Cracking a game cheat: problems met while unpacking and cracking (file self-verification). Newbie here, experts please come and take a look!
PEiD identifies it as: NsPacK V3.6 -> LiuXingPing *
After unpacking
PEiD identifies it as: Borland Delphi 6.0 - 7.0
The cheat runs normally, but clicking "Login" gets no response and it does not exit either. I don't know what the reason is (is there still a CRC32 check?)
★☆ I already know how much of a newbie I am; if any of you are willing to help this newbie, I will be very grateful ☆★
Below are some notes from my unpacking; if anything is wrong please point it out to me~~ newbie!
Open it in OD
004FF26E >9C pushfd                        stops here
004FF26F 60 pushad
004FF270 E8 00000000 call Dbtjx2.004FF275   step with F8 directly to here, apply the ESP trick: set a hardware access breakpoint > word, then F9 to run
004FF275 5D pop ebp
004FF276 83ED 07 sub ebp, 7
004FF279 8D85 66FBFFFF lea eax, dword ptr ss:
004FF27F 8338 01 cmp dword ptr ds:, 1
004FF282 0F84 47020000 je Dbtjx2.004FF4CF
....
....
....
004FF4E3 61 popad
004FF4E4 9D popfd                          breaks here; delete the hardware breakpoint, F8
004FF4E5- E9 1287FBFF jmp Dbtjx2.004B7BFC   F8
004FF4EA 8BB5 F2FAFFFF mov esi, dword ptr ss:
004FF4F0 0BF6 or esi, esi
...
004B7BFC .55 push ebp                       at this point I dumped it (unpacked)
004B7BFD .8BEC mov ebp, esp
004B7BFF .83C4 F0 add esp, -10
004B7C02 .B8 A8684B00 mov eax, Dbtjx2.004B68A8
004B7C07 .E8 DCF2F4FF call Dbtjx2.00406EE8
004B7C0C .6A 00 push 0 ; /Title = NULL
004B7C0E .68 B07C4B00 push Dbtjx2.004B7CB0 ; |Class = "_Jx2_Plugin_"
004B7C13 .E8 B0FAF4FF call Dbtjx2.004076C8 ; \FindWindowA
004B7C18 .85C0 test eax, eax
004B7C1A .74 14 je short Dbtjx2.004B7C30
004B7C1C .6A 00 push 0 ; /lParam = 0
004B7C1E .6A 00 push 0 ; |wParam = 0
004B7C20 .68 5F200000 push 205F ; |Message = MSG(205F)
004B7C25 .50 push eax ; |hWnd
004B7C26 .E8 35FDF4FF call Dbtjx2.00407960 ; \PostMessageA
004B7C2B .E8 2CCEF4FF call Dbtjx2.00404A5C
004B7C30 >E8 17B7F4FF call Dbtjx2.0040334C
004B7C35 .A1 BCD14B00 mov eax, dword ptr ds:
004B7C3A .8B00 mov eax, dword ptr ds:
Below are some notes from my cracking attempt. It did not succeed either, but I kept notes, so I'm posting them for everyone to see where I went wrong..
Since the cheat runs normally after unpacking but clicking "Login" gets no response, and I had no way to solve that, the only option left was to debug it with the packer still on
Open it in OD, "Run", set a breakpoint at 004B392C, click "Login" and it breaks here
004B392C /0F8C 72010000 jl Dbtjx2.004B3AA4   must not jump
004B3932|. |C605 C8CB4B00 01 mov byte ptr ds:, 1
004B3939|. |A1 00D34B00 mov eax, dword ptr ds:
004B393E|. |8B00 mov eax, dword ptr ds:
004B3940|. |8B93 38050000 mov edx, dword ptr ds:
004B3946|. |8910 mov dword ptr ds:, edx
004B3948|. |A1 00D34B00 mov eax, dword ptr ds:
004B394D|. |8B00 mov eax, dword ptr ds:
004B394F|. |83C0 08 add eax, 8
004B3952|. |8B93 3C050000 mov edx, dword ptr ds:
004B3958|. |E8 7F64F5FF call Dbtjx2.00409DDC
004B395D|. |A1 00D34B00 mov eax, dword ptr ds:
004B3962|. |8B00 mov eax, dword ptr ds:
004B3964|. |05 28040000 add eax, 428
004B3969|. |8B55 FC mov edx, dword ptr ss: ;get username
004B396C|. |E8 6B64F5FF call Dbtjx2.00409DDC
004B3971|. |A1 00D34B00 mov eax, dword ptr ds:
004B3976|. |8B00 mov eax, dword ptr ds:
004B3978|. |05 78040000 add eax, 478
004B397D|. |8B55 F8 mov edx, dword ptr ss:
004B3980|. |E8 5764F5FF call Dbtjx2.00409DDC
004B3985|. |8B83 B0030000 mov eax, dword ptr ds:
004B398B|. |8B10 mov edx, dword ptr ds:
004B398D|. |FF92 DC000000 call dword ptr ds:
004B3993|. |8B15 00D34B00 mov edx, dword ptr ds: ;Dbtjx2.004C2D38
004B3999|. |8B12 mov edx, dword ptr ds:
004B399B|. |8942 04 mov dword ptr ds:, eax
004B399E|. |FF15 78304C00 call dword ptr ds: ;Hook.InstallHook   installs a hook, doesn't it?
004B39A4|. |84C0 test al, al
004B39A6|. |8BC3 mov eax, ebx
004B39A8|. |E8 BFFDFFFF call Dbtjx2.004B376C
004B39AD|. |8D45 F4 lea eax, dword ptr ss:
004B39B0|. |BA 883B4B00 mov edx, Dbtjx2.004B3B88 ;Login successful!
004B39B5|. |E8 0213F5FF call Dbtjx2.00404CBC
004B39BA|. |8B83 B0030000 mov eax, dword ptr ds:
004B39C0|. |8B10 mov edx, dword ptr ds:
004B39C2|. |FF92 DC000000 call dword ptr ds:
004B39C8|. |85C0 test eax, eax
004B39CA|. |75 0E jnz short Dbtjx2.004B39DA   this one jumps on its own
004B39CC|. |8B83 B0030000 mov eax, dword ptr ds:
004B39D2|. |8970 0C mov dword ptr ds:, esi
004B39D5|. |E9 A2000000 jmp Dbtjx2.004B3A7C
004B39DA|> |8B83 B0030000 mov eax, dword ptr ds:
004B39E0|. |8B10 mov edx, dword ptr ds:
004B39E2|. |FF92 DC000000 call dword ptr ds:
004B39E8|. |48 dec eax
004B39E9|. |75 43 jnz short Dbtjx2.004B3A2E ;jumps if "days" is selected (does not jump if "monthly" is selected)
004B39EB|. |8D45 E0 lea eax, dword ptr ss:
004B39EE|. |50 push eax
004B39EF|. |8B45 F4 mov eax, dword ptr ss:
004B39F2|. |8945 D0 mov dword ptr ss:, eax
004B39F5|. |C645 D4 0B mov byte ptr ss:, 0B
004B39F9|. |8D4D CC lea ecx, dword ptr ss:
004B39FC|. |8BD6 mov edx, esi
004B39FE|. |8BC3 mov eax, ebx
004B3A00|. |E8 CFE7FFFF call Dbtjx2.004B21D4 ;something is off here, F7 into it
......
......
004B356A|. /0F85 FC000000 jnz Dbtjx2.004B366C   step to here
004B3570|. |83BB 40050000 00 cmp dword ptr ds:, 0
004B3577|. |0F84 EF000000 je Dbtjx2.004B366C
004B357D|. |83BB 44050000 00 cmp dword ptr ds:, 0
004B3584|. |0F84 E2000000 je Dbtjx2.004B366C
004B358A|. |8B83 44050000 mov eax, dword ptr ds:
004B3590|. |BA AC364B00 mov edx, Dbtjx2.004B36AC ;so2game.exe   I don't know what these are
004B3595|. |E8 B21AF5FF call Dbtjx2.0040504C
004B359A|. |74 28 je short Dbtjx2.004B35C4
004B359C|. |8B83 44050000 mov eax, dword ptr ds:
004B35A2|. |BA C0364B00 mov edx, Dbtjx2.004B36C0 ;so2gamexp.exe   I don't know what these are
004B35A7|. |E8 A01AF5FF call Dbtjx2.0040504C
004B35AC|. |74 16 je short Dbtjx2.004B35C4
004B35AE|. |8B83 44050000 mov eax, dword ptr ds:
004B35B4|. |BA D8364B00 mov edx, Dbtjx2.004B36D8 ;so2gamefree.exe   I don't know what these are
004B35B9|. |E8 8E1AF5FF call Dbtjx2.0040504C
004B35BE|. |0F85 A8000000 jnz Dbtjx2.004B366C
004B35C4|> |8D45 F8 lea eax, dword ptr ss:
004B35C7|. |8B8B 44050000 mov ecx, dword ptr ds:
004B35CD|. |8B93 40050000 mov edx, dword ptr ds:
004B35D3|. |E8 6419F5FF call Dbtjx2.00404F3C
004B35D8|. |8B45 F8 mov eax, dword ptr ss:
004B35DB|. |E8 7C5DFDFF call Dbtjx2.0048935C
004B35E0|. |84C0 test al, al
004B35E2|. |0F84 84000000 je Dbtjx2.004B366C ;must not jump
004B35E8|. |6A 04 push 4
004B35EA|. |8D45 F4 lea eax, dword ptr ss:
004B35ED|. |B9 F0364B00 mov ecx, Dbtjx2.004B36F0 ;\n\nWant to enter the game quickly? Choosing "Yes" will launch JX Online 2 automatically
004B35F2|. |8BD6 mov edx, esi
004B35F4|. |E8 4319F5FF call Dbtjx2.00404F3C   *** I stepped into this one; is this the key call?
004B35F9|. |8B55 F4 mov edx, dword ptr ss:
004B35FC|. |B9 30374B00 mov ecx, Dbtjx2.004B3730 ;Info
004B3601|. |8BC3 mov eax, ebx
004B3603|. |E8 6CEAFFFF call Dbtjx2.004B2074   here it shows: Login successful + remaining days: 0 + Want to enter the game quickly? Choosing "Yes" will launch JX
004B3608|. |83F8 06 cmp eax, 6
004B360B|. |75 6F jnz short Dbtjx2.004B367C
004B360D|. |8B83 44050000 mov eax, dword ptr ds:
004B3613|. |BA AC364B00 mov edx, Dbtjx2.004B36AC ;so2game.exe
004B3618|. |E8 2F1AF5FF call Dbtjx2.0040504C
004B361D|. |75 0D jnz short Dbtjx2.004B362C
004B361F|. |8D45 FC lea eax, dword ptr ss:
004B3622|. |BA 40374B00 mov edx, Dbtjx2.004B3740 ; package.ini 1
004B3627|. |E8 9016F5FF call Dbtjx2.00404CBC
004B362C|> |BA D8364B00 mov edx, Dbtjx2.004B36D8 ;so2gamefree.exe
004B3631|. |8B83 44050000 mov eax, dword ptr ds:
004B3637|. |E8 101AF5FF call Dbtjx2.0040504C
004B363C|. |75 0D jnz short Dbtjx2.004B364B
004B363E|. |8D45 FC lea eax, dword ptr ss:
004B3641|. |BA 58374B00 mov edx, Dbtjx2.004B3758 ; packagefree.ini 2
004B3646|. |E8 7116F5FF call Dbtjx2.00404CBC
004B364B|> |8D45 F0 lea eax, dword ptr ss:
004B364E|. |8B8B 44050000 mov ecx, dword ptr ds:
004B3654|. |8B93 40050000 mov edx, dword ptr ds:
004B365A|. |E8 DD18F5FF call Dbtjx2.00404F3C
004B365F|. |8B45 F0 mov eax, dword ptr ss:
004B3662|. |8B55 FC mov edx, dword ptr ss:
004B3665|. |E8 32E9FFFF call Dbtjx2.004B1F9C
004B366A|. |EB 10 jmp short Dbtjx2.004B367C
004B366C|> \6A 00 push 0
004B366E|.B9 30374B00 mov ecx, Dbtjx2.004B3730 ;Info
JX2 cheat download address:
http://ys-c.ys168.com/?JX2DBT.rar_4shkk8d7ehshkisht0c0cm2bto0coll5b5btht1btlju14z97f14z   If the one above won't download, click here; sorry, I logged in from my phone and can't upload the file
Cheat download address
http://335206828.ys168.com/
Cheat tool: JX2DBT.rar   No problem, let me take a look first
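The poster's symptom (unpacked program runs, "Login" does nothing, no exit) and the question "is there still a CRC32 check?" are worth pinning down before patching anything. The block below is an added illustration, not code from the post or from the cheat it discusses: it builds a constructed "packed" file that carries a CRC32 of its own on-disk bytes in a trailing slot, runs the kind of self-check such a program performs at start-up, and shows why a dumped image fails that check even though nothing in the dumped code was edited. The layout (stub + compressed body + 4-byte slot at the end), the stub bytes and the program body are all hypothetical; a real protector may checksum only certain sections or store the value elsewhere.

```python
"""Added example: how a file self-check (CRC32 over the on-disk image) works,
and why an unpacked dump fails it. All data below is constructed; nothing is
taken from the cheat discussed in the post."""
import struct
import zlib

CRC_SLOT = 4  # hypothetical: last 4 bytes of the file hold the stored CRC32

# Constructed stand-ins, not real bytes from any program.
LOADER_STUB = b"PACKER-STUB:"
PROGRAM_BODY = b"delphi-form-code:" + bytes(range(256)) * 8


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def build_packed(body: bytes) -> bytes:
    """Protector side: stub + compressed body, then a CRC32 over exactly those
    bytes. The CRC covers the PACKED layout, because that is what the program
    will find when it re-reads its own file from disk at run time."""
    packed = LOADER_STUB + zlib.compress(body)
    return packed + struct.pack("<I", crc32(packed))


def self_check(on_disk: bytes) -> bool:
    """Program side at start-up: recompute the CRC over everything except the
    slot and compare with the stored value. A mismatch typically just disables
    features quietly, which is consistent with "click Login, nothing happens"."""
    stored = struct.unpack("<I", on_disk[-CRC_SLOT:])[0]
    return stored == crc32(on_disk[:-CRC_SLOT])


def dump_unpacked(packed: bytes) -> bytes:
    """Stand-in for what a dumper writes: the decompressed body replaces
    stub+compressed data, while the original tail (and so the stored CRC)
    is carried over unchanged. No byte of the body is edited."""
    compressed = packed[len(LOADER_STUB):-CRC_SLOT]
    return zlib.decompress(compressed) + packed[-CRC_SLOT:]


def diagnose(on_disk: bytes) -> dict:
    """Practitioner's check: compare stored vs. recomputed CRC for a file."""
    stored = struct.unpack("<I", on_disk[-CRC_SLOT:])[0]
    actual = crc32(on_disk[:-CRC_SLOT])
    return {"stored": stored, "actual": actual, "passes": stored == actual}


if __name__ == "__main__":
    packed = build_packed(PROGRAM_BODY)
    dumped = dump_unpacked(packed)
    print("packed file:", diagnose(packed))   # passes: True
    print("dumped file:", diagnose(dumped))   # passes: False, same stored value
```

The diagnostic order matters: run the check against the original packed file first. If the original passes and the dump fails while both report the same stored value, the failure is explained by the self-check over the on-disk image, and fixing the dump's bytes by hand is pointless, since any dump differs from the packed file by construction. If the original also fails, the slot or the covered range assumed here is wrong for that program and the symptom has another cause.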