Cracking a game cheat: problems encountered while unpacking and cracking (file self-check)
PEiD identifies it as: NsPacK V3.6 -> LiuXingPing *
After unpacking
PEiD identifies it as: Borland Delphi 6.0 - 7.0
The cheat runs normally, but clicking "Login" gets no response and it does not exit either. I don't know what the cause is. (Is there still a CRC32 check?)
★☆I already know how much of a newbie I am; if anyone is willing to help this newbie, I will be very grateful☆★
Below are some notes from my unpacking; please point out anything I did wrong~~ Newbie!
Opened in OD (OllyDbg)
004FF26E > 9C pushfd stops here
004FF26F 60 pushad
004FF270 E8 00000000 call Dbtjx2.004FF275 F8 single-step straight to here; ESP trick: set hardware access breakpoint > word, F9 to run
004FF275 5D pop ebp
004FF276 83ED 07 sub ebp, 7
004FF279 8D85 66FBFFFF lea eax, dword ptr ss:[ebp-49A]
004FF27F 8338 01 cmp dword ptr ds:[eax], 1
004FF282 0F84 47020000 je Dbtjx2.004FF4CF
....
....
....
004FF4E3 61 popad
004FF4E4 9D popfd breaks here; remove the hardware breakpoint, F8
004FF4E5 - E9 1287FBFF jmp Dbtjx2.004B7BFC F8
004FF4EA 8BB5 F2FAFFFF mov esi, dword ptr ss:[ebp-50E]
004FF4F0 0BF6 or esi, esi
...
004B7BFC . 55 push ebp reaching here, I dumped and unpacked it
004B7BFD . 8BEC mov ebp, esp
004B7BFF . 83C4 F0 add esp, -10
004B7C02 . B8 A8684B00 mov eax, Dbtjx2.004B68A8
004B7C07 . E8 DCF2F4FF call Dbtjx2.00406EE8
004B7C0C . 6A 00 push 0 ; /Title = NULL
004B7C0E . 68 B07C4B00 push Dbtjx2.004B7CB0 ; |Class = "_Jx2_Plugin_"
004B7C13 . E8 B0FAF4FF call Dbtjx2.004076C8 ; \FindWindowA
004B7C18 . 85C0 test eax, eax
004B7C1A . 74 14 je short Dbtjx2.004B7C30
004B7C1C . 6A 00 push 0 ; /lParam = 0
004B7C1E . 6A 00 push 0 ; |wParam = 0
004B7C20 . 68 5F200000 push 205F ; |Message = MSG(205F)
004B7C25 . 50 push eax ; |hWnd
004B7C26 . E8 35FDF4FF call Dbtjx2.00407960 ; \PostMessageA
004B7C2B . E8 2CCEF4FF call Dbtjx2.00404A5C
004B7C30 > E8 17B7F4FF call Dbtjx2.0040334C
004B7C35 . A1 BCD14B00 mov eax, dword ptr ds:[4BD1BC]
004B7C3A . 8B00 mov eax, dword ptr ds:[eax]
Below are some notes from my cracking attempt; it didn't succeed either, but I took some notes, so I'm posting them for everyone to see where I went wrong..
Since the unpacked cheat runs normally but clicking "Login" gets no response, and I had no way to solve that, I could only debug it with the packer still on.
Opened it in OD, hit "Run", set a breakpoint at 004B392C; clicking "Login" breaks right here
004B392C /0F8C 72010000 jl Dbtjx2.004B3AA4 must not jump
004B3932 |. |C605 C8CB4B00 01 mov byte ptr ds:[4BCBC8], 1
004B3939 |. |A1 00D34B00 mov eax, dword ptr ds:[4BD300]
004B393E |. |8B00 mov eax, dword ptr ds:[eax]
004B3940 |. |8B93 38050000 mov edx, dword ptr ds:[ebx+538]
004B3946 |. |8910 mov dword ptr ds:[eax], edx
004B3948 |. |A1 00D34B00 mov eax, dword ptr ds:[4BD300]
004B394D |. |8B00 mov eax, dword ptr ds:[eax]
004B394F |. |83C0 08 add eax, 8
004B3952 |. |8B93 3C050000 mov edx, dword ptr ds:[ebx+53C]
004B3958 |. |E8 7F64F5FF call Dbtjx2.00409DDC
004B395D |. |A1 00D34B00 mov eax, dword ptr ds:[4BD300]
004B3962 |. |8B00 mov eax, dword ptr ds:[eax]
004B3964 |. |05 28040000 add eax, 428
004B3969 |. |8B55 FC mov edx, dword ptr ss:[ebp-4] ; gets the username
004B396C |. |E8 6B64F5FF call Dbtjx2.00409DDC
004B3971 |. |A1 00D34B00 mov eax, dword ptr ds:[4BD300]
004B3976 |. |8B00 mov eax, dword ptr ds:[eax]
004B3978 |. |05 78040000 add eax, 478
004B397D |. |8B55 F8 mov edx, dword ptr ss:[ebp-8]
004B3980 |. |E8 5764F5FF call Dbtjx2.00409DDC
004B3985 |. |8B83 B0030000 mov eax, dword ptr ds:[ebx+3B0]
004B398B |. |8B10 mov edx, dword ptr ds:[eax]
004B398D |. |FF92 DC000000 call dword ptr ds:[edx+DC]
004B3993 |. |8B15 00D34B00 mov edx, dword ptr ds:[4BD300] ; Dbtjx2.004C2D38
004B3999 |. |8B12 mov edx, dword ptr ds:[edx]
004B399B |. |8942 04 mov dword ptr ds:[edx+4], eax
004B399E |. |FF15 78304C00 call dword ptr ds:[4C3078] ; Hook.InstallHook installs a hook, doesn't it?
004B39A4 |. |84C0 test al, al
004B39A6 |. |8BC3 mov eax, ebx
004B39A8 |. |E8 BFFDFFFF call Dbtjx2.004B376C
004B39AD |. |8D45 F4 lea eax, dword ptr ss:[ebp-C]
004B39B0 |. |BA 883B4B00 mov edx, Dbtjx2.004B3B88 ; 登录成功!
004B39B5 |. |E8 0213F5FF call Dbtjx2.00404CBC
004B39BA |. |8B83 B0030000 mov eax, dword ptr ds:[ebx+3B0]
004B39C0 |. |8B10 mov edx, dword ptr ds:[eax]
004B39C2 |. |FF92 DC000000 call dword ptr ds:[edx+DC]
004B39C8 |. |85C0 test eax, eax
004B39CA |. |75 0E jnz short Dbtjx2.004B39DA this one jumps on its own
004B39CC |. |8B83 B0030000 mov eax, dword ptr ds:[ebx+3B0]
004B39D2 |. |8970 0C mov dword ptr ds:[eax+C], esi
004B39D5 |. |E9 A2000000 jmp Dbtjx2.004B3A7C
004B39DA |> |8B83 B0030000 mov eax, dword ptr ds:[ebx+3B0]
004B39E0 |. |8B10 mov edx, dword ptr ds:[eax]
004B39E2 |. |FF92 DC000000 call dword ptr ds:[edx+DC]
004B39E8 |. |48 dec eax
004B39E9 |. |75 43 jnz short Dbtjx2.004B3A2E ; jumps if "days" is selected (does not jump if "monthly" is selected)
004B39EB |. |8D45 E0 lea eax, dword ptr ss:[ebp-20]
004B39EE |. |50 push eax
004B39EF |. |8B45 F4 mov eax, dword ptr ss:[ebp-C]
004B39F2 |. |8945 D0 mov dword ptr ss:[ebp-30], eax
004B39F5 |. |C645 D4 0B mov byte ptr ss:[ebp-2C], 0B
004B39F9 |. |8D4D CC lea ecx, dword ptr ss:[ebp-34]
004B39FC |. |8BD6 mov edx, esi
004B39FE |. |8BC3 mov eax, ebx
004B3A00 |. |E8 CFE7FFFF call Dbtjx2.004B21D4 ; something is off here, F7 into it
......
......
004B356A |. /0F85 FC000000 jnz Dbtjx2.004B366C single-step to here
004B3570 |. |83BB 40050000 00 cmp dword ptr ds:[ebx+540], 0
004B3577 |. |0F84 EF000000 je Dbtjx2.004B366C
004B357D |. |83BB 44050000 00 cmp dword ptr ds:[ebx+544], 0
004B3584 |. |0F84 E2000000 je Dbtjx2.004B366C
004B358A |. |8B83 44050000 mov eax, dword ptr ds:[ebx+544]
004B3590 |. |BA AC364B00 mov edx, Dbtjx2.004B36AC ; so2game.exe not sure what these are
004B3595 |. |E8 B21AF5FF call Dbtjx2.0040504C
004B359A |. |74 28 je short Dbtjx2.004B35C4
004B359C |. |8B83 44050000 mov eax, dword ptr ds:[ebx+544]
004B35A2 |. |BA C0364B00 mov edx, Dbtjx2.004B36C0 ; so2gamexp.exe not sure what these are
004B35A7 |. |E8 A01AF5FF call Dbtjx2.0040504C
004B35AC |. |74 16 je short Dbtjx2.004B35C4
004B35AE |. |8B83 44050000 mov eax, dword ptr ds:[ebx+544]
004B35B4 |. |BA D8364B00 mov edx, Dbtjx2.004B36D8 ; so2gamefree.exe not sure what these are
004B35B9 |. |E8 8E1AF5FF call Dbtjx2.0040504C
004B35BE |. |0F85 A8000000 jnz Dbtjx2.004B366C
004B35C4 |> |8D45 F8 lea eax, dword ptr ss:[ebp-8]
004B35C7 |. |8B8B 44050000 mov ecx, dword ptr ds:[ebx+544]
004B35CD |. |8B93 40050000 mov edx, dword ptr ds:[ebx+540]
004B35D3 |. |E8 6419F5FF call Dbtjx2.00404F3C
004B35D8 |. |8B45 F8 mov eax, dword ptr ss:[ebp-8]
004B35DB |. |E8 7C5DFDFF call Dbtjx2.0048935C
004B35E0 |. |84C0 test al, al
004B35E2 |. |0F84 84000000 je Dbtjx2.004B366C ; must not jump
004B35E8 |. |6A 04 push 4
004B35EA |. |8D45 F4 lea eax, dword ptr ss:[ebp-C]
004B35ED |. |B9 F0364B00 mov ecx, Dbtjx2.004B36F0 ; \n\n想快速进入游戏吗?选择"是"会自动启动剑侠情缘网络版2
004B35F2 |. |8BD6 mov edx, esi
004B35F4 |. |E8 4319F5FF call Dbtjx2.00404F3C *** I single-stepped into this one; is this the key call?
004B35F9 |. |8B55 F4 mov edx, dword ptr ss:[ebp-C]
004B35FC |. |B9 30374B00 mov ecx, Dbtjx2.004B3730 ; 信息
004B3601 |. |8BC3 mov eax, ebx
004B3603 |. |E8 6CEAFFFF call Dbtjx2.004B2074 this shows the prompt: "Login successful" + "0 days remaining" + "Do you want to enter the game quickly? Choosing Yes will automatically launch JX Online 2"
004B3608 |. |83F8 06 cmp eax, 6
004B360B |. |75 6F jnz short Dbtjx2.004B367C
004B360D |. |8B83 44050000 mov eax, dword ptr ds:[ebx+544]
004B3613 |. |BA AC364B00 mov edx, Dbtjx2.004B36AC ; so2game.exe
004B3618 |. |E8 2F1AF5FF call Dbtjx2.0040504C
004B361D |. |75 0D jnz short Dbtjx2.004B362C
004B361F |. |8D45 FC lea eax, dword ptr ss:[ebp-4]
004B3622 |. |BA 40374B00 mov edx, Dbtjx2.004B3740 ; package.ini 1
004B3627 |. |E8 9016F5FF call Dbtjx2.00404CBC
004B362C |> |BA D8364B00 mov edx, Dbtjx2.004B36D8 ; so2gamefree.exe
004B3631 |. |8B83 44050000 mov eax, dword ptr ds:[ebx+544]
004B3637 |. |E8 101AF5FF call Dbtjx2.0040504C
004B363C |. |75 0D jnz short Dbtjx2.004B364B
004B363E |. |8D45 FC lea eax, dword ptr ss:[ebp-4]
004B3641 |. |BA 58374B00 mov edx, Dbtjx2.004B3758 ; packagefree.ini 2
004B3646 |. |E8 7116F5FF call Dbtjx2.00404CBC
004B364B |> |8D45 F0 lea eax, dword ptr ss:[ebp-10]
004B364E |. |8B8B 44050000 mov ecx, dword ptr ds:[ebx+544]
004B3654 |. |8B93 40050000 mov edx, dword ptr ds:[ebx+540]
004B365A |. |E8 DD18F5FF call Dbtjx2.00404F3C
004B365F |. |8B45 F0 mov eax, dword ptr ss:[ebp-10]
004B3662 |. |8B55 FC mov edx, dword ptr ss:[ebp-4]
004B3665 |. |E8 32E9FFFF call Dbtjx2.004B1F9C
004B366A |. |EB 10 jmp short Dbtjx2.004B367C
004B366C |> \6A 00 push 0
004B366E |. B9 30374B00 mov ecx, Dbtjx2.004B3730 ; 信息
JX2 cheat download address:
http://ys-c.ys168.com/?JX2DBT.ra ... btht1btlju14z97f14z