【Software name】传世VIP 2.08
【Platform】Win 98/2000/me/xp/nt
【Size】920 KB
【Restriction】Verification
【Cracking statement】Research only, no other intent; do not use commercially.
【Tools】W32dasm peid0.93 freeRes AspackDie C32Asm
【Description】External cheat tool (外挂) for 传奇世界
【Analysis】First download the software. Opening it in PEiD shows it is packed with ASPack 2.12 -> Alexey Solodovnikov. Being lazy, I unpacked it with the AspackDie unpacker. Back in PEiD, the program is detected as written in VC++. Checked the resources with freeRes and rebuilt them as editable. Loaded it in W32dasm to look at the strings: nothing obvious... Switched to C32Asm instead, found the login prompt string and, clicking it, saw two references: 0040780E and 00407978. Back in W32dasm, go to:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004077BB(C)
|
:004077CE 50 push eax
:004077CF 53 push ebx
:004077D0 8D45E0 lea eax, dword ptr [ebp-20]
:004077D3 50 push eax
:004077D4 8D8DB4FEFFFF lea ecx, dword ptr [ebp+FFFFFEB4]
:004077DA E819BBFFFF call 004032F8
:004077DF 8B451C mov eax, dword ptr [ebp+1C]
:004077E2 6A20 push 00000020
:004077E4 40 inc eax
:004077E5 50 push eax
:004077E6 8D45E0 lea eax, dword ptr [ebp-20]
:004077E9 50 push eax
:004077EA 8D8D98FEFFFF lea ecx, dword ptr [ebp+FFFFFE98]
:004077F0 E803BBFFFF call 004032F8
:004077F5 68143E4100 push 00413E14
:004077FA 8D8DECFEFFFF lea ecx, dword ptr [ebp+FFFFFEEC]
:00407800 E805F1FFFF call 0040690A
:00407805 85C0 test eax, eax ← program compares
:00407807 7526 jne 0040782F ← key authentication jump; change 75 to 74
:00407809 BE10714100 mov esi, 00417110
:0040780E 68043E4100 push 00413E04 ← lands here
:00407813 8BCE mov ecx, esi
:00407815 E875B2FFFF call 00402A8F
:0040781A 57 push edi
:0040781B 53 push ebx
:0040781C 8D8508FFFFFF lea eax, dword ptr [ebp+FFFFFF08]
:00407822 50 push eax
:00407823 8BCE mov ecx, esi
:00407825 E8EFF1FFFF call 00406A19
:0040782A E998010000 jmp 004079C7
Run the patched program and enter an arbitrary account and password. No good.... Keep looking further down~
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407807(C)
|
:0040782F 68FC3D4100 push 00413DFC
:00407834 8D8DECFEFFFF lea ecx, dword ptr [ebp+FFFFFEEC]
:0040783A E8CBF0FFFF call 0040690A
:0040783F 85C0 test eax, eax ← compare of the returned authentication data
:00407841 0F8571010000 jne 004079B8 ← key jump; modify it
:00407847 56 push esi
:00407848 8D85ECFEFFFF lea eax, dword ptr [ebp+FFFFFEEC]
:0040784E 50 push eax
:0040784F 8D45C4 lea eax, dword ptr [ebp-3C]
:00407852 50 push eax
:00407853 E822F3FFFF call 00406B7A
:00407858 83C40C add esp, 0000000C
:0040785B 57 push edi
:0040785C 53 push ebx
:0040785D 8D452C lea eax, dword ptr [ebp+2C]
:00407860 50 push eax
:00407861 8D4DC4 lea ecx, dword ptr [ebp-3C]
:00407864 E8B0F1FFFF call 00406A19
:00407869 56 push esi
:0040786A 8D4DC4 lea ecx, dword ptr [ebp-3C]
:0040786D E8CCF2FFFF call 00406B3E
:00407872 57 push edi
:00407873 53 push ebx
:00407874 8D4584 lea eax, dword ptr [ebp-7C]
:00407877 50 push eax
:00407878 8D4DC4 lea ecx, dword ptr [ebp-3C]
:0040787B E899F1FFFF call 00406A19
:00407880 56 push esi
:00407881 8D4DC4 lea ecx, dword ptr [ebp-3C]
:00407884 E8B5F2FFFF call 00406B3E
:00407889 68F83D4100 push 00413DF8
:0040788E 8D4DC4 lea ecx, dword ptr [ebp-3C]
:00407891 E8A8F2FFFF call 00406B3E
Run the program... An error dialog appears, but from experience the patch has already worked, so ignore it and go into the game to play first~ haha~
【Summary】A string compare; change the return value! Fairly simple.
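The summary above names the weak spot: the result of a string compare feeds one conditional jump, so a single byte decides the outcome. As an added example (not the tool's code), the C below places that pattern beside a hardened alternative in which the credential derives the key that decrypts the data the program actually needs, so there is no branch whose inversion yields working data; the FNV-1a stand-in hash, the `seal`/`hardened_unlock` names and the sample blob are assumptions for illustration, not anything from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Weak pattern, as in the listing above: compare the strings, then branch on
 * the result. This compiles to "test eax,eax / jne", so one patched byte
 * inverts the whole decision. */
int weak_check(const char *entered, const char *expected) {
    return strcmp(entered, expected) == 0;     /* caller branches on 0 or 1 */
}

/* Toy 64-bit FNV-1a, a stand-in so the example is self-contained. It is NOT
 * cryptographic; a real build would use a proper KDF and an authenticated
 * cipher in its place (assumption for illustration only). */
static uint64_t fnv1a(const uint8_t *p, size_t n, uint64_t h) {
    while (n--) { h ^= *p++; h *= 0x100000001b3ULL; }
    return h;
}

static uint64_t derive_key(const char *credential) {
    return fnv1a((const uint8_t *)credential, strlen(credential),
                 0xcbf29ce484222325ULL);
}

/* Keystream derived from the key; XOR is symmetric, so seal and unlock share it. */
static void xor_stream(uint64_t key, const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ (uint8_t)fnv1a((const uint8_t *)&i, sizeof i, key);
}

/* Vendor side (constructed for the example): encrypt the data the program
 * needs under the credential and return a tag over the plaintext. */
uint64_t seal(const char *cred, const uint8_t *plain, size_t n, uint8_t *blob) {
    uint64_t key = derive_key(cred);
    xor_stream(key, plain, blob, n);
    return fnv1a(plain, n, key);
}

/* Hardened pattern: the credential is never compared against a stored value.
 * It becomes the key that decrypts the blob, and the tag is checked afterwards.
 * A wrong credential yields garbage plus a tag mismatch; flipping the final
 * branch only lets the garbage through, it does not recover the real data. */
int hardened_unlock(const char *cred, const uint8_t *blob, size_t n,
                    uint64_t tag, uint8_t *out) {
    uint64_t key = derive_key(cred);
    xor_stream(key, blob, out, n);
    return fnv1a(out, n, key) == tag;
}
```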
[ Last edited by tigerisme on 2006-8-26 21:28 ]