【Title】: A simple analysis of a certain game bot (外挂)
【Author】: lorde
【Software】: game bot
【Download】: search for it yourself
【Packer】: Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
【Protection】: Armadillo 3.78 - 4.xx -> Silicon Realms
【Tools】: PEiD, OllyDbg, etc.
【Platform】: WinXP SP3
【Description】: a 脱机 (client-less) bot for a certain game; its feature set is very powerful.
【Author's note】: Done purely out of interest, for no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Details】
The game's official servers have been gone for years, but quite a few private servers still exist, and the bot can no longer log in directly. A cracked version of an older release exists. Personally I think the author's anti-cracking approach is very good;
corrections from the experts are welcome where I got things wrong.
1. PEiD identifies the packer: Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
2. Unpack and optimize. The result runs.
3. PEiD now identifies the compiler as Microsoft Visual C++ 7.0.
4. Load it into OllyDbg. Search the string references; several pieces of information turn up.
1) "0000ff异常的操作系统,请检查" (abnormal operating system, please check) appears in several places.
2) "0000ee验证资料异常" (verification data abnormal) appears in several places.
These look like the key points. I set breakpoints and ran the program; it started up without hitting any of them, so the verification evidently only happens when logging in to the game. I tried logging in to a private server and it failed: it needs the dedicated 快手 launcher to work,
so I downloaded a private-server package and logged in locally.
Login: "connection successful, XXX, about to log in to [xxx,xx]"; after N seconds a "server actively disconnected" message threw me out.
The string search gave N hits; I set breakpoints, traced, and found this code:
00402813 |> \A1 24BF4800 ||mov eax, dword ptr [48BF24]
00402818 |. 50 ||push eax ; /hEvent => NULL
00402819 |. FF15 08064700 ||call dword ptr [<&WS2_32.WSAResetEv>; \WSAResetEvent
0040281F |. 8B0D 1CBF4800 ||mov ecx, dword ptr [48BF1C]
00402825 |. 51 ||push ecx ; /hEvent => NULL
00402826 |. FF15 08064700 ||call dword ptr [<&WS2_32.WSAResetEv>; \WSAResetEvent
0040282C |. 8B55 98 ||mov edx, dword ptr [ebp-68]
0040282F |. 66:C782 E0490>||mov word ptr [edx+49E0], 2
00402838 |. 66:A1 CC91480>||mov ax, word ptr [4891CC]
0040283E |. 50 ||push eax ; /NetShort
0040283F |. FF15 10064700 ||call dword ptr [<&WS2_32.#9>] ; \ntohs
00402845 |. 8B4D 98 ||mov ecx, dword ptr [ebp-68]
00402848 |. 66:8981 E2490>||mov word ptr [ecx+49E2], ax
0040284F |. 8B55 98 ||mov edx, dword ptr [ebp-68]
00402852 |. A1 C8914800 ||mov eax, dword ptr [4891C8]
00402857 |. 8982 E4490000 ||mov dword ptr [edx+49E4], eax
0040285D |. 6A 10 ||push 10 ; /AddrLen = 10 (16.)
0040285F |. 8B4D 98 ||mov ecx, dword ptr [ebp-68] ; |
00402862 |. 81C1 E0490000 ||add ecx, 49E0 ; |
00402868 |. 51 ||push ecx ; |pSockAddr
00402869 |. 8B15 08BF4800 ||mov edx, dword ptr [48BF08] ; |
0040286F |. 52 ||push edx ; |Socket => 0
00402870 |. FF15 18064700 ||call dword ptr [<&WS2_32.#4>] ; \connect
00402876 |. 83F8 FF ||cmp eax, -1
00402879 75 1A jnz short 00402895
[4891CC] is the server port and [4891C8] the server address. Change them to local values. Option 1: set up a local server; option 2: jump straight to the verification part. Being lazy, I chose option 2 and jumped
over it.
This brings us here:
00402233 |> \6A 00 |push 0 ; /Flags = 0
00402235 |. 68 80000000 |push 80 ; |BufSize = 80 (128.)
0040223A |. 8B4D 98 |mov ecx, dword ptr [ebp-68] ; |
0040223D |. 81C1 80000000 |add ecx, 80 ; |
00402243 |. 51 |push ecx ; |Buffer
00402244 |. 8B15 08BF4800 |mov edx, dword ptr [48BF08] ; |
0040224A |. 52 |push edx ; |Socket => 0
0040224B |. FF15 54064700 |call dword ptr [<&WS2_32.#16>] ; \recv
00402251 8945 A8 mov dword ptr [ebp-58], eax
00402254 837D A8 0E cmp dword ptr [ebp-58], 0E
00402258 7C 0F jl short 00402269
0040225A 8B45 98 mov eax, dword ptr [ebp-68]
0040225D 0FB788 800000>movzx ecx, word ptr [eax+80]
00402264 394D A8 cmp dword ptr [ebp-58], ecx
00402267 74 1B je short 00402284
00402269 |> 68 182D4700 |push 00472D18 ; 0000ee验证资料异常
0040226E |. 6A 00 |push 0
00402270 |. B9 00C36B00 |mov ecx, 006BC300
00402275 |. E8 86BD0100 |call 0041E000
0040227A |. B8 F8FFFFFF |mov eax, -8
0040227F |. E9 E5060000 |jmp 00402969
00402284 |> 8B55 A8 |mov edx, dword ptr [ebp-58]
00402287 |. 52 |push edx
00402288 |. 8B45 98 |mov eax, dword ptr [ebp-68]
0040228B |. 05 80410000 |add eax, 4180
00402290 |. 50 |push eax
00402291 |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
00402294 |. 81C1 80000000 |add ecx, 80
0040229A |. 51 |push ecx
0040229B |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
0040229E |. E8 BD5B0000 |call 00407E60
004022A3 |. 8B55 98 |mov edx, dword ptr [ebp-68]
004022A6 |. 0FB782 864100>|movzx eax, word ptr [edx+4186]
004022AD |. 8945 94 |mov dword ptr [ebp-6C], eax
004022B0 817D 94 0E0E0>cmp dword ptr [ebp-6C], 0E0E
004022B7 0F84 A3010000 |je 00402460
004022BD |. 817D 94 01EE0>|cmp dword ptr [ebp-6C], 0EE01
004022C4 |. 74 05 |je short 004022CB
004022C6 |. E9 F0010000 |jmp 004024BB
004022CB |> 837D A8 30 |cmp dword ptr [ebp-58], 30
004022CF |. 75 0F |jnz short 004022E0
004022D1 |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
004022D4 0FB791 804100>movzx edx, word ptr [ecx+4180]
004022DB 3B55 A8 cmp edx, dword ptr [ebp-58]
004022DE 74 1B je short 004022FB
004022E0 |> 68 2C2D4700 |push 00472D2C ; 0000ee验证资料异常
004022E5 |. 6A 00 |push 0
004022E7 |. B9 00C36B00 |mov ecx, 006BC300
004022EC |. E8 0FBD0100 |call 0041E000
004022F1 |. B8 F8FFFFFF |mov eax, -8
004022F6 |. E9 6E060000 |jmp 00402969
004022FB |> 8B45 98 |mov eax, dword ptr [ebp-68]
004022FE |. 05 88410000 |add eax, 4188
00402303 |. 50 |push eax
00402304 |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
00402307 |. 81C1 80490000 |add ecx, 4980
0040230D |. 51 |push ecx
0040230E |. E8 0D620400 |call 00448520
00402313 |. 83C4 08 |add esp, 8
00402316 85C0 test eax, eax
00402318 75 20 jnz short 0040233A
0040231A 8B55 98 mov edx, dword ptr [ebp-68]
0040231D 83BA A8410000>cmp dword ptr [edx+41A8], 1
00402324 7C 14 |jl short 0040233A
00402326 |. 8B45 98 |mov eax, dword ptr [ebp-68]
00402329 |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
0040232C 8B90 9C410000 mov edx, dword ptr [eax+419C]
00402332 3B91 C8490000 cmp edx, dword ptr [ecx+49C8]
00402338 74 1B je short 00402355
0040233A |> 68 402D4700 |push 00472D40 ; 0000ee验证资料异常
0040233F |. 6A 00 |push 0
00402341 |. B9 00C36B00 |mov ecx, 006BC300
00402346 |. E8 B5BC0100 |call 0041E000
0040234B |. B8 F8FFFFFF |mov eax, -8
00402350 |. E9 14060000 |jmp 00402969
00402355 |> 8B45 98 |mov eax, dword ptr [ebp-68]
00402358 |. 05 40490000 |add eax, 4940
0040235D |. 50 |push eax
0040235E |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
00402361 |. E8 6ACE0000 |call 0040F1D0
00402366 |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
00402369 3981 98410000 cmp dword ptr [ecx+4198], eax
0040236F 74 1B je short 0040238C
00402371 |. 68 542D4700 |push 00472D54 ; 0000ee所选择的角色和注册不同
00402376 |. 6A 00 |push 0
00402378 |. B9 00C36B00 |mov ecx, 006BC300
0040237D |. E8 7EBC0100 |call 0041E000
00402382 |. B8 F8FFFFFF |mov eax, -8
00402387 |. E9 DD050000 |jmp 00402969
0040238C |> 8B55 98 |mov edx, dword ptr [ebp-68]
0040238F |. 8B82 A8410000 |mov eax, dword ptr [edx+41A8]
00402395 |. 99 |cdq
00402396 |. B9 18000000 |mov ecx, 18
0040239B |. F7F9 |idiv ecx
0040239D |. 52 |push edx
0040239E |. 8B55 98 |mov edx, dword ptr [ebp-68]
004023A1 |. 8B82 A8410000 |mov eax, dword ptr [edx+41A8]
004023A7 |. 99 |cdq
004023A8 |. B9 18000000 |mov ecx, 18
004023AD |. F7F9 |idiv ecx
004023AF |. 50 |push eax
004023B0 |. 68 742D4700 |push 00472D74 ; ff0000验证成功,还有%d天%d小时可用
Tracing shows that the game's data is compared against data from the server: packet validity, server address validity, the software's expiry period, and the user name and character name.
Jump over it and gloat at "verification succeeded, XXX days XX hours remaining". Then try the features: the coordinate display is wrong, the character cannot move and stays in place, and auto-hunting does not attack monsters.
So there are hidden checks (暗桩). What is the data below used for? Suspicious; let's check it.
004023B5 |. 8B55 98 |mov edx, dword ptr [ebp-68]
004023B8 |. 81C2 00470000 |add edx, 4700
004023BE |. 52 |push edx
004023BF |. E8 E66A0400 |call 00448EAA
004023C4 |. 83C4 10 |add esp, 10
004023C7 |. 8B45 98 |mov eax, dword ptr [ebp-68]
004023CA |. 05 00470000 |add eax, 4700
004023CF |. 50 |push eax
004023D0 |. 6A 00 |push 0
004023D2 |. B9 00C36B00 |mov ecx, 006BC300
004023D7 |. E8 24BC0100 |call 0041E000
004023DC |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
004023DF |. 8B55 98 |mov edx, dword ptr [ebp-68]
004023E2 |. 8B82 A8410000 |mov eax, dword ptr [edx+41A8]
004023E8 |. 8981 C0490000 |mov dword ptr [ecx+49C0], eax
004023EE |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
004023F1 |. 8B55 98 |mov edx, dword ptr [ebp-68]
004023F4 |. 8B82 98410000 |mov eax, dword ptr [edx+4198]
004023FA |. 8981 CC490000 |mov dword ptr [ecx+49CC], eax
00402400 |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
00402403 |. 8B55 98 |mov edx, dword ptr [ebp-68]
00402406 |. 8B82 9C410000 |mov eax, dword ptr [edx+419C]
0040240C |. 8981 D0490000 |mov dword ptr [ecx+49D0], eax
00402412 |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
00402415 |. 8B91 82410000 |mov edx, dword ptr [ecx+4182]
0040241B |. 8915 181C6B00 |mov dword ptr [6B1C18], edx
00402421 |. 8B45 98 |mov eax, dword ptr [ebp-68]
00402424 |. 8B88 AC410000 |mov ecx, dword ptr [eax+41AC]
0040242A |. 890D 1C1C6B00 |mov dword ptr [6B1C1C], ecx
00402430 |. 8B55 98 |mov edx, dword ptr [ebp-68]
00402433 |. 8B82 A0410000 |mov eax, dword ptr [edx+41A0]
00402439 |. A3 101C6B00 |mov dword ptr [6B1C10], eax
0040243E |. 8B4D 98 |mov ecx, dword ptr [ebp-68]
00402441 |. 8B91 A4410000 |mov edx, dword ptr [ecx+41A4]
00402447 |. 8915 141C6B00 |mov dword ptr [6B1C14], edx
0040244D |. 8B45 98 |mov eax, dword ptr [ebp-68]
00402450 |. 05 40490000 |add eax, 4940
Found 3 suspicious spots.
First:
0040314E |. 8B85 28FFFFFF mov eax, dword ptr [ebp-D8]
00403154 83B8 C0490000>cmp dword ptr [eax+49C0], 0
0040315B 7E 3F jle short 0040319C
0040315D 8B8D 28FFFFFF mov ecx, dword ptr [ebp-D8]
00403163 |. 8B95 28FFFFFF mov edx, dword ptr [ebp-D8]
00403169 8B81 D0490000 mov eax, dword ptr [ecx+49D0]
0040316F 3B82 C8490000 cmp eax, dword ptr [edx+49C8]
00403175 75 25 jnz short 0040319C
00403177 |. 8B8D 28FFFFFF mov ecx, dword ptr [ebp-D8]
0040317D |. 8B95 28FFFFFF mov edx, dword ptr [ebp-D8]
00403183 8B81 CC490000 mov eax, dword ptr [ecx+49CC]
00403189 3B82 C4490000 cmp eax, dword ptr [edx+49C4]
0040318F 75 0B jnz short 0040319C
00403191 |. 8B8D 28FFFFFF mov ecx, dword ptr [ebp-D8]
00403197 |. E8 E4600000 call 00409280
0040319C |> E9 08480000 jmp 004079A9
Second:
00403042 |. 8B15 141C6B00 mov edx, dword ptr [6B1C14]
00403048 |. 3315 1C1C6B00 xor edx, dword ptr [6B1C1C]
0040304E |. 8B85 28FFFFFF mov eax, dword ptr [ebp-D8]
00403054 |. 8B88 D0490000 mov ecx, dword ptr [eax+49D0]
0040305A |. 8B85 28FFFFFF mov eax, dword ptr [ebp-D8]
00403060 |. 0388 84490000 add ecx, dword ptr [eax+4984]
00403066 |. 3BD1 cmp edx, ecx
00403068 75 1E jnz short 00403088
Third:
0040416A |> \8B15 101C6B00 mov edx, dword ptr [6B1C10]
00404170 |. 3315 181C6B00 xor edx, dword ptr [6B1C18]
00404176 |. 8B85 28FFFFFF mov eax, dword ptr [ebp-D8]
0040417C |. 8B88 CC490000 mov ecx, dword ptr [eax+49CC]
00404182 |. 8B85 28FFFFFF mov eax, dword ptr [ebp-D8]
00404188 |. 0388 80490000 add ecx, dword ptr [eax+4980]
0040418E |. 3BD1 cmp edx, ecx
00404190 74 14 je short 004041A6
At the key parts of the program, the server address, the registered user name and character, and the expiry period are verified again.
Jump over these directly: it runs, and most features work, but the auto-hunting feature still does not attack automatically. There are more hidden checks. I left them alone.
What is "系统异常" (system abnormal) for? Open the program and look at the code.
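As an added example (not the bot's code and not from the post author), the following C models the login-reply checks traced at 00402251..004023B0 above and the deferred re-check pattern of the three "hidden check" listings: the struct layout, the field names, the hash values and the meaning of the local value at +49C4 are assumptions, chosen to mirror the offsets in the listing.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the login-reply checks at 00402251..004023B0 and of the
   deferred re-check at 0040314E. Added example: struct layout, field names and
   hash values are assumptions, not the bot's own code. */
#define OP_EXPIRY   0x0E0E   /* word at +4186: expiry-only reply */
#define OP_VERIFY   0xEE01   /* word at +4186: full verification reply */
#define ERR_BADDATA (-8)     /* every "0000ee" branch returns -8 */
struct reply {               /* decoded reply buffer (+4180) */
    uint16_t len;            /* +4180: must equal the byte count recv returned */
    uint16_t opcode;         /* +4186 */
    char     server_addr[32];/* +4188: compared with the local copy by strcmp */
    uint32_t role_hash;      /* +4198: hash of the chosen character */
    uint32_t user_hash;      /* +419C: hash of the registered user */
    int32_t  hours_left;     /* +41A8: remaining licence time in hours */
};
struct ctx {
    char     server_addr[32];/* +4980 */
    uint32_t user_hash;      /* +49C8 */
    uint32_t role_hash;      /* output of the hash routine at 0040F1D0 (assumed at +49C4) */
    int32_t  saved_hours;    /* +49C0/+49CC/+49D0: written only on success */
    uint32_t saved_role, saved_user;
};

/* 1 = verified, 0 = expiry-only reply handled elsewhere, -8 = reject. */
int check_reply(const struct reply *r, int received, struct ctx *c)
{
    if (received < 0x0E || r->len != received)      return ERR_BADDATA; /* 00402254 */
    if (r->opcode == OP_EXPIRY)                      return 0;           /* 004022B7 */
    if (r->opcode != OP_VERIFY || received != 0x30)  return ERR_BADDATA; /* 004022C6 */
    if (strcmp(c->server_addr, r->server_addr) != 0) return ERR_BADDATA; /* 0040230E */
    if (r->hours_left < 1)                           return ERR_BADDATA; /* 0040231D */
    if (r->user_hash != c->user_hash)                return ERR_BADDATA; /* 00402332 */
    if (r->role_hash != c->role_hash)                return ERR_BADDATA; /* 00402369 */
    c->saved_hours = r->hours_left;    /* 004023E8..0040240C: kept for later checks */
    c->saved_role  = r->role_hash;
    c->saved_user  = r->user_hash;
    return 1;
}
/* "还有%d天%d小时可用": the idiv by 0x18 splits hours into days and hours. */
void remaining(int32_t hours, int *days, int *hrs) { *days = hours / 24; *hrs = hours % 24; }
/* Hidden re-check at a feature entry (pattern of 0040314E): when the login
   check was jumped over rather than passed, the saved values are still zero
   and the feature silently stays off. */
int feature_allowed(const struct ctx *c)
{
    return c->saved_hours > 0 && c->saved_user == c->user_hash && c->saved_role == c->role_hash;
}
```

The point of the split is the one the post observes: a patched jump at the login check makes the message appear, but the feature-level re-checks still fail because nothing was ever stored.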
00409655 |> \837D FC 01 |cmp dword ptr [ebp-4], 1
00409659 |. 75 35 |jnz short 00409690
0040965B |. 8B0D 20BF4800 |mov ecx, dword ptr [48BF20]
00409661 |. 51 |push ecx ; /hEvent => NULL
00409662 |. FF15 2C064700 |call dword ptr [<&WS2_32.WSASetEvent>; \WSASetEvent
00409668 |. 8B95 CCFDFFFF |mov edx, dword ptr [ebp-234]
0040966E |. 52 |push edx ; /hObject
0040966F |. FF15 00034700 |call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle
00409675 |. 68 28344700 |push 00473428 ; 0000ff异常的操作系统,请检查
0040967A |. 6A 00 |push 0
0040967C |. B9 00C36B00 |mov ecx, 006BC300
00409681 |. E8 7A490100 |call 0041E000
00409686 |. B8 01000000 |mov eax, 1
0040968B |. E9 5F010000 |jmp 004097EF
00409690 |> E9 2D010000 |jmp 004097C2
00409695 |> 837D FC 08 |cmp dword ptr [ebp-4], 8
00409699 |. 75 34 |jnz short 004096CF
0040969B |. A1 20BF4800 |mov eax, dword ptr [48BF20]
004096A0 |. 50 |push eax ; /hEvent => NULL
004096A1 |. FF15 2C064700 |call dword ptr [<&WS2_32.WSASetEvent>; \WSASetEvent
004096A7 |. 8B8D CCFDFFFF |mov ecx, dword ptr [ebp-234]
004096AD |. 51 |push ecx ; /hObject
004096AE |. FF15 00034700 |call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle
004096B4 |. 68 44344700 |push 00473444 ; 0000ff异常的操作系统,请检查
004096B9 |. 6A 00 |push 0
004096BB |. B9 00C36B00 |mov ecx, 006BC300
004096C0 |. E8 3B490100 |call 0041E000
004096C5 |. B8 01000000 |mov eax, 1
004096CA |. E9 20010000 |jmp 004097EF
004096CF |> E9 EE000000 |jmp 004097C2
004096D4 |> 837D FC 05 |cmp dword ptr [ebp-4], 5
004096D8 |. 75 35 |jnz short 0040970F
004096DA |. 8B15 20BF4800 |mov edx, dword ptr [48BF20]
004096E0 |. 52 |push edx ; /hEvent => NULL
004096E1 |. FF15 2C064700 |call dword ptr [<&WS2_32.WSASetEvent>; \WSASetEvent
004096E7 |. 8B85 CCFDFFFF |mov eax, dword ptr [ebp-234]
004096ED |. 50 |push eax ; /hObject
004096EE |. FF15 00034700 |call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle
004096F4 |. 68 60344700 |push 00473460 ; 0000ff异常的操作系统,请检查
004096F9 |. 6A 00 |push 0
004096FB |. B9 00C36B00 |mov ecx, 006BC300
00409700 |. E8 FB480100 |call 0041E000
00409705 |. B8 01000000 |mov eax, 1
0040970A |. E9 E0000000 |jmp 004097EF
0040970F |> E9 AE000000 |jmp 004097C2
00409714 |> 837D FC 01 |cmp dword ptr [ebp-4], 1
00409718 |. 75 35 |jnz short 0040974F
0040971A |. 8B0D 20BF4800 |mov ecx, dword ptr [48BF20]
00409720 |. 51 |push ecx ; /hEvent => NULL
00409721 |. FF15 2C064700 |call dword ptr [<&WS2_32.WSASetEvent>; \WSASetEvent
00409727 |. 8B95 CCFDFFFF |mov edx, dword ptr [ebp-234]
0040972D |. 52 |push edx ; /hObject
0040972E |. FF15 00034700 |call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle
00409734 |. 68 7C344700 |push 0047347C ; 0000ff异常的操作系统,请检查
00409739 |. 6A 00 |push 0
0040973B |. B9 00C36B00 |mov ecx, 006BC300
00409740 |. E8 BB480100 |call 0041E000
00409745 |. B8 01000000 |mov eax, 1
0040974A |. E9 A0000000 |jmp 004097EF
0040974F |> EB 71 |jmp short 004097C2
00409751 |> 837D FC 01 |cmp dword ptr [ebp-4], 1
00409755 |. 75 31 |jnz short 00409788
00409757 |. A1 20BF4800 |mov eax, dword ptr [48BF20]
0040975C |. 50 |push eax ; /hEvent => NULL
0040975D |. FF15 2C064700 |call dword ptr [<&WS2_32.WSASetEvent>; \WSASetEvent
00409763 |. 8B8D CCFDFFFF |mov ecx, dword ptr [ebp-234]
00409769 |. 51 |push ecx ; /hObject
0040976A |. FF15 00034700 |call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle
00409770 |. 68 98344700 |push 00473498 ; 0000ff异常的操作系统,请检查
00409775 |. 6A 00 |push 0
00409777 |. B9 00C36B00 |mov ecx, 006BC300
0040977C |. E8 7F480100 |call 0041E000
00409781 |. B8 01000000 |mov eax, 1
00409786 |. EB 67 |jmp short 004097EF
00409788 |> EB 38 |jmp short 004097C2
0040978A |> 837D FC 01 |cmp dword ptr [ebp-4], 1
0040978E |. 75 32 |jnz short 004097C2
00409790 |. 8B15 20BF4800 |mov edx, dword ptr [48BF20]
00409796 |. 52 |push edx ; /hEvent => NULL
00409797 |. FF15 2C064700 |call dword ptr [<&WS2_32.WSASetEvent>; \WSASetEvent
0040979D |. 8B85 CCFDFFFF |mov eax, dword ptr [ebp-234]
004097A3 |. 50 |push eax ; /hObject
004097A4 |. FF15 00034700 |call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle
004097AA |. 68 B4344700 |push 004734B4 ; 0000ff异常的操作系统,请检查
004097AF |. 6A 00 |push 0
004097B1 |. B9 00C36B00 |mov ecx, 006BC300
004097B6 |. E8 45480100 |call 0041E000
004097BB |. B8 01000000 |mov eax, 1
This looks like packet detection: packet sniffers and packet-replacement tools cannot be used against it.
--------------------------------------------------------------------------------
【Summary】
This is a 2006 private-server bot. Its author evidently applied network verification quite thoroughly, which makes it hard to crack by conventional methods. Worth us newcomers
learning from.
1. Anti-sniffing and anti-replacement of packets.
2. The remote server address is verified several times and also used for data decryption.
3. The usual comparison of remote data against local data.
4. Data verification at several major feature points.
There may well be verification methods I have not spotted. Learn from the author's rigour and depth of skill.
--------------------------------------------------------------------------------
【Copyright】: This article was originally published on the 看雪 (PEDIY) forum; when reposting, please credit the author and keep the article intact. Thanks!
2009年04月30日 21:28:14