[Original] Tracing the registration code of a mobile-phone game
Posted: 2009-3-17 00:27 (8059 views)

【Title】: Tracing the registration code of a mobile-phone game
【Author】: wangdell
【Software】: ChessGenius.exe
【Download】: search for it yourself
【Tools】: IDA, WM5 emulator
【Platform】: Windows Mobile
【Software description】: chess
【Author's statement】: Done purely out of interest, for no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
   1. Preparation
    1.1 Open ChessGenius.exe in IDA for static analysis.
    1.2 Start ActiveSync; under File => Connection Settings, select DMA.
    1.3 Start the Device Emulator Manager that ships with the WM6 SDK, select the Pocket PC 2003 SE emulator and right-click "Connect".
    1.4 Select the Pocket PC 2003 SE emulator again and right-click "Cradle". Wait for ActiveSync and the emulator to connect and synchronise.
    1.5 Run the program on the emulator: it immediately asks for a user name and a key and prompts you to register; a failed registration shows a failure message box.
   2. Analysis
    2.1 Locating the key code: in IDA's Imports window, follow the references to MessageBoxW, DialogBoxIndirectParamW and similar functions,
  and combine that with a search for the error message in the Strings window. This leads to the code that opens the registration dialog and to its dialog procedure, shown below:

.text:000169C4                 LDR     R0, [R4,#0x144] ; hModule
.text:000169C8                 MOV     R2, #5          ; lpType
.text:000169CC                 MOV     R1, #0x71       ; lpName
.text:000169D0                 BL      FindResourceW
.text:000169D4                 MOV     R1, R0          ; hResInfo
.text:000169D8                 LDR     R0, [R4,#0x144] ; hModule
.text:000169DC                 BL      LoadResource
.text:000169E0                 LDR     R3, =dlgproc1   ; lpDialogFunc
.text:000169E4                 MOV     R1, R0          ; hDialogTemplate
.text:000169E8                 LDR     R2, [R4,#0x14C] ; hWndParent
.text:000169EC                 LDR     R0, [R4,#0x144] ; hInstance
.text:000169F0                 STR     R6, [SP,#0x24+dwInitParam]
.text:000169F4                 BL      DialogBoxIndirectParamW
.text:00014134 dlgproc1                                ; DATA XREF: sub_168F0:off_16BA0o
.text:00014134
.text:00014134 String          = -0x100
.text:00014134
.text:00014134                 STMFD   SP!, {R4-R6,LR}
.text:00014138                 SUB     SP, SP, #0xF0
.text:0001413C                 MOV     R5, R0
.text:00014140                 MOV     R6, #1
.text:00014144                 CMP     R1, #5
.text:00014148                 BEQ     loc_1435C
.text:0001414C                 CMP     R1, #0x14
.text:00014150                 BEQ     loc_14328
.text:00014154                 CMP     R1, #0x53
.text:00014158                 BEQ     loc_14318
.text:0001415C                 MOV     R3, #WM_INITDIALOG
.text:00014160                 CMP     R1, R3
.text:00014164                 BEQ     loc_142D0
.text:00014168                 MOVL    R3, WM_COMMAND
.text:00014170                 CMP     R1, R3
.text:00014174                 BNE     loc_1436C
.text:00014178                 MOV     R3, R2,LSL#16
.text:0001417C                 LDR     R4, =unk_336D8
.text:00014180                 MOV     R6, R3,LSR#16
.text:00014184                 CMP     R6, #1
.text:00014188                 BEQ     loc_141FC
.text:0001418C                 CMP     R6, #0xE6
.text:00014190                 BEQ     loc_141E4
.text:00014194                 CMP     R6, #0xE7
.text:00014198                 BEQ     loc_141C4
.text:0001419C                 CMP     R6, #0xED
.text:000141A0                 BEQ     loc_141C4
.text:000141A4                 CMP     R6, #0xF7
.text:000141A8                 BNE     loc_1436C
.text:000141AC
.text:000141AC loc_141AC                               ; CODE XREF: dlgproc1+ECj
.text:000141AC                                         ; dlgproc1+16Cj
.text:000141AC                 MOV     R1, R6
.text:000141B0                 MOV     R0, R5
.text:000141B4                 BL      sub_11810
.text:000141B8                 MOV     R0, #1
.text:000141BC                 B       loc_1444C
.text:000141BC ; ---------------------------------------------------------------------------
.text:000141C0 off_141C0       DCD unk_336D8           ; DATA XREF: dlgproc1+48r
.text:000141C0                                         ; dlgproc1:loc_142D0r ...
.text:000141C4 ; ---------------------------------------------------------------------------
.text:000141C4
.text:000141C4 loc_141C4                               ; CODE XREF: dlgproc1+64j
.text:000141C4                                         ; dlgproc1+6Cj
.text:000141C4                 MOV     R3, R2,LSR#16
.text:000141C8                 MOV     R2, #0x100
.text:000141CC                 CMP     R3, R2
.text:000141D0                 BNE     loc_1436C
.text:000141D4                 MOV     R1, #0          ; st
.text:000141D8                 MOV     R0, R5          ; hwnd
.text:000141DC                 BL      SHSipPreference
.text:000141E0                 B       loc_1436C
.text:000141E4 ; ---------------------------------------------------------------------------
.text:000141E4
.text:000141E4 loc_141E4                               ; CODE XREF: dlgproc1+5Cj
.text:000141E4                 MOV     R3, #0xA        ; nMaxCount
.text:000141E8                 ADD     R2, SP, #0x100+String ; lpString
.text:000141EC                 MOV     R1, #0xE7       ; nIDDlgItem
.text:000141F0                 MOV     R0, R5          ; hDlg
.text:000141F4                 BL      GetDlgItemTextW
.text:000141F8                 B       loc_14224
.text:000141FC ; ---------------------------------------------------------------------------
.text:000141FC
.text:000141FC loc_141FC                               ; CODE XREF: dlgproc1+54j
.text:000141FC                 MOV     R3, #0xA        ; nMaxCount
.text:00014200                 ADD     R2, SP, #0x100+String ; lpString
.text:00014204                 MOV     R1, #0xE7       ; nIDDlgItem
.text:00014208                 MOV     R0, R5          ; hDlg
.text:0001420C                 BL      GetDlgItemTextW
.text:00014210                 ADD     R0, SP, #0x100+String ; wchar_t *
.text:00014214                 BL      _wtol
.text:00014218                 LDR     R1, [R4,#0x58]
.text:0001421C                 CMP     R1, R0
.text:00014220                 BEQ     loc_141AC
.text:00014224
.text:00014224 loc_14224                               ; CODE XREF: dlgproc1+C4j
.text:00014224                 ADD     R0, SP, #0x100+String ; wchar_t *
.text:00014228                 BL      _wtol
.text:0001422C                 MOV     R3, #0x32       ; nMaxCount
.text:00014230                 STR     R0, [R4,#0x58]
.text:00014234                 ADD     R2, SP, #0x100+String ; lpString
.text:00014238                 STR     R0, [R4,#0x158]
.text:0001423C                 MOV     R1, #0xED       ; nIDDlgItem
.text:00014240                 MOV     R0, R5          ; hDlg
.text:00014244                 BL      GetDlgItemTextW
.text:00014248                 MOV     R2, #0x32       ; count
.text:0001424C                 ADD     R1, SP, #0x100+String ; wcstr
.text:00014250                 ADD     R0, R4, #0x15C  ; mbstr
.text:00014254                 BL      wcstombs
.text:00014258                 MOV     R0, #3
.text:0001425C                 BL      sub_17894
.text:00014260                 LDR     R0, [R4,#0x158]
.text:00014264                 CMP     R0, #0
.text:00014268                 BEQ     loc_142A4
.text:0001426C                 MOV     R12, #0x15C
.text:00014270                 LDRSB   R0, [R4,R12]
.text:00014274                 MOV     R3, R0,LSL#24
.text:00014278                 MOVS    R3, R3,ASR#24
.text:0001427C                 BEQ     loc_142A4
.text:00014280                 MOV     R2, #0
.text:00014284                 ADD     R1, R4, #0x158  ; code_val
.text:00014288                 ADD     R0, R4, #0x15C  ; *name
.text:0001428C                 BL      codecheck
.text:00014290                 MOVS    R3, R0          ; true/false=1/0
.text:00014294                 BEQ     loc_142A4
.text:00014298                 MOV     R0, #1
.text:0001429C                 BL      sub_17894
.text:000142A0                 B       loc_141AC
.text:000142A4 ; ---------------------------------------------------------------------------
.text:000142A4
.text:000142A4 loc_142A4                               ; CODE XREF: dlgproc1+134j
.text:000142A4                                         ; dlgproc1+148j ...
.text:000142A4                 MOV     R1, #1          ; st
.text:000142A8                 MOV     R0, R5          ; hwnd
.text:000142AC                 BL      SHSipPreference
.text:000142B0                 LDR     R2, =aLicenseKeyNotV ; lpCaption
.text:000142B4                 MOV     R3, #0x30       ; uType
.text:000142B8                 LDR     R1, =aIfYouHaveRegis ; lpText
.text:000142BC                 MOV     R0, R5          ; hWnd
.text:000142C0                 BL      MessageBoxW
.text:000142C4                 B       loc_1436C
.text:000142C4 ; ---------------------------------------------------------------------------
.text:000142C8 ; LPCWSTR off_142C8
.text:000142C8 off_142C8       DCD aIfYouHaveRegis     ; DATA XREF: dlgproc1+184r
.text:000142C8                                         ; "If you have registered please check tha"...
.text:000142CC ; LPCWSTR off_142CC
.text:000142CC off_142CC       DCD aLicenseKeyNotV     ; DATA XREF: dlgproc1+17Cr
.text:000142CC                                         ; "License Key not valid"
.text:000142D0 ; ---------------------------------------------------------------------------
.text:000142D0
.text:000142D0 loc_142D0                               ; CODE XREF: dlgproc1+30j
.text:000142D0                 LDR     R4, =unk_336D8
.text:000142D4                 MOV     R0, #0
.text:000142D8                 MOV     R1, #0
.text:000142DC                 STR     R0, [R4,#0x58]
.text:000142E0                 LDR     R0, [R4,#0x158]
.text:000142E4                 CMP     R0, #0
.text:000142E8                 MOV     R0, R5
.text:000142EC                 MOVEQ   R1, #1
.text:000142F0                 BL      sub_140C4
.text:000142F4                 MOV     R2, #0x32       ; count
.text:000142F8                 ADD     R1, R4, #0x15C  ; mbstr
.text:000142FC                 ADD     R0, SP, #0x100+String ; wcstr
.text:00014300                 BL      mbstowcs
.text:00014304                 ADD     R2, SP, #0x100+String ; lpString
.text:00014308                 MOV     R1, #0xED       ; nIDDlgItem
.text:0001430C                 MOV     R0, R5          ; hDlg
.text:00014310                 BL      SetDlgItemTextW
.text:00014314                 B       loc_1439C
.text:00014318 ; ---------------------------------------------------------------------------
.text:00014318
.text:00014318 loc_14318                               ; CODE XREF: dlgproc1+24j
.text:00014318                 LDR     R0, =aReg
.text:0001431C                 BL      sub_11748
.text:00014320                 B       loc_1436C
.text:00014320 ; ---------------------------------------------------------------------------
.text:00014324 off_14324       DCD aReg                ; DATA XREF: dlgproc1:loc_14318r
.text:00014324                                         ; "Reg"
.text:00014328 ; ---------------------------------------------------------------------------
.text:00014328
.text:00014328 loc_14328                               ; CODE XREF: dlgproc1+1Cj
.text:00014328                 LDR     R0, =unk_336D8
.text:0001432C                 LDR     R1, [R0,#0x158]
.text:00014330                 CMP     R1, #0
.text:00014334                 BEQ     loc_14350
.text:00014338                 LDR     R0, [R0,#0x14C] ; hwndRequester
.text:0001433C                 MOV     R1, #8          ; dwState
.text:00014340                 BL      SHFullScreen
.text:00014344                 MOV     R1, #8          ; dwState
.text:00014348                 MOV     R0, R5          ; hwndRequester
.text:0001434C                 BL      SHFullScreen
.text:00014350
.text:00014350 loc_14350                               ; CODE XREF: dlgproc1+200j
.text:00014350                 MOV     R0, R5
.text:00014354                 BL      sub_117C4
.text:00014358                 B       loc_1436C
.text:0001435C ; ---------------------------------------------------------------------------
.text:0001435C
.text:0001435C loc_1435C                               ; CODE XREF: dlgproc1+14j
.text:0001435C                 LDR     R4, =unk_336D8
.text:00014360                 LDR     R0, [R4,#0x158]
.text:00014364                 CMP     R0, #0
.text:00014368                 BEQ     loc_14374
.text:0001436C
.text:0001436C loc_1436C                               ; CODE XREF: dlgproc1+40j
.text:0001436C                                         ; dlgproc1+74j ...
.text:0001436C                 MOV     R0, #0
.text:00014370                 B       loc_1444C
.text:00014374 ; ---------------------------------------------------------------------------
.text:00014374
.text:00014374 loc_14374                               ; CODE XREF: dlgproc1+234j
.text:00014374                 MOV     R6, #0x71
.text:00014378                 BL      sub_1169C
.text:0001437C                 MOVS    R3, R0
.text:00014380                 LDR     R0, [R4,#0x144]
.text:00014384                 MOVNE   R6, #0x72
.text:00014388                 MOV     R3, R6,LSL#16
.text:0001438C                 MOV     R2, R3,LSR#16
.text:00014390                 MOV     R1, R5
.text:00014394                 BL      sub_11000
.text:00014398                 MOV     R6, #0
.text:0001439C
.text:0001439C loc_1439C                               ; CODE XREF: dlgproc1+1E0j
.text:0001439C                 LDR     R2, =aChessgeniusVer ; lpString
.text:000143A0                 MOV     R1, #0xEC       ; nIDDlgItem
.text:000143A4                 MOV     R0, R5          ; hDlg
.text:000143A8                 BL      SetDlgItemTextW
.text:000143AC                 LDR     R0, [R4,#0x158]
.text:000143B0                 CMP     R0, #0
.text:000143B4                 BNE     loc_14428
.text:000143B8                 BL      sub_1187C
.text:000143BC                 CMP     R0, #4
.text:000143C0                 BLE     loc_143E0
.text:000143C4                 MOV     R2, R0
.text:000143C8                 LDR     R1, =aUnregisteredFo ; lpFormat
.text:000143CC                 ADD     R0, SP, #0x100+String ; lpBuffer
.text:000143D0                 BL      wsprintfW
.text:000143D4                 B       loc_143EC
.text:000143D4 ; ---------------------------------------------------------------------------
.text:000143D8 ; LPCWSTR lpFormat
.text:000143D8 lpFormat        DCD aUnregisteredFo     ; DATA XREF: dlgproc1+294r
.text:000143D8                                         ; "Unregistered for %d days"
.text:000143DC ; LPCWSTR lpString
.text:000143DC lpString        DCD aChessgeniusVer     ; DATA XREF: dlgproc1:loc_1439Cr
.text:000143DC                                         ; "ChessGenius Version 1.90"
.text:000143E0 ; ---------------------------------------------------------------------------
.text:000143E0
.text:000143E0 loc_143E0                               ; CODE XREF: dlgproc1+28Cj
.text:000143E0                 LDR     R1, =aUnregistered_0 ; lpFormat
.text:000143E4                 ADD     R0, SP, #0x100+String ; lpBuffer
.text:000143E8                 BL      wsprintfW
.text:000143EC
.text:000143EC loc_143EC                               ; CODE XREF: dlgproc1+2A0j
.text:000143EC                 ADD     R2, SP, #0x100+String ; lpString
.text:000143F0                 MOV     R1, #0xF4       ; nIDDlgItem
.text:000143F4                 MOV     R0, R5          ; hDlg
.text:000143F8                 BL      SetDlgItemTextW
.text:000143FC                 LDR     R2, =aToUnlockTheFul ; lpString
.text:00014400                 MOV     R1, #0xF3       ; nIDDlgItem
.text:00014404                 MOV     R0, R5          ; hDlg
.text:00014408                 BL      SetDlgItemTextW
.text:0001440C                 LDR     R2, =a2006
.text:00014410                 LDR     R1, =aCopyrightCSLan
.text:00014414                 B       loc_14430
.text:00014414 ; ---------------------------------------------------------------------------
.text:00014418 off_14418       DCD aCopyrightCSLan     ; DATA XREF: dlgproc1+2DCr
.text:00014418                                         ; "Copyright (c) %S Lang Software Ltd.\nwww"...
.text:0001441C off_1441C       DCD a2006               ; DATA XREF: dlgproc1+2D8r
.text:0001441C                                         ; "2006"
.text:00014420 ; LPCWSTR off_14420
.text:00014420 off_14420       DCD aToUnlockTheFul     ; DATA XREF: dlgproc1+2C8r
.text:00014420                                         ; "To unlock the full features register at"...
.text:00014424 ; LPCWSTR off_14424
.text:00014424 off_14424       DCD aUnregistered_0     ; DATA XREF: dlgproc1:loc_143E0r
.text:00014424                                         ; "Unregistered"
.text:00014428 ; ---------------------------------------------------------------------------
.text:00014428
.text:00014428 loc_14428                               ; CODE XREF: dlgproc1+280j
.text:00014428                 LDR     R2, =a2006_0
.text:0001442C                 LDR     R1, =aCopyrightCSL_0 ; lpFormat
.text:00014430
.text:00014430 loc_14430                               ; CODE XREF: dlgproc1+2E0j
.text:00014430                 ADD     R0, SP, #0x100+String ; lpBuffer
.text:00014434                 BL      wsprintfW
.text:00014438                 ADD     R2, SP, #0x100+String ; lpString
.text:0001443C                 MOV     R1, #0xF2       ; nIDDlgItem
.text:00014440                 MOV     R0, R5          ; hDlg
.text:00014444                 BL      SetDlgItemTextW
.text:00014448                 MOV     R0, R6
.text:0001444C
.text:0001444C loc_1444C                               ; CODE XREF: dlgproc1+88j
.text:0001444C                                         ; dlgproc1+23Cj
.text:0001444C                 ADD     SP, SP, #0xF0
.text:00014450                 LDMFD   SP!, {R4-R6,PC}
.text:00014450 ; End of function dlgproc1
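The listing above shows where the analysis of step 2.1 leads: all three failure paths in the WM_COMMAND handler branch to loc_142A4, the block that loads "License Key not valid" / "If you have registered please check tha..." and calls MessageBoxW. Reading backwards from that block, the checks are that the number parsed from control 0xE7 and stored at [R4+0x158] is non-zero, that the first byte of the name copied to [R4+0x15C] is non-zero, and that codecheck(name, &code_val, 0) returns non-zero. The script below, added here as an example and not part of wangdell's post, automates exactly that "walk back from the error box" step on an IDA text listing: it finds the block that calls the chosen API, lists the string symbols referenced in it, and for every conditional branch into it reports the flag-setting instruction and a backward register slice to the instruction that produced the tested value. The embedded input is a constructed excerpt of the dlgproc1 lines reproduced on this page; the regexes assume IDA's classic `.text:ADDR` text layout, and the operand model is deliberately crude (first register is the destination, a call returns its result in R0, conditional execution such as MOVEQ is not treated as flag-setting).

```python
import re
import itertools
from dataclasses import dataclass

# Constructed sample: the check-and-fail stretch of dlgproc1 as listed on this page.
LISTING = """\
.text:00014260                 LDR     R0, [R4,#0x158]
.text:00014264                 CMP     R0, #0
.text:00014268                 BEQ     loc_142A4
.text:00014270                 LDRSB   R0, [R4,R12]
.text:00014274                 MOV     R3, R0,LSL#24
.text:00014278                 MOVS    R3, R3,ASR#24
.text:0001427C                 BEQ     loc_142A4
.text:00014284                 ADD     R1, R4, #0x158  ; code_val
.text:00014288                 ADD     R0, R4, #0x15C  ; *name
.text:0001428C                 BL      codecheck
.text:00014290                 MOVS    R3, R0          ; true/false=1/0
.text:00014294                 BEQ     loc_142A4
.text:000142A4 loc_142A4                               ; CODE XREF: dlgproc1+134j
.text:000142B0                 LDR     R2, =aLicenseKeyNotV ; lpCaption
.text:000142B8                 LDR     R1, =aIfYouHaveRegis ; lpText
.text:000142C0                 BL      MessageBoxW
"""

INSN_RE = re.compile(r"^\.text:([0-9A-F]{8})\s{2,}([A-Z][A-Z0-9]*)\s*([^;]*?)\s*(?:;.*)?$")
LABEL_RE = re.compile(r"^\.text:([0-9A-F]{8}) (\w+)\s*(?:;.*)?$")
BRANCH_RE = re.compile(r"^B(L|X)?(EQ|NE|CS|HS|CC|LO|MI|PL|VS|VC|HI|LS|GE|LT|GT|LE)?$")
REG_RE = re.compile(r"\b(R\d+|SP|LR|PC)\b")
NO_DEST = {"CMP", "CMN", "TST", "TEQ", "STR", "STRB", "STRH", "STMFD"}  # first register is not written


@dataclass
class Line:            # one parsed listing line: a block label (mnem == "") or an instruction
    addr: int
    label: str = ""
    mnem: str = ""
    ops: str = ""      # operands with IDA's trailing "; comment" stripped


def parse_listing(text):
    """Keep instruction and label lines; comment, DCD and bare address lines are dropped."""
    out = []
    for raw in text.splitlines():
        if m := INSN_RE.match(raw):
            out.append(Line(int(m[1], 16), mnem=m[2], ops=m[3]))
        elif m := LABEL_RE.match(raw):
            out.append(Line(int(m[1], 16), label=m[2]))
    return out


def sets_flags(mnem):  # CMP family, or an S-suffixed data op (MOVS, ADDS...); B<cond> is a branch
    return mnem in {"CMP", "CMN", "TST", "TEQ"} or (mnem.endswith("S") and not BRANCH_RE.match(mnem))


def reads_writes(ln):
    """Crude operand model: the first register is the destination unless the op writes none."""
    regs = REG_RE.findall(ln.ops)
    if ln.mnem in NO_DEST or BRANCH_RE.match(ln.mnem):
        return set(regs), None
    return set(regs[1:]), (regs[0] if regs else None)


def backward_slice(lines, i):
    """Instructions in the same basic block that produced the value tested at index i."""
    live, _ = reads_writes(lines[i])
    trace = []
    for ln in lines[i - 1::-1]:
        if not ln.mnem or ln.mnem in ("B", "BX"):  # reached the block's label or the previous block
            break
        reads, dest = (set(), "R0") if ln.mnem == "BL" else reads_writes(ln)  # AAPCS: result in R0
        if dest in live:
            trace.append(ln)
            live.discard(dest)
            if not ln.mnem.startswith("LDR"):      # a load is a source: do not chase the address regs
                live |= reads
        if not live:
            break
    return trace[::-1]


def failure_block(lines, api):
    """Label heading the basic block that calls `api`."""
    i = next(i for i, ln in enumerate(lines) if ln.mnem == "BL" and ln.ops == api)
    return next(x.label for x in lines[i::-1] if x.label)


def strings_in_block(lines, label):
    """Data references (LDR Rn, =sym) in the block headed by `label`: the error-text breadcrumbs."""
    start = next(i for i, ln in enumerate(lines) if ln.label == label) + 1
    body = itertools.takewhile(lambda ln: not ln.label, lines[start:])
    return [s for ln in body for s in re.findall(r"=(\w+)", ln.ops)]


def guards_for(lines, target):
    """Conditional branches into `target`, each with its flag-setting test and that test's slice."""
    found = []
    for i, ln in enumerate(lines):
        m = BRANCH_RE.match(ln.mnem)
        if not (m and m[1] is None and m[2] and ln.ops == target):
            continue
        j = i - 1
        while j >= 0 and lines[j].mnem and not sets_flags(lines[j].mnem):
            j -= 1
        if j >= 0 and lines[j].mnem:               # flag setter found inside this block
            found.append({"branch": ln.addr, "cond": m[2], "test": f"{lines[j].mnem} {lines[j].ops}",
                          "feeds": [f"{x.mnem} {x.ops}" for x in backward_slice(lines, j)]})
    return found


def trace_check(listing=LISTING, api="MessageBoxW"):
    """Find the failure block around `api` and list the conditions that lead into it."""
    lines = parse_listing(listing)
    block = failure_block(lines, api)
    return {"block": block, "strings": strings_in_block(lines, block), "guards": guards_for(lines, block)}
```

Run `trace_check()` (or feed it a full function dump copied from IDA's text view) and it returns loc_142A4 as the failure block, the two message symbols loaded there, and three EQ-branches: `CMP R0, #0` fed by the load from [R4,#0x158], `MOVS R3, R3,ASR#24` fed by the LDRSB of the name's first byte, and `MOVS R3, R0` fed by `BL codecheck`. The last entry is the one to pursue next, since codecheck is where name and code are actually related.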

Latest replies (2)
Thanks to wangdell for posting this analysis in the small hours; the difficulty has gone up again compared with the previous two game analyses!

Without meaning to, this turned out to be the 1000th post in this section. Keep at it, and aim higher!
2009-3-17 15:57
Learned something; very detailed and interesting!
2009-3-31 17:39