000141E8 ADD R2, SP, #0x100+String ; lpString
.text:000141EC MOV R1, #0xE7 ; nIDDlgItem
.text:000141F0 MOV R0, R5 ; hDlg
.text:000141F4 BL GetDlgItemTextW
.text:000141F8 B loc_14224
.text:000141FC ; ---------------------------------------------------------------------------
.text:000141FC
.text:000141FC loc_141FC ; CODE XREF: dlgproc1+54j
.text:000141FC MOV R3, #0xA ; nMaxCount
.text:00014200 ADD R2, SP, #0x100+String ; lpString
.text:00014204 MOV R1, #0xE7 ; nIDDlgItem
.text:00014208 MOV R0, R5 ; hDlg
.text:0001420C BL GetDlgItemTextW
.text:00014210 ADD R0, SP, #0x100+String ; wchar_t *
.text:00014214 BL _wtol
.text:00014218 LDR R1, [R4,#0x58]
.text:0001421C CMP R1, R0
.text:00014220 BEQ loc_141AC
.text:00014224
.text:00014224 loc_14224 ; CODE XREF: dlgproc1+C4j
.text:00014224 ADD R0, SP, #0x100+String ; wchar_t *
.text:00014228 BL _wtol
.text:0001422C MOV R3, #0x32 ; nMaxCount
.text:00014230 STR R0, [R4,#0x58]
.text:00014234 ADD R2, SP, #0x100+String ; lpString
.text:00014238 STR R0, [R4,#0x158]
.text:0001423C MOV R1, #0xED ; nIDDlgItem
.text:00014240 MOV R0, R5 ; hDlg
.text:00014244 BL GetDlgItemTextW
.text:00014248 MOV R2, #0x32 ; count
.text:0001424C ADD R1, SP, #0x100+String ; wcstr
.text:00014250 ADD R0, R4, #0x15C ; mbstr
.text:00014254 BL wcstombs
.text:00014258 MOV R0, #3
.text:0001425C BL sub_17894
.text:00014260 LDR R0, [R4,#0x158]
.text:00014264 CMP R0, #0
.text:00014268 BEQ loc_142A4
.text:0001426C MOV R12, #0x15C
.text:00014270 LDRSB R0, [R4,R12]
.text:00014274 MOV R3, R0,LSL#24
.text:00014278 MOVS R3, R3,ASR#24
.text:0001427C BEQ loc_142A4
.text:00014280 MOV R2, #0
.text:00014284 ADD R1, R4, #0x158 ; code_val
.text:00014288 ADD R0, R4, #0x15C ; *name
.text:0001428C BL codecheck
.text:00014290 MOVS R3, R0 ; true/false=1/0
.text:00014294 BEQ loc_142A4
.text:00014298 MOV R0, #1
.text:0001429C BL sub_17894
.text:000142A0 B loc_141AC
.text:000142A4 ; ---------------------------------------------------------------------------
.text:000142A4
.text:000142A4 loc_142A4 ; CODE XREF: dlgproc1+134j
.text:000142A4 ; dlgproc1+148j ...
.text:000142A4 MOV R1, #1 ; st
.text:000142A8 MOV R0, R5 ; hwnd
.text:000142AC BL SHSipPreference
.text:000142B0 LDR R2, =aLicenseKeyNotV ; lpCaption
.text:000142B4 MOV R3, #0x30 ; uType
.text:000142B8 LDR R1, =aIfYouHaveRegis ; lpText
.text:000142BC MOV R0, R5 ; hWnd
.text:000142C0 BL MessageBoxW
.text:000142C4 B loc_1436C
.text:000142C4 ; ---------------------------------------------------------------------------
.text:000142C8 ; LPCWSTR off_142C8
.text:000142C8 off_142C8 DCD aIfYouHaveRegis ; DATA XREF: dlgproc1+184r
.text:000142C8 ; "If you have registered please check tha"...
.text:000142CC ; LPCWSTR off_142CC
.text:000142CC off_142CC DCD aLicenseKeyNotV ; DATA XREF: dlgproc1+17Cr
.text:000142CC ; "License Key not valid"
.text:000142D0 ; ---------------------------------------------------------------------------
.text:000142D0
.text:000142D0 loc_142D0 ; CODE XREF: dlgproc1+30j
.text:000142D0 LDR R4, =unk_336D8
.text:000142D4 MOV R0, #0
.text:000142D8 MOV R1, #0
.text:000142DC STR R0, [R4,#0x58]
.text:000142E0 LDR R0, [R4,#0x158]
.text:000142E4 CMP R0, #0
.text:000142E8 MOV R0, R5
.text:000142EC MOVEQ R1, #1
.text:000142F0 BL sub_140C4
.text:000142F4 MOV R2, #0x32 ; count
.text:000142F8 ADD R1, R4, #0x15C ; mbstr
.text:000142FC ADD R0, SP, #0x100+String ; wcstr
.text:00014300 BL mbstowcs
.text:00014304 ADD R2, SP, #0x100+String ; lpString
.text:00014308 MOV R1, #0xED ; nIDDlgItem
.text:0001430C MOV R0, R5 ; hDlg
.text:00014310 BL SetDlgItemTextW
.text:00014314 B loc_1439C
.text:00014318 ; ---------------------------------------------------------------------------
.text:00014318
.text:00014318 loc_14318 ; CODE XREF: dlgproc1+24j
.text:00014318 LDR R0, =aReg
.text:0001431C BL sub_11748
.text:00014320 B loc_1436C
.text:00014320 ; ---------------------------------------------------------------------------
.text:00014324 off_14324 DCD aReg ; DATA XREF: dlgproc1:loc_14318r
.text:00014324 ; "Reg"
.text:00014328 ; ---------------------------------------------------------------------------
.text:00014328
.text:00014328 loc_14328 ; CODE XREF: dlgproc1+1Cj
.text:00014328 LDR R0, =unk_336D8
.text:0001432C LDR R1, [R0,#0x158]
.text:00014330 CMP R1, #0
.text:00014334 BEQ loc_14350
.text:00014338 LDR R0, [R0,#0x14C] ; hwndRequester
.text:0001433C MOV R1, #8 ; dwState
.text:00014340 BL SHFullScreen
.text:00014344 MOV R1, #8 ; dwState
.text:00014348 MOV R0, R5 ; hwndRequester
.text:0001434C BL SHFullScreen
.text:00014350
.text:00014350 loc_14350 ; CODE XREF: dlgproc1+200j
.text:00014350 MOV R0, R5
.text:00014354 BL sub_117C4
.text:00014358 B loc_1436C
.text:0001435C ; ---------------------------------------------------------------------------
.text:0001435C
.text:0001435C loc_1435C ; CODE XREF: dlgproc1+14j
.text:0001435C LDR R4, =unk_336D8
.text:00014360 LDR R0, [R4,#0x158]
.text:00014364 CMP R0, #0
.text:00014368 BEQ loc_14374
.text:0001436C
.text:0001436C loc_1436C ; CODE XREF: dlgproc1+40j
.text:0001436C ; dlgproc1+74j ...
.text:0001436C MOV R0, #0
.text:00014370 B loc_1444C
.text:00014374 ; ---------------------------------------------------------------------------
.text:00014374
.text:00014374 loc_14374 ; CODE XREF: dlgproc1+234j
.text:00014374 MOV R6, #0x71
.text:00014378 BL sub_1169C
.text:0001437C MOVS R3, R0
.text:00014380 LDR R0, [R4,#0x144]
.text:00014384 MOVNE R6, #0x72
.text:00014388 MOV R3, R6,LSL#16
.text:0001438C MOV R2, R3,LSR#16
.text:00014390 MOV R1, R5
.text:00014394 BL sub_11000
.text:00014398 MOV R6, #0
.text:0001439C
.text:0001439C loc_1439C ; CODE XREF: dlgproc1+1E0j
.text:0001439C LDR R2, =aChessgeniusVer ; lpString
.text:000143A0 MOV R1, #0xEC ; nIDDlgItem
.text:000143A4 MOV R0, R5 ; hDlg
.text:000143A8 BL SetDlgItemTextW
.text:000143AC LDR R0, [R4,#0x158]
.text:000143B0 CMP R0, #0
.text:000143B4 BNE loc_14428
.text:000143B8 BL sub_1187C
.text:000143BC CMP R0, #4
.text:000143C0 BLE loc_143E0
.text:000143C4 MOV R2, R0
.text:000143C8 LDR R1, =aUnregisteredFo ; lpFormat
.text:000143CC ADD R0, SP, #0x100+String ; lpBuffer
.text:000143D0 BL wsprintfW
.text:000143D4 B loc_143EC
.text:000143D4 ; ---------------------------------------------------------------------------
.text:000143D8 ; LPCWSTR lpFormat
.text:000143D8 lpFormat DCD aUnregisteredFo ; DATA XREF: dlgproc1+294r
.text:000143D8 ; "Unregistered for %d days"
.text:000143DC ; LPCWSTR lpString
.text:000143DC lpString DCD aChessgeniusVer ; DATA XREF: dlgproc1:loc_1439Cr
.text:000143DC ; "ChessGenius Version 1.90"
.text:000143E0 ; ---------------------------------------------------------------------------
.text:000143E0
.text:000143E0 loc_143E0 ; CODE XREF: dlgproc1+28Cj
.text:000143E0 LDR R1, =aUnregistered_0 ; lpFormat
.text:000143E4 ADD R0, SP, #0x100+String ; lpBuffer
.text:000143E8 BL wsprintfW
.text:000143EC
.text:000143EC loc_143EC ; CODE XREF: dlgproc1+2A0j
.text:000143EC ADD R2, SP, #0x100+String ; lpString
.text:000143F0 MOV R1, #0xF4 ; nIDDlgItem
.text:000143F4 MOV R0, R5 ; hDlg
.text:000143F8 BL SetDlgItemTextW
.text:000143FC LDR R2, =aToUnlockTheFul ; lpString
.text:00014400 MOV R1, #0xF3 ; nIDDlgItem
.text:00014404 MOV R0, R5 ; hDlg
.text:00014408 BL SetDlgItemTextW
.text:0001440C LDR R2, =a2006
.text:00014410 LDR R1, =aCopyrightCSLan
.text:00014414 B loc_14430
.text:00014414 ; ---------------------------------------------------------------------------
.text:00014418 off_14418 DCD aCopyrightCSLan ; DATA XREF: dlgproc1+2DCr
.text:00014418 ; "Copyright (c) %S Lang Software Ltd.\nwww"...
.text:0001441C off_1441C DCD a2006 ; DATA XREF: dlgproc1+2D8r
.text:0001441C ; "2006"
.text:00014420 ; LPCWSTR off_14420
.text:00014420 off_14420 DCD aToUnlockTheFul ; DATA XREF: dlgproc1+2C8r
.text:00014420 ; "To unlock the full features register at"...
.text:00014424 ; LPCWSTR off_14424
.text:00014424 off_14424 DCD aUnregistered_0 ; DATA XREF: dlgproc1:loc_143E0r
.text:00014424 ; "Unregistered"
.text:00014428 ; ---------------------------------------------------------------------------
.text:00014428
.text:00014428 loc_14428 ; CODE XREF: dlgproc1+280j
.text:00014428 LDR R2, =a2006_0
.text:0001442C LDR R1, =aCopyrightCSL_0 ; lpFormat
.text:00014430
.text:00014430 loc_14430 ; CODE XREF: dlgproc1+2E0j
.text:00014430 ADD R0, SP, #0x100+String ; lpBuffer
.text:00014434 BL wsprintfW
.text:00014438 ADD R2, SP, #0x100+String ; lpString
.text:0001443C MOV R1, #0xF2 ; nIDDlgItem
.text:00014440 MOV R0, R5 ; hDlg
.text:00014444 BL SetDlgItemTextW
.text:00014448 MOV R0, R6
.text:0001444C
.text:0001444C loc_1444C ; CODE XREF: dlgproc1+88j
.text:0001444C ; dlgproc1+23Cj
.text:0001444C ADD SP, SP, #0xF0
.text:00014450 LDMFD SP!, {R4-R6,PC}
.text:00014450 ; End of function dlgproc1
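As an added illustration (not code from the post or from ChessGenius), here is the IDOK path of dlgproc1 above (loc_141FC -> loc_14224 -> loc_142A4) rewritten as a Python model, so the order of checks in the listing can be read off: the key text goes through _wtol, is stored at [R4+0x58]/[R4+0x158] before it is validated, and codecheck is only reached with a non-zero key and a non-empty name. codecheck itself is not on the page, so it is an assumed callable; wtol is my reimplementation of the C runtime's _wtol.

```python
# Added model of dlgproc1's WM_COMMAND/IDOK handling, reconstructed from the IDA
# listing; not the game's source. `codecheck` is unknown and supplied by the caller.

MAX_KEY_CHARS = 0xA - 1    # GetDlgItemTextW nMaxCount 0xA  -> at most 9 characters copied
MAX_NAME_CHARS = 0x32 - 1  # GetDlgItemTextW nMaxCount 0x32 -> at most 49 characters copied


def wtol(s: str) -> int:
    """Mimic _wtol: skip leading whitespace, optional sign, leading digits; 0 if none."""
    i, n, sign = 0, len(s), 1
    while i < n and s[i].isspace():
        i += 1
    if i < n and s[i] in "+-":
        sign = -1 if s[i] == "-" else 1
        i += 1
    val = 0
    while i < n and s[i].isdigit():
        val = val * 10 + (ord(s[i]) - ord("0"))
        i += 1
    return sign * val


def on_ok(key_text: str, name_text: str, codecheck, state: dict) -> str:
    """IDOK branch. `state` models the unk_336D8 block:
    'code' = [R4+0x58], 'code_val' = [R4+0x158], 'name' = [R4+0x15C]."""
    key = wtol(key_text[:MAX_KEY_CHARS])            # GetDlgItemTextW(0xE7) + _wtol
    if key == state["code"]:                         # CMP R1, R0 / BEQ loc_141AC
        return "closed"                              # unchanged key: dialog just closes
    state["code"] = state["code_val"] = key          # STR R0,[R4,#0x58]; STR R0,[R4,#0x158]
    state["name"] = name_text[:MAX_NAME_CHARS]       # GetDlgItemTextW(0xED) + wcstombs
    if state["code_val"] == 0:                       # LDR R0,[R4,#0x158]; CMP R0,#0
        return "License Key not valid"               # -> loc_142A4: MessageBoxW
    if not state["name"]:                            # LDRSB first byte of name; BEQ loc_142A4
        return "License Key not valid"
    if not codecheck(state["name"], state["code_val"]):  # MOVS R3, R0; BEQ loc_142A4
        return "License Key not valid"
    return "registered"                              # sub_17894(1); B loc_141AC
```

Because the key is written to the state block before codecheck runs, a second IDOK with the same (rejected) key takes the "closed" branch rather than repeating the message box, exactly as the CMP at 0x1421C implies.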