[Original] Tracing a mobile game's registration code
Posted on: 2009-3-17 00:27 7894

[Title]: Tracing a mobile game's registration code
[Author]: wangdell
[Software]: ChessGenius.exe
[Download]: search for it yourself
[Tools used]: IDA, WM5 emulator
[Platform]: WM
[Software description]: chess
[Author's note]: Just out of interest, no other purpose. If I got anything wrong, please correct me!
--------------------------------------------------------------------------------
[Detailed process]
   1. Preparation
    1.1 Open Texttwister.exe in IDA for static analysis.
    1.2 Open ActiveSync; under File => Connection Settings select DMA.
    1.3 Start the Device Emulator Manager that ships with the WM6 SDK, select the Pocket PC 2003 SE emulator and right-click "Connect".
    1.4 Select the Pocket PC 2003 SE emulator and right-click "Cradle". Wait for ActiveSync and the emulator to connect and synchronise.
    1.5 When run on the device, the program immediately prompts for a user name and password to register; if registration fails, a failure message box is shown.
   2. Analysis
    2.1 Locating the key code: in IDA's imports window, look up the references to MessageBoxW, DialogBoxIndirectParamW and similar functions, and combine that with a search of the strings window for the error message text.
  This leads to the registration dialog's handler function, shown below:
  

  .text:000169C4                 LDR     R0, [R4,#0x144] ; hModule
  .text:000169C8                 MOV     R2, #5          ; lpType
  .text:000169CC                 MOV     R1, #0x71       ; lpName
  .text:000169D0                 BL      FindResourceW
  .text:000169D4                 MOV     R1, R0          ; hResInfo
  .text:000169D8                 LDR     R0, [R4,#0x144] ; hModule
  .text:000169DC                 BL      LoadResource
  .text:000169E0                 LDR     R3, =dlgproc1   ; lpDialogFunc
  .text:000169E4                 MOV     R1, R0          ; hDialogTemplate
  .text:000169E8                 LDR     R2, [R4,#0x14C] ; hWndParent
  .text:000169EC                 LDR     R0, [R4,#0x144] ; hInstance
  .text:000169F0                 STR     R6, [SP,#0x24+dwInitParam]
  .text:000169F4                 BL      DialogBoxIndirectParamW
  
  .text:00014134 dlgproc1                                ; DATA XREF: sub_168F0:off_16BA0o
  .text:00014134
  .text:00014134 String          = -0x100
  .text:00014134
  .text:00014134                 STMFD   SP!, {R4-R6,LR}
  .text:00014138                 SUB     SP, SP, #0xF0
  .text:0001413C                 MOV     R5, R0
  .text:00014140                 MOV     R6, #1
  .text:00014144                 CMP     R1, #5
  .text:00014148                 BEQ     loc_1435C
  .text:0001414C                 CMP     R1, #0x14
  .text:00014150                 BEQ     loc_14328
  .text:00014154                 CMP     R1, #0x53
  .text:00014158                 BEQ     loc_14318
  .text:0001415C                 MOV     R3, #WM_INITDIALOG
  .text:00014160                 CMP     R1, R3
  .text:00014164                 BEQ     loc_142D0
  .text:00014168                 MOVL    R3, WM_COMMAND
  .text:00014170                 CMP     R1, R3
  .text:00014174                 BNE     loc_1436C
  .text:00014178                 MOV     R3, R2,LSL#16
  .text:0001417C                 LDR     R4, =unk_336D8
  .text:00014180                 MOV     R6, R3,LSR#16
  .text:00014184                 CMP     R6, #1
  .text:00014188                 BEQ     loc_141FC
  .text:0001418C                 CMP     R6, #0xE6
  .text:00014190                 BEQ     loc_141E4
  .text:00014194                 CMP     R6, #0xE7
  .text:00014198                 BEQ     loc_141C4
  .text:0001419C                 CMP     R6, #0xED
  .text:000141A0                 BEQ     loc_141C4
  .text:000141A4                 CMP     R6, #0xF7
  .text:000141A8                 BNE     loc_1436C
  .text:000141AC
  .text:000141AC loc_141AC                               ; CODE XREF: dlgproc1+ECj
  .text:000141AC                                         ; dlgproc1+16Cj
  .text:000141AC                 MOV     R1, R6
  .text:000141B0                 MOV     R0, R5
  .text:000141B4                 BL      sub_11810
  .text:000141B8                 MOV     R0, #1
  .text:000141BC                 B       loc_1444C
  .text:000141BC ; ---------------------------------------------------------------------------
  .text:000141C0 off_141C0       DCD unk_336D8           ; DATA XREF: dlgproc1+48r
  .text:000141C0                                         ; dlgproc1:loc_142D0r ...
  .text:000141C4 ; ---------------------------------------------------------------------------
  .text:000141C4
  .text:000141C4 loc_141C4                               ; CODE XREF: dlgproc1+64j
  .text:000141C4                                         ; dlgproc1+6Cj
  .text:000141C4                 MOV     R3, R2,LSR#16
  .text:000141C8                 MOV     R2, #0x100
  .text:000141CC                 CMP     R3, R2
  .text:000141D0                 BNE     loc_1436C
  .text:000141D4                 MOV     R1, #0          ; st
  .text:000141D8                 MOV     R0, R5          ; hwnd
  .text:000141DC                 BL      SHSipPreference
  .text:000141E0                 B       loc_1436C
  .text:000141E4 ; ---------------------------------------------------------------------------
  .text:000141E4
  .text:000141E4 loc_141E4                               ; CODE XREF: dlgproc1+5Cj
  .text:000141E4                 MOV     R3, #0xA        ; nMaxCount
  .text:000141E8                 ADD     R2, SP, #0x100+String ; lpString
  .text:000141EC                 MOV     R1, #0xE7       ; nIDDlgItem
  .text:000141F0                 MOV     R0, R5          ; hDlg
  .text:000141F4                 BL      GetDlgItemTextW
  .text:000141F8                 B       loc_14224
  .text:000141FC ; ---------------------------------------------------------------------------
  .text:000141FC
  .text:000141FC loc_141FC                               ; CODE XREF: dlgproc1+54j
  .text:000141FC                 MOV     R3, #0xA        ; nMaxCount
  .text:00014200                 ADD     R2, SP, #0x100+String ; lpString
  .text:00014204                 MOV     R1, #0xE7       ; nIDDlgItem
  .text:00014208                 MOV     R0, R5          ; hDlg
  .text:0001420C                 BL      GetDlgItemTextW
  .text:00014210                 ADD     R0, SP, #0x100+String ; wchar_t *
  .text:00014214                 BL      _wtol
  .text:00014218                 LDR     R1, [R4,#0x58]
  .text:0001421C                 CMP     R1, R0
  .text:00014220                 BEQ     loc_141AC
  .text:00014224
  .text:00014224 loc_14224                               ; CODE XREF: dlgproc1+C4j
  .text:00014224                 ADD     R0, SP, #0x100+String ; wchar_t *
  .text:00014228                 BL      _wtol
  .text:0001422C                 MOV     R3, #0x32       ; nMaxCount
  .text:00014230                 STR     R0, [R4,#0x58]
  .text:00014234                 ADD     R2, SP, #0x100+String ; lpString
  .text:00014238                 STR     R0, [R4,#0x158]
  .text:0001423C                 MOV     R1, #0xED       ; nIDDlgItem
  .text:00014240                 MOV     R0, R5          ; hDlg
  .text:00014244                 BL      GetDlgItemTextW
  .text:00014248                 MOV     R2, #0x32       ; count
  .text:0001424C                 ADD     R1, SP, #0x100+String ; wcstr
  .text:00014250                 ADD     R0, R4, #0x15C  ; mbstr
  .text:00014254                 BL      wcstombs
  .text:00014258                 MOV     R0, #3
  .text:0001425C                 BL      sub_17894
  .text:00014260                 LDR     R0, [R4,#0x158]
  .text:00014264                 CMP     R0, #0
  .text:00014268                 BEQ     loc_142A4
  .text:0001426C                 MOV     R12, #0x15C
  .text:00014270                 LDRSB   R0, [R4,R12]
  .text:00014274                 MOV     R3, R0,LSL#24
  .text:00014278                 MOVS    R3, R3,ASR#24
  .text:0001427C                 BEQ     loc_142A4
  .text:00014280                 MOV     R2, #0
  .text:00014284                 ADD     R1, R4, #0x158  ; code_val
  .text:00014288                 ADD     R0, R4, #0x15C  ; *name
  .text:0001428C                 BL      codecheck
  .text:00014290                 MOVS    R3, R0          ; true/false=1/0
  .text:00014294                 BEQ     loc_142A4
  .text:00014298                 MOV     R0, #1
  .text:0001429C                 BL      sub_17894
  .text:000142A0                 B       loc_141AC
  .text:000142A4 ; ---------------------------------------------------------------------------
  .text:000142A4
  .text:000142A4 loc_142A4                               ; CODE XREF: dlgproc1+134j
  .text:000142A4                                         ; dlgproc1+148j ...
  .text:000142A4                 MOV     R1, #1          ; st
  .text:000142A8                 MOV     R0, R5          ; hwnd
  .text:000142AC                 BL      SHSipPreference
  .text:000142B0                 LDR     R2, =aLicenseKeyNotV ; lpCaption
  .text:000142B4                 MOV     R3, #0x30       ; uType
  .text:000142B8                 LDR     R1, =aIfYouHaveRegis ; lpText
  .text:000142BC                 MOV     R0, R5          ; hWnd
  .text:000142C0                 BL      MessageBoxW
  .text:000142C4                 B       loc_1436C
  .text:000142C4 ; ---------------------------------------------------------------------------
  .text:000142C8 ; LPCWSTR off_142C8
  .text:000142C8 off_142C8       DCD aIfYouHaveRegis     ; DATA XREF: dlgproc1+184r
  .text:000142C8                                         ; "If you have registered please check tha"...
  .text:000142CC ; LPCWSTR off_142CC
  .text:000142CC off_142CC       DCD aLicenseKeyNotV     ; DATA XREF: dlgproc1+17Cr
  .text:000142CC                                         ; "License Key not valid"
  .text:000142D0 ; ---------------------------------------------------------------------------
  .text:000142D0
  .text:000142D0 loc_142D0                               ; CODE XREF: dlgproc1+30j
  .text:000142D0                 LDR     R4, =unk_336D8
  .text:000142D4                 MOV     R0, #0
  .text:000142D8                 MOV     R1, #0
  .text:000142DC                 STR     R0, [R4,#0x58]
  .text:000142E0                 LDR     R0, [R4,#0x158]
  .text:000142E4                 CMP     R0, #0
  .text:000142E8                 MOV     R0, R5
  .text:000142EC                 MOVEQ   R1, #1
  .text:000142F0                 BL      sub_140C4
  .text:000142F4                 MOV     R2, #0x32       ; count
  .text:000142F8                 ADD     R1, R4, #0x15C  ; mbstr
  .text:000142FC                 ADD     R0, SP, #0x100+String ; wcstr
  .text:00014300                 BL      mbstowcs
  .text:00014304                 ADD     R2, SP, #0x100+String ; lpString
  .text:00014308                 MOV     R1, #0xED       ; nIDDlgItem
  .text:0001430C                 MOV     R0, R5          ; hDlg
  .text:00014310                 BL      SetDlgItemTextW
  .text:00014314                 B       loc_1439C
  .text:00014318 ; ---------------------------------------------------------------------------
  .text:00014318
  .text:00014318 loc_14318                               ; CODE XREF: dlgproc1+24j
  .text:00014318                 LDR     R0, =aReg
  .text:0001431C                 BL      sub_11748
  .text:00014320                 B       loc_1436C
  .text:00014320 ; ---------------------------------------------------------------------------
  .text:00014324 off_14324       DCD aReg                ; DATA XREF: dlgproc1:loc_14318r
  .text:00014324                                         ; "Reg"
  .text:00014328 ; ---------------------------------------------------------------------------
  .text:00014328
  .text:00014328 loc_14328                               ; CODE XREF: dlgproc1+1Cj
  .text:00014328                 LDR     R0, =unk_336D8
  .text:0001432C                 LDR     R1, [R0,#0x158]
  .text:00014330                 CMP     R1, #0
  .text:00014334                 BEQ     loc_14350
  .text:00014338                 LDR     R0, [R0,#0x14C] ; hwndRequester
  .text:0001433C                 MOV     R1, #8          ; dwState
  .text:00014340                 BL      SHFullScreen
  .text:00014344                 MOV     R1, #8          ; dwState
  .text:00014348                 MOV     R0, R5          ; hwndRequester
  .text:0001434C                 BL      SHFullScreen
  .text:00014350
  .text:00014350 loc_14350                               ; CODE XREF: dlgproc1+200j
  .text:00014350                 MOV     R0, R5
  .text:00014354                 BL      sub_117C4
  .text:00014358                 B       loc_1436C
  .text:0001435C ; ---------------------------------------------------------------------------
  .text:0001435C
  .text:0001435C loc_1435C                               ; CODE XREF: dlgproc1+14j
  .text:0001435C                 LDR     R4, =unk_336D8
  .text:00014360                 LDR     R0, [R4,#0x158]
  .text:00014364                 CMP     R0, #0
  .text:00014368                 BEQ     loc_14374
  .text:0001436C
  .text:0001436C loc_1436C                               ; CODE XREF: dlgproc1+40j
  .text:0001436C                                         ; dlgproc1+74j ...
  .text:0001436C                 MOV     R0, #0
  .text:00014370                 B       loc_1444C
  .text:00014374 ; ---------------------------------------------------------------------------
  .text:00014374
  .text:00014374 loc_14374                               ; CODE XREF: dlgproc1+234j
  .text:00014374                 MOV     R6, #0x71
  .text:00014378                 BL      sub_1169C
  .text:0001437C                 MOVS    R3, R0
  .text:00014380                 LDR     R0, [R4,#0x144]
  .text:00014384                 MOVNE   R6, #0x72
  .text:00014388                 MOV     R3, R6,LSL#16
  .text:0001438C                 MOV     R2, R3,LSR#16
  .text:00014390                 MOV     R1, R5
  .text:00014394                 BL      sub_11000
  .text:00014398                 MOV     R6, #0
  .text:0001439C
  .text:0001439C loc_1439C                               ; CODE XREF: dlgproc1+1E0j
  .text:0001439C                 LDR     R2, =aChessgeniusVer ; lpString
  .text:000143A0                 MOV     R1, #0xEC       ; nIDDlgItem
  .text:000143A4                 MOV     R0, R5          ; hDlg
  .text:000143A8                 BL      SetDlgItemTextW
  .text:000143AC                 LDR     R0, [R4,#0x158]
  .text:000143B0                 CMP     R0, #0
  .text:000143B4                 BNE     loc_14428
  .text:000143B8                 BL      sub_1187C
  .text:000143BC                 CMP     R0, #4
  .text:000143C0                 BLE     loc_143E0
  .text:000143C4                 MOV     R2, R0
  .text:000143C8                 LDR     R1, =aUnregisteredFo ; lpFormat
  .text:000143CC                 ADD     R0, SP, #0x100+String ; lpBuffer
  .text:000143D0                 BL      wsprintfW
  .text:000143D4                 B       loc_143EC
  .text:000143D4 ; ---------------------------------------------------------------------------
  .text:000143D8 ; LPCWSTR lpFormat
  .text:000143D8 lpFormat        DCD aUnregisteredFo     ; DATA XREF: dlgproc1+294r
  .text:000143D8                                         ; "Unregistered for %d days"
  .text:000143DC ; LPCWSTR lpString
  .text:000143DC lpString        DCD aChessgeniusVer     ; DATA XREF: dlgproc1:loc_1439Cr
  .text:000143DC                                         ; "ChessGenius Version 1.90"
  .text:000143E0 ; ---------------------------------------------------------------------------
  .text:000143E0
  .text:000143E0 loc_143E0                               ; CODE XREF: dlgproc1+28Cj
  .text:000143E0                 LDR     R1, =aUnregistered_0 ; lpFormat
  .text:000143E4                 ADD     R0, SP, #0x100+String ; lpBuffer
  .text:000143E8                 BL      wsprintfW
  .text:000143EC
  .text:000143EC loc_143EC                               ; CODE XREF: dlgproc1+2A0j
  .text:000143EC                 ADD     R2, SP, #0x100+String ; lpString
  .text:000143F0                 MOV     R1, #0xF4       ; nIDDlgItem
  .text:000143F4                 MOV     R0, R5          ; hDlg
  .text:000143F8                 BL      SetDlgItemTextW
  .text:000143FC                 LDR     R2, =aToUnlockTheFul ; lpString
  .text:00014400                 MOV     R1, #0xF3       ; nIDDlgItem
  .text:00014404                 MOV     R0, R5          ; hDlg
  .text:00014408                 BL      SetDlgItemTextW
  .text:0001440C                 LDR     R2, =a2006
  .text:00014410                 LDR     R1, =aCopyrightCSLan
  .text:00014414                 B       loc_14430
  .text:00014414 ; ---------------------------------------------------------------------------
  .text:00014418 off_14418       DCD aCopyrightCSLan     ; DATA XREF: dlgproc1+2DCr
  .text:00014418                                         ; "Copyright (c) %S Lang Software Ltd.\nwww"...
  .text:0001441C off_1441C       DCD a2006               ; DATA XREF: dlgproc1+2D8r
  .text:0001441C                                         ; "2006"
  .text:00014420 ; LPCWSTR off_14420
  .text:00014420 off_14420       DCD aToUnlockTheFul     ; DATA XREF: dlgproc1+2C8r
  .text:00014420                                         ; "To unlock the full features register at"...
  .text:00014424 ; LPCWSTR off_14424
  .text:00014424 off_14424       DCD aUnregistered_0     ; DATA XREF: dlgproc1:loc_143E0r
  .text:00014424                                         ; "Unregistered"
  .text:00014428 ; ---------------------------------------------------------------------------
  .text:00014428
  .text:00014428 loc_14428                               ; CODE XREF: dlgproc1+280j
  .text:00014428                 LDR     R2, =a2006_0
  .text:0001442C                 LDR     R1, =aCopyrightCSL_0 ; lpFormat
  .text:00014430
  .text:00014430 loc_14430                               ; CODE XREF: dlgproc1+2E0j
  .text:00014430                 ADD     R0, SP, #0x100+String ; lpBuffer
  .text:00014434                 BL      wsprintfW
  .text:00014438                 ADD     R2, SP, #0x100+String ; lpString
  .text:0001443C                 MOV     R1, #0xF2       ; nIDDlgItem
  .text:00014440                 MOV     R0, R5          ; hDlg
  .text:00014444                 BL      SetDlgItemTextW
  .text:00014448                 MOV     R0, R6
  .text:0001444C
  .text:0001444C loc_1444C                               ; CODE XREF: dlgproc1+88j
  .text:0001444C                                         ; dlgproc1+23Cj
  .text:0001444C                 ADD     SP, SP, #0xF0
  .text:00014450                 LDMFD   SP!, {R4-R6,PC}
  .text:00014450 ; End of function dlgproc1
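Added here as an analysis aid (not part of the original post): a small Python parser for the IDA ARM listing format above that recovers the message switch at the top of dlgproc1, its BL call sequence, and which dialog control IDs are read with GetDlgItemTextW or written with SetDlgItemTextW. The embedded LISTING is a constructed excerpt of the lines shown above, and WM_NAMES is my own table mapping the raw message numbers to their Win32 names.

```python
import re

# Constructed excerpt of the dlgproc1 listing from the post (enough lines to exercise the parser).
LISTING = """\
.text:00014144                 CMP     R1, #5
.text:0001415C                 MOV     R3, #WM_INITDIALOG
.text:00014160                 CMP     R1, R3
.text:00014168                 MOVL    R3, WM_COMMAND
.text:00014170                 CMP     R1, R3
.text:000141EC                 MOV     R1, #0xE7       ; nIDDlgItem
.text:000141F4                 BL      GetDlgItemTextW
.text:0001423C                 MOV     R1, #0xED       ; nIDDlgItem
.text:00014244                 BL      GetDlgItemTextW
.text:0001428C                 BL      codecheck
.text:000142C0                 BL      MessageBoxW
.text:00014308                 MOV     R1, #0xED       ; nIDDlgItem
.text:00014310                 BL      SetDlgItemTextW
"""

LINE_RE = re.compile(r'^\.text:([0-9A-Fa-f]{8})\s+([A-Za-z]+)\s+(.*?)\s*(?:;.*)?$')
WM_NAMES = {5: 'WM_SIZE', 0x14: 'WM_ERASEBKGND', 0x53: 'WM_HELP', 0x110: 'WM_INITDIALOG', 0x111: 'WM_COMMAND'}

def parse_listing(text):
    """Yield (address, MNEMONIC, [operands]) per instruction line; labels, data and rulers are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m[1], 16), m[2].upper(), [o.strip() for o in m[3].split(',') if o.strip()]

def operand_value(op):
    """'#0xE7' -> 0xE7, '#5' -> 5, '#WM_INITDIALOG' or 'WM_COMMAND' -> the symbol, anything else -> None."""
    op = op.lstrip('#')
    if re.fullmatch(r'0x[0-9A-Fa-f]+|\d+', op):
        return int(op, 0)
    return op if re.fullmatch(r'WM_\w+', op) else None

def summarize_dlgproc(text):
    """Recover the uMsg switch (CMPs against R1 before any call), the BL sequence and control usage."""
    regs, messages, calls, controls = {}, [], [], {}
    for _addr, mnem, ops in parse_listing(text):
        if mnem in ('MOV', 'MOVL') and len(ops) == 2:
            regs[ops[0]] = operand_value(ops[1])          # remember immediates/symbols loaded per register
        elif mnem == 'CMP' and not calls and ops[0] == 'R1':
            val = operand_value(ops[1]) if ops[1].startswith('#') else regs.get(ops[1])
            if val is not None:
                messages.append(WM_NAMES.get(val, val))
        elif mnem == 'BL' and ops:
            target = ops[0]
            calls.append(target)
            ctl = regs.get('R1')                            # R1 carries nIDDlgItem for Get/SetDlgItemTextW
            if target in ('GetDlgItemTextW', 'SetDlgItemTextW') and isinstance(ctl, int):
                controls.setdefault(ctl, set()).add('read' if target[0] == 'G' else 'write')
            regs.clear()                                    # R0-R3 are caller-saved; nothing survives the call
    return messages, calls, controls
```

Calling summarize_dlgproc(LISTING) shows control 0xE7 read once and 0xED both read and written, with codecheck sitting between the second GetDlgItemTextW and the MessageBoxW failure path.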
  

Thanks to wangdell for posting this analysis in the small hours; it is harder again than the previous two game analyses!

Without noticing, I have posted this board's 1000th post. Keep working towards higher goals!
2009-3-17 15:57
Learning from this; very detailed and interesting!
2009-3-31 17:39