|
|
提醒:若下载的软件是收费的"请不要付款",可能是骗子,请立即联系本站举报,执意要付款被骗后本站概不负责。(任何交易请走第三方中介,请勿直接付款交易以免被骗!切记).
本帖最后由 JolaSia 于 2015-2-8 17:25 编辑
写点东西,菜鸟也玩保护...
写点杂言,有错误之处也很难避免,希望大家指正...
说点题外话,很多朋友来经常问,要入门,该怎么做,很惭愧的说,至于网上那些教程,自己也没看过, 不过可以谈谈自己的几年下来的一些经验,可提供大家参考.有人说现在的程序都加强壳,还做 是不是还得去学脱壳?自己对壳没什么了解,不过自己调试过的游戏数量自己也记不清了,基本都是带壳调试,虽然不脱壳,起码加壳还是会的,那因为很现实的原因,必须保护自己的代码,想想现在的动不动就是VM,开句玩笑,那些壳方面的知识好是好,如果业余时间多,纯兴趣研究到可以.不过你得多久才能搞VM呢?等你到了能搞VM了,那不知道有什么M出来了,所以壳方面的东西,在做G方面不是必要的,可以在业余时间去分析研究.
也有朋友问,是不是先把汇编学的滚瓜乱熟,我觉得那东西必须学,尤其基本的必须掌握,象寄存器,函数调用规则,栈结构..等,尤其掌握好汇编和高级语言之间的关系,很简单的说,你能不能看懂代码,讲的具体点,你能不能针对分析的代码进行模拟或者调用.很多都说开发脱机等.你想想也能知道,假设你发现算法部分,如果你不能模拟,把算法部分扣出来,想做脱机我想很难,毕竟搞密码学的少数.
又有朋友问,我是不是得学ring 0方面的知识,我感觉适当了解是需要的,如果要深入,感觉不是必要的.现在的工具还是很多,即使工具搞不定,很多还是可以从ring 3 出发解决问题.
写的有点乱...废话就到这吧.
言归正转..机器里拿了2个游戏,做一些分析.分析的过程可能有一些跳跃和省去,因为都是以前分析了,拿到1个游戏,一般先确定游戏的主程序,现在很多游戏主程序都有commline,那首先取他的commline,方面我们OD直接启动他,跟踪启动过程.但是一些游戏虽然没有commline,但是依然不能正常启动,例如W美系列的游戏.第1个游戏,就拿W美降龙之剑说说.
游戏主程序client.exe,直接丢OD里,分析他的启动过程.分析的过程我就省去了,我们知道直接启动client.exe貌似不行的...经过调试发现1个关键函数..
0040ED40 . 55 push ebp
0040ED41 . 8BEC mov ebp,esp
0040ED43 . 83E4 F8 and esp,FFFFFFF8
0040ED46 . 6A FF push -1
0040ED48 . 68 B6349400 push client.009434B6 ; SE 处理程序安装
0040ED4D . 64:A1 0000000>mov eax,dword ptr fs:[0]
0040ED53 . 50 push eax
0040ED54 . 64:8925 00000>mov dword ptr fs:[0],esp
0040ED5B . 81EC 74060000 sub esp,674
0040ED61 . 53 push ebx
0040ED62 . 55 push ebp
0040ED63 . 8B2D 84529900 mov ebp,dword ptr ds:[<&KERNEL32.GetCurr>; kernel32.GetCurrentDirectoryA
0040ED69 . 56 push esi
0040ED6A . 57 push edi
0040ED6B . 8BF1 mov esi,ecx
0040ED6D . 33C0 xor eax,eax
0040ED6F . 33DB xor ebx,ebx
0040ED71 . 889C24 E00100>mov byte ptr ss:[esp+1E0],bl
0040ED78 . B9 3F000000 mov ecx,3F
0040ED7D . 8DBC24 E10100>lea edi,dword ptr ss:[esp+1E1]
0040ED84 . F3:AB rep stos dword ptr es:[edi]
0040ED86 . 66:AB stos word ptr es:[edi]
0040ED88 . 8D8424 E00100>lea eax,dword ptr ss:[esp+1E0]
0040ED8F . 50 push eax ; /Buffer
0040ED90 . 68 FF000000 push 0FF ; |BufSize = FF (255.)
0040ED95 . FFD5 call ebp ; \GetCurrentDirectoryA
0040ED97 . 8DBC24 E00100>lea edi,dword ptr ss:[esp+1E0]
0040ED9E . 4F dec edi
0040ED9F . 90 nop
0040EDA0 > 8A47 01 mov al,byte ptr ds:[edi+1]
0040EDA3 . 47 inc edi
0040EDA4 . 3AC3 cmp al,bl
0040EDA6 .^ 75 F8 jnz short client.0040EDA0
0040EDA8 . 66:8B0D 6C639>mov cx,word ptr ds:[99636C]
0040EDAF . 66:890F mov word ptr ds:[edi],cx
0040EDB2 . 8DBC24 E00100>lea edi,dword ptr ss:[esp+1E0]
0040EDB9 . 4F dec edi
0040EDBA . 8D9B 00000000 lea ebx,dword ptr ds:[ebx]
0040EDC0 > 8A47 01 mov al,byte ptr ds:[edi+1]
0040EDC3 . 47 inc edi
0040EDC4 . 3AC3 cmp al,bl
0040EDC6 .^ 75 F8 jnz short client.0040EDC0
0040EDC8 . 8B15 58639900 mov edx,dword ptr ds:[996358]
0040EDCE . A1 5C639900 mov eax,dword ptr ds:[99635C]
0040EDD3 . 8B0D 60639900 mov ecx,dword ptr ds:[996360]
0040EDD9 . 8917 mov dword ptr ds:[edi],edx
0040EDDB . 8B15 64639900 mov edx,dword ptr ds:[996364]
0040EDE1 . 8947 04 mov dword ptr ds:[edi+4],eax
0040EDE4 . A0 68639900 mov al,byte ptr ds:[996368]
0040EDE9 . 894F 08 mov dword ptr ds:[edi+8],ecx
0040EDEC . 8957 0C mov dword ptr ds:[edi+C],edx
0040EDEF . 8D4C24 1B lea ecx,dword ptr ss:[esp+1B]
0040EDF3 . 8847 10 mov byte ptr ds:[edi+10],al
0040EDF6 . E8 75F44500 call client.0086E270
0040EDFB . 6A 01 push 1
0040EDFD . 68 4C639900 push client.0099634C ; ASCII "client.exe"
0040EE02 . 8D4C24 23 lea ecx,dword ptr ss:[esp+23]
0040EE06 . 899C24 940600>mov dword ptr ss:[esp+694],ebx
0040EE0D . E8 5EB9FFFF call client.0040A770
0040EE12 . 6A 01 push 1
0040EE14 . 68 3C639900 push client.0099633C ; ASCII "client_r.exe"
0040EE19 . 8D4C24 23 lea ecx,dword ptr ss:[esp+23]
0040EE1D . 8BF8 mov edi,eax
0040EE1F . E8 4CB9FFFF call client.0040A770
0040EE24 . 33C9 xor ecx,ecx
0040EE26 . 03F8 add edi,eax
0040EE28 . 83FF 01 cmp edi,1
0040EE2B . 0F9EC1 setle cl
0040EE2E . 898E 88000000 mov dword ptr ds:[esi+88],ecx
0040EE34 . 8B15 1856A600 mov edx,dword ptr ds:[A65618]
0040EE3A . 52 push edx
0040EE3B . E8 60960500 call client.004684A0
0040EE40 . A1 785AA600 mov eax,dword ptr ds:[A65A78]
0040EE45 . 83C4 04 add esp,4
0040EE48 . 83F8 10 cmp eax,10
0040EE4B . A1 645AA600 mov eax,dword ptr ds:[A65A64]
0040EE50 . 73 05 jnb short client.0040EE57
0040EE52 . B8 645AA600 mov eax,client.00A65A64
0040EE57 > 50 push eax
0040EE58 . 8D8424 640100>lea eax,dword ptr ss:[esp+164]
0040EE5F . 68 78669900 push client.00996678 ; ASCII "%s"
0040EE64 . 50 push eax
0040EE65 . E8 B4BE4F00 call client.0090AD1E
0040EE6A . 8B0D 64669900 mov ecx,dword ptr ds:[996664]
0040EE70 . 8B15 68669900 mov edx,dword ptr ds:[996668]
0040EE76 . A1 6C669900 mov eax,dword ptr ds:[99666C]
0040EE7B . 83C4 0C add esp,0C
0040EE7E . 894C24 30 mov dword ptr ss:[esp+30],ecx
0040EE82 . 8B0D 70669900 mov ecx,dword ptr ds:[996670]
0040EE88 . 895424 34 mov dword ptr ss:[esp+34],edx
0040EE8C . 66:8B15 74669>mov dx,word ptr ds:[996674]
0040EE93 . 6A 02 push 2 ; /Priority = THREAD_PRIORITY_HIGHEST
0040EE95 . 894424 3C mov dword ptr ss:[esp+3C],eax ; |
0040EE99 . 894C24 40 mov dword ptr ss:[esp+40],ecx ; |
0040EE9D . 66:895424 44 mov word ptr ss:[esp+44],dx ; |
0040EEA2 . FF15 AC509900 call dword ptr ds:[<&KERNEL32.GetCurrent>; |[GetCurrentThread
0040EEA8 . 50 push eax ; |hThread
0040EEA9 . FF15 A8509900 call dword ptr ds:[<&KERNEL32.SetThreadP>; \SetThreadPriority
0040EEAF . 6A 60 push 60
0040EEB1 . E8 9A544300 call client.00844350
0040EEB6 . 83C4 04 add esp,4
0040EEB9 . 894424 14 mov dword ptr ss:[esp+14],eax
0040EEBD . 3BC3 cmp eax,ebx
0040EEBF . C68424 8C0600>mov byte ptr ss:[esp+68C],1
0040EEC7 . 74 0B je short client.0040EED4
0040EEC9 . 8BC8 mov ecx,eax
0040EECB . E8 20D42F00 call client.0070C2F0
0040EED0 . 8BF8 mov edi,eax
0040EED2 . EB 02 jmp short client.0040EED6
0040EED4 > 33FF xor edi,edi
0040EED6 > 3BFB cmp edi,ebx
0040EED8 . 889C24 8C0600>mov byte ptr ss:[esp+68C],bl
0040EEDF . 74 07 je short client.0040EEE8
0040EEE1 . 8B07 mov eax,dword ptr ds:[edi]
0040EEE3 . 8BXF mov ecx,edi
0040EEE5 . FF50 04 call dword ptr ds:[eax+4]
0040EEE8 > 8B8E A8000000 mov ecx,dword ptr ds:[esi+A8]
0040EEEE . 3BCB cmp ecx,ebx
0040EEF0 . 74 05 je short client.0040EEF7
0040EEF2 . 8B11 mov edx,dword ptr ds:[ecx]
0040EEF4 . FF52 08 call dword ptr ds:[edx+8]
0040EEF7 > 89BE A8000000 mov dword ptr ds:[esi+A8],edi
0040EEFD . E8 8E3E0000 call client.00412D90
0040EF02 . 68 48669900 push client.00996648 ; /Title = "<<W美-降龙之剑>>自动更新"
0040EF07 . 53 push ebx ; |Class
0040EF08 . FF15 D4539900 call dword ptr ds:[<&USER32.FindWindowA>>; \FindWindowA
0040EF0E . 894424 14 mov dword ptr ss:[esp+14],eax
0040EF12 . 33C0 xor eax,eax
0040EF14 . 885C24 60 mov byte ptr ss:[esp+60],bl
0040EF18 . B9 3F000000 mov ecx,3F
0040EF1D . 8D7C24 61 lea edi,dword ptr ss:[esp+61]
0040EF21 . F3:AB rep stos dword ptr es:[edi]
0040EF23 . 66:AB stos word ptr es:[edi]
0040EF25 . 8D4424 60 lea eax,dword ptr ss:[esp+60]
0040EF29 . 50 push eax
0040EF2A . 68 FF000000 push 0FF
0040EF2F . FFD5 call ebp
0040EF31 . 8D7C24 60 lea edi,dword ptr ss:[esp+60]
0040EF35 . 4F dec edi
0040EF36 > 8A47 01 mov al,byte ptr ds:[edi+1]
0040EF39 . 47 inc edi
0040EF3A . 3AC3 cmp al,bl
0040EF3C .^ 75 F8 jnz short client.0040EF36
0040EF3E . 8B0D 44669900 mov ecx,dword ptr ds:[996644] ; client.0050505C
0040EF44 . 8D4424 60 lea eax,dword ptr ss:[esp+60]
0040EF48 . 890F mov dword ptr ds:[edi],ecx
0040EF4A . C74424 5C 0F0>mov dword ptr ss:[esp+5C],0F
0040EF52 . 895C24 58 mov dword ptr ss:[esp+58],ebx
0040EF56 . 885C24 48 mov byte ptr ss:[esp+48],bl
0040EF5A . 8D50 01 lea edx,dword ptr ds:[eax+1]
0040EF5D . 8D49 00 lea ecx,dword ptr ds:[ecx]
0040EF60 > 8A08 mov cl,byte ptr ds:[eax]
0040EF62 . 40 inc eax
0040EF63 . 3ACB cmp cl,bl
0040EF65 .^ 75 F9 jnz short client.0040EF60
0040EF67 . 2BC2 sub eax,edx
0040EF69 . 50 push eax
0040EF6A . 8D5424 64 lea edx,dword ptr ss:[esp+64]
0040EF6E . 52 push edx
0040EF6F . 8D4C24 4C lea ecx,dword ptr ss:[esp+4C]
0040EF73 . E8 382XFFFF call client.00401BB0
0040EF78 . 8D4424 44 lea eax,dword ptr ss:[esp+44]
0040EF7C . 50 push eax
0040EF7D . C68424 900600>mov byte ptr ss:[esp+690],2
0040EF85 . E8 A6134300 call client.00840330
0040EF8A . 8B4C24 60 mov ecx,dword ptr ss:[esp+60]
0040EF8E . 83C4 04 add esp,4
0040EF91 . F7D8 neg eax
0040EF93 . 1AC0 sbb al,al
0040EF95 . FEC0 inc al
0040EF97 . 83F9 10 cmp ecx,10
0040EF9A . 884424 1F mov byte ptr ss:[esp+1F],al
0040EF9E . 889C24 8C0600>mov byte ptr ss:[esp+68C],bl
0040EFA5 72 11 jb short client.0040EFB8
0040EFA7 . 8B4C24 48 mov ecx,dword ptr ss:[esp+48]
0040EFAB . 51 push ecx
0040EFAC . E8 30B64F00 call client.0090A5E1
0040EFB1 . 8A4424 23 mov al,byte ptr ss:[esp+23]
0040EFB5 . 83C4 04 add esp,4
0040EFB8 > 3AC3 cmp al,bl
0040EFBA . 74 0D je short client.0040EFC9
0040EFBC . 8D5424 60 lea edx,dword ptr ss:[esp+60]
0040EFC0 . 52 push edx
0040EFC1 . E8 AEFD4F00 call client.0090ED74
0040EFC6 . 83C4 04 add esp,4
0040EFC9 8D7C24 60 lea edi,dword ptr ss:[esp+60]
0040EFCD 4F dec edi
0040EFCE . 8BFF mov edi,edi
0040EFD0 > 8A47 01 mov al,byte ptr ds:[edi+1]
0040EFD3 . 47 inc edi
0040EFD4 . 3AC3 cmp al,bl
0040EFD6 .^ 75 F8 jnz short client.0040EFD0
0040EFD8 . 66:A1 6C63990>mov ax,word ptr ds:[99636C]
0040EFDE . 66:8907 mov word ptr ds:[edi],ax
0040EFE1 . 68 D4AF84XF push XF84AFD4
0040EFE6 . E8 7981FFFF call client.00407164
0040EFEB $ FF3424 push dword ptr ss:[esp]
0040EFEE . 894C24 28 mov dword ptr ss:[esp+28],ecx
0040EFF2 . 66:0FB6E8 movzx bp,al
0040EFF6 . 66:0FCE bswap si
0040EFF9 . 5E pop esi
0040EFFA . 9C pushfd
0040EFFB . 8F4424 20 pop dword ptr ss:[esp+20]
0040EFFF . D3ED shr ebp,cl
0040F001 . 66:0FBDE9 bsr bp,cx
0040F005 . 66:0FCD bswap bp
0040F008 . 66:0FB3C5 btr bp,ax
0040F00C . 894424 1C mov dword ptr ss:[esp+1C],eax
0040F010 . 66:D3E6 shl si,cl
0040F013 . 0FACDE 0F shrd esi,ebx,0F
0040F017 . 66:09F5 or bp,si
0040F01A . 895424 18 mov dword ptr ss:[esp+18],edx
0040F01E . E9 A9C30000 jmp client.0041B3CC
0040F023 . FECA dec dl
0040F025 . 30C8 xor al,cl
0040F027 . 8B55 00 mov edx,dword ptr ss:[ebp]
0040F02A . C0F0 06 sal al,6
0040F02D . F5 cmc
0040F02E . F5 cmc
0040F02F . 24 57 and al,57
0040F031 . 83C5 02 add ebp,2
0040F034 . E8 CD83FFFF call client.00407406
0040F039 $ E9 BD900000 jmp client.004180FB
0040F03E > F6D2 not dl
0040F040 . F5 cmc
0040F041 . 66:894C24 08 mov word ptr ss:[esp+8],cx
0040F046 . 83ED 02 sub ebp,2
0040F049 . E8 46910000 call client.00418194
0040F04E > 9C pushfd
0040F04F . D2E0 shl al,cl
0040F051 . 53 push ebx
0040F052 66:8945 04 mov word ptr ss:[ebp+4],ax
0040F056 883424 mov byte ptr ss:[esp],dh
0040F059 E9 AEB80000 jmp client.0041A90C
0040F05E 894C24 24 mov dword ptr ss:[esp+24],ecx
0040F062 66:87F5 xchg bp,si
0040F065 55 push ebp
0040F066 E9 E7B20000 jmp client.0041A352
0040F06B 86E0 xchg al,ah
0040F06D 880424 mov byte ptr ss:[esp],al
0040F070 F6C6 E0 test dh,0E0
0040F073 53 push ebx
0040F074 66:29C3 sub bx,ax
0040F077 F5 cmc
0040F078 68 74D6F477 push 77F4D674 ; ASCII "QuoteRDNValue"
0040F07D 80FD 4C cmp ch,4C
0040F080 ^ E9 55B0FFFF jmp client.0040A0DA
0040F085 E8 93AE0000 call client.00419F1D
0040F08A 12E8 adc ch,al
0040F08C 40 inc eax
0040F08D 36:43 inc ebx
0040F08F 008B 08682C66 add byte ptr ds:[ebx+662C6808],cl
0040F095 99 cdq
0040F096 0050 FF add byte ptr ds:[eax-1],dl
0040F099 51 push ecx
0040F09A 108B 2DA05099 adc byte ptr ds:[ebx+9950A02D],cl
0040F0A0 0083 C4086800 add byte ptr ds:[ebx+6808C4],al
0040F0A6 4E dec esi
0040F0A7 A6 cmps byte ptr ds:[esi],byte ptr es:[edi]
0040F0A8 0053 6A add byte ptr ds:[ebx+6A],dl
0040F0AB 02FF add bh,bh
0040F0AD D5 8B aad 8B
0040F0AF F8 clc
0040F0B0 3BFB cmp edi,ebx
0040F0B2 74 0E je short client.0040F0C2
0040F0B4 . 57 push edi ; /hEvent
0040F0B5 . FF15 9C509900 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
0040F0BB . 57 push edi ; /hObject
0040F0BC . FF15 34529900 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
0040F0C2 > 68 1C669900 push client.0099661C ; ASCII "PPStartEvent"
0040F0C7 . 53 push ebx
0040F0C8 . 6A 02 push 2
0040F0CA . FFD5 call ebp
0040F0CC . 8BF8 mov edi,eax
0040F0CE . 3BFB cmp edi,ebx
0040F0D0 . 74 0E je short client.0040F0E0
0040F0D2 . 57 push edi ; /hEvent
0040F0D3 . FF15 9C509900 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
0040F0D9 . 57 push edi ; /hObject
0040F0DA . FF15 34529900 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
0040F0E0 > 6A 04 push 4
0040F0E2 . 889E 90000000 mov byte ptr ds:[esi+90],bl
0040F0E8 . E8 AE984E00 call client.008F899B
0040F0ED . 83C4 04 add esp,4
0040F0F0 . 894424 14 mov dword ptr ss:[esp+14],eax
0040F0F4 . 3BC3 cmp eax,ebx
0040F0F6 . C68424 8C0600>mov byte ptr ss:[esp+68C],3
0040F0FE . 74 09 je short client.0040F109
0040F100 . 8BC8 mov ecx,eax
0040F102 . E8 59690000 call client.00415A60
0040F107 . EB 02 jmp short client.0040F10B
0040F109 > 33C0 xor eax,eax
0040F10B > 889C24 8C0600>mov byte ptr ss:[esp+68C],bl
0040F112 . 8946 08 mov dword ptr ds:[esi+8],eax
0040F115 . E8 36F00400 call client.0045E150
0040F11A . 50 push eax
0040F11B . E8 D0EF0400 call client.0045E0F0
0040F120 . 8B4E 08 mov ecx,dword ptr ds:[esi+8]
0040F123 . 50 push eax
0040F124 . 8D9424 680100>lea edx,dword ptr ss:[esp+168]
0040F12B . 52 push edx
0040F12C . 8D4424 3C lea eax,dword ptr ss:[esp+3C]
0040F130 . 50 push eax
0040F131 . E8 3A8A0000 call client.00417B70
0040F136 . 85C0 test eax,eax
0040F138 . 75 0E jnz short client.0040F148
0040F13A . 6A 30 push 30
0040F13C . 53 push ebx
0040F13D . 68 08669900 push client.00996608
0040F142 . 53 push ebx
0040F143 . E9 CE000000 jmp client.0040F216
0040F148 > E8 83354300 call client.008426D0
0040F14D . 8B08 mov ecx,dword ptr ds:[eax]
0040F14F . 68 F0659900 push client.009965F0 ; ASCII "Create Window Sucess"
0040F154 . 50 push eax
0040F155 . FF51 10 call dword ptr ds:[ecx+10]
0040F158 . 6A 04 push 4
0040F15A . E8 3C984E00 call client.008F899B
0040F15F . 8BF8 mov edi,eax
0040F161 . 83C4 0C add esp,0C
0040F164 . 3BFB cmp edi,ebx
0040F166 . 74 11 je short client.0040F179
0040F168 . 8D5424 30 lea edx,dword ptr ss:[esp+30]
0040F16C . 52 push edx ; /MutexName
0040F16D . 53 push ebx ; |InitialOwner
0040F16E . 53 push ebx ; |pSecurity
0040F16F . FF15 64519900 call dword ptr ds:[<&KERNEL32.CreateMute>; \CreateMutexA
0040F175 . 8907 mov dword ptr ds:[edi],eax
0040F177 . EB 02 jmp short client.0040F17B
0040F179 > 33FF xor edi,edi
0040F17B > 8B46 08 mov eax,dword ptr ds:[esi+8]
0040F17E . 89BE 9C010000 mov dword ptr ds:[esi+19C],edi
0040F184 . 8B08 mov ecx,dword ptr ds:[eax]
0040F186 . 6A 05 push 5 ; /ShowState = SW_SHOW
0040F188 . 51 push ecx ; |hWnd
0040F189 . FF15 CC539900 call dword ptr ds:[<&USER32.ShowWindow>] ; \ShowWindow
0040F18F . 8B56 08 mov edx,dword ptr ds:[esi+8]
0040F192 . 8B02 mov eax,dword ptr ds:[edx]
0040F194 . 50 push eax ; /hWnd
0040F195 . FF15 C8539900 call dword ptr ds:[<&USER32.UpdateWindow>; \UpdateWindow
0040F19B . 8D8E 40010000 lea ecx,dword ptr ds:[esi+140]
0040F1A1 . 51 push ecx ; /pRect
0040F1A2 . FF15 C4539900 call dword ptr ds:[<&USER32.GetClipCurso>; \GetClipCursor
0040F1A8 . 8D9424 E00300>lea edx,dword ptr ss:[esp+3E0]
0040F1AF . 52 push edx ; /Buffer
0040F1B0 . 68 FF000000 push 0FF ; |BufSize = FF (255.)
0040F1B5 . FF15 84529900 call dword ptr ds:[<&KERNEL32.GetCurrent>; \GetCurrentDirectoryA
0040F1BB . 8D8424 E00300>lea eax,dword ptr ss:[esp+3E0]
0040F1C2 . 50 push eax
0040F1C3 . 8D8C24 840500>lea ecx,dword ptr ss:[esp+584]
0040F1CA . 68 E0659900 push client.009965E0 ; ASCII "%s\system.ini"
0040F1XF . 51 push ecx
0040F1D0 . E8 49BB4F00 call client.0090AD1E
0040F1D5 . A1 60FFA600 mov eax,dword ptr ds:[A6FF60]
0040F1DA . 83C4 0C add esp,0C
0040F1DD . 3BC3 cmp eax,ebx
0040F1DF . 0F85 30010000 jnz client.0040F315
0040F1E5 . E8 D62E4300 call client.008420C0
0040F1EA . 8B56 08 mov edx,dword ptr ds:[esi+8]
0040F1ED . 8B02 mov eax,dword ptr ds:[edx]
0040F1EF . 6A 01 push 1
0040F1F1 . 53 push ebx
0040F1F2 . 50 push eax
0040F1F3 . E8 582F4300 call client.00842150
0040F1F8 . 83C4 0C add esp,0C
0040F1FB . 3BC3 cmp eax,ebx
0040F1FD . A3 60FFA600 mov dword ptr ds:[A6FF60],eax
0040F202 . 75 44 jnz short client.0040F248
0040F204 . 8B4E 08 mov ecx,dword ptr ds:[esi+8]
0040F207 . 8B11 mov edx,dword ptr ds:[ecx]
0040F209 . 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0040F20B . 68 D0659900 push client.009965D0 ; |Title = "DirectX3D异常"
0040F210 . 68 70659900 push client.00996570 ; |Text = "未发现DirectX3D设备,请确认未禁用3D加速功能且测试Direct 3D通过, 或更新最新的显卡驱动后再尝试游戏"
0040F215 . 52 push edx ; |hOwner
0040F216 > FF15 8C539900 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
0040F21C . 8D4C24 1B lea ecx,dword ptr ss:[esp+1B]
0040F220 . C78424 8C0600>mov dword ptr ss:[esp+68C],-1
0040F22B . E8 D01DFFFF call client.00401000
0040F230 . 33C0 xor eax,eax
0040F232 . 8B8C24 840600>mov ecx,dword ptr ss:[esp+684]
0040F239 . 64:890D 00000>mov dword ptr fs:[0],ecx
0040F240 . 5F pop edi
0040F241 . 5E pop esi
0040F242 . 5D pop ebp
0040F243 . 5B pop ebx
0040F244 . 8BE5 mov esp,ebp
0040F246 . 5D pop ebp
0040F247 . C3 retn
经过分析, 发现1个关键判断,主要 判断是不是登陆器启动
0040EFA5 /72 11 jb short client.0040EFB8
下面的信息可以看到和启动保护有关,那我们能不能跳过呢?
由于VM的关系, 那OD 分析出来的代码可能有点问题..
看看正常的代码。。。
0040F08B E8 40364300 call client.008426D0
0040F090 8B08 mov ecx,dword ptr ds:[eax]
0040F092 68 2C669900 push client.0099662C ; ASCII "PP Sucess"
0040F097 50 push eax
0040F098 FF51 10 call dword ptr ds:[ecx+10]
0040F09B 8B2D A0509900 mov ebp,dword ptr ds:[<&KERNEL32.OpenEve>; kernel32.OpenEventA
0040F0A1 83C4 08 add esp,8
0040F0A4 68 004EA600 push client.00A64E00 ; ASCII "PP_XLZJ_EventA"
0040F0A9 53 push ebx
0040F0AA 6A 02 push 2
0040F0AC FFD5 call ebp
0040F0AE 8BF8 mov edi,eax
0040F0B0 3BFB cmp edi,ebx
0040F0B2 74 0E je short client.0040F0C2
0040F0B4 . 57 push edi ; /hEvent
0040F0B5 . FF15 9C509900 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
0040F0BB . 57 push edi ; /hObject
0040F0BC . FF15 34529900 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
0040F0C2 > 68 1C669900 push client.0099661C ; ASCII "PPStartEvent"
0040F0C7 . 53 push ebx
0040F0C8 . 6A 02 push 2
0040F0CA . FFD5 call ebp
0040F0CC . 8BF8 mov edi,eax
0040F0CE . 3BFB cmp edi,ebx
0040F0D0 . 74 0E je short client.0040F0E0
0040F0D2 . 57 push edi ; /hEvent
0040F0D3 . FF15 9C509900 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
0040F0D9 . 57 push edi ; /hObject
0040F0DA . FF15 34529900 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
0040F0E0 > 6A 04 push 4
0040F0E2 . 889E 90000000 mov byte ptr ds:[esi+90],bl
0040F0E8 . E8 AE984E00 call client.008F899B
0040F0ED . 83C4 04 add esp,4
0040F0F0 . 894424 14 mov dword ptr ss:[esp+14],eax
0040F0F4 . 3BC3 cmp eax,ebx
0040F0F6 . C68424 8C0600>mov byte ptr ss:[esp+68C],3
0040F0FE . 74 09 je short client.0040F109
那我们找1个位置 给他JMP过来....
这样游戏可以正常跑起来了.
游戏跑起来后,发现大概2分钟左右,游戏即退出,那说明客户端还有校验....
那要稳定一些调试,那肯定需要解决这个问题...
经过分析..
游戏出错是由于异常导致的...其中必须经过1个函数
0090A6A9 /> /55 push ebp
0090A6AA |. |8BEC mov ebp,esp
0090A6AC |. |83EC 04 sub esp,4
0090A6AF |. |53 push ebx
0090A6B0 |. |56 push esi
0090A6B1 |. |57 push edi
0090A6B2 |. |FC cld
0090A6B3 |. |8945 FC mov [local.1],eax
0090A6B6 |. |33C0 xor eax,eax
0090A6B8 |. |50 push eax
0090A6B9 |. |50 push eax
0090A6BA |. |50 push eax
0090A6BB |. |FF75 FC push [local.1]
0090A6BE |. |FF75 14 push [arg.4]
0090A6C1 |. |FF75 10 push [arg.3]
0090A6C4 |. |FF75 0C push [arg.2]
0090A6C7 |. |FF75 08 push [arg.1]
0090A6CA |. |E8 04720000 call client.009118D3
0090A6XF |. |83C4 20 add esp,20
0090A6D2 |. |8945 FC mov [local.1],eax
0090A6D5 |. |5F pop edi
0090A6D6 |. |5E pop esi
0090A6D7 |. |5B pop ebx
0090A6D8 |. |8B45 FC mov eax,[local.1]
0090A6DB |. |8BE5 mov esp,ebp
0090A6DD |. |5D pop ebp
0090A6DE \. |C3 retn
发现调用的地方..
0094354C $ B8 A403A000 mov eax,client.00A003A4 ; 结构异常处理程序
00943551 .^ E9 5371FXFF jmp client.0090A6A9
00943556 CC int3
下断...
我们在堆栈里翻翻...
.....
0012F834 |7C92E48A 返回到 ntdll.KiUserApcDispatcher+3A 来自 ntdll.7C94A970
0012F838 |00000000
0012F83C |0012F864
0012F840 |0012F848
0012F844 |0012F864
0012F848 |C0000005
0012F84C |00000000
0012F850 |00000000
0012F854 |00AC94CD client.00AC94CD
C0000005 这样的异常 我就不解释了,
client.00AC94CD 是什么 我们进去看看...
00AC94CD CD 22 int 22
原来00AC94CD 是int22,执行到这后触发异常,程序无法处理.所以退出了.那把 00AC94CD nop掉2个字节即可...
这下客户端他老实了...正常调试.
现在NP,HS,XTrap的保护越来越多,国内还有TP,GPK 之流,越来越多, 面对这些保护,如果你无法从ring 0上对抗,那是不是真的一点办法都没有呢?
我简单介绍下我处理国外某XTrap保护下的游戏.
首先用OD 启动他的主程序...
发现关键CALL
005F4EF0 /$ 81EC 44070000 sub esp,744
005F4EF6 |. 53 push ebx
005F4EF7 |. 56 push esi
005F4EF8 |. 57 push edi
005F4EF9 |. 33DB xor ebx,ebx
005F4EFB |. B9 4A000000 mov ecx,4A
005F4F00 |. 33C0 xor eax,eax
005F4F02 |. 8DBC24 29020000 lea edi,dword ptr ss:[esp+229]
005F4F09 |. 889C24 28020000 mov byte ptr ss:[esp+228],bl
005F4F10 |. F3:AB rep stos dword ptr es:[edi]
005F4F12 |. 66:AB stos word ptr es:[edi]
005F4F14 |. AA stos byte ptr es:[edi]
005F4F15 |. B9 40000000 mov ecx,40
005F4F1A |. 33C0 xor eax,eax
005F4F1C |. 8DBC24 59040000 lea edi,dword ptr ss:[esp+459]
005F4F23 |. 889C24 58040000 mov byte ptr ss:[esp+458],bl
005F4F2A |. F3:AB rep stos dword ptr es:[edi]
005F4F2C |. 66:AB stos word ptr es:[edi]
005F4F2E |. AA stos byte ptr es:[edi]
005F4F2F |. B9 40000000 mov ecx,40
005F4F34 |. 33C0 xor eax,eax
005F4F36 |. 8DBC24 25010000 lea edi,dword ptr ss:[esp+125]
005F4F3D |. 889C24 24010000 mov byte ptr ss:[esp+124],bl
005F4F44 |. F3:AB rep stos dword ptr es:[edi]
005F4F46 |. 66:AB stos word ptr es:[edi]
005F4F48 |. AA stos byte ptr es:[edi]
005F4F49 |. B9 40000000 mov ecx,40
005F4F4E |. 33C0 xor eax,eax
005F4F50 |. 8DBC24 55030000 lea edi,dword ptr ss:[esp+355]
005F4F57 |. 889C24 54030000 mov byte ptr ss:[esp+354],bl
005F4F5E |. F3:AB rep stos dword ptr es:[edi]
005F4F60 |. 66:AB stos word ptr es:[edi]
005F4F62 |. AA stos byte ptr es:[edi]
005F4F63 |. E8 78060000 call Fiesta.005F55E0
005F4F68 |. 8BB424 54070000 mov esi,dword ptr ss:[esp+754]
005F4F6F |. 56 push esi
005F4F70 |. 68 209F8300 push Fiesta.00839F20 ; ASCII "%s"
005F4F75 |. 68 F2C89000 push Fiesta.0090C8F2
005F4F7A |. E8 C8F31700 call Fiesta.00774347
005F4F7F |. 83C4 0C add esp,0C
005F4F82 |. 81C6 80000000 add esi,80
005F4F88 |. 56 push esi
005F4F89 |. 68 209F8300 push Fiesta.00839F20 ; ASCII "%s"
005F4F8E |. 68 E0C69000 push Fiesta.0090C6E0
005F4F93 |. E8 AFF31700 call Fiesta.00774347
005F4F98 |. 83C4 0C add esp,0C
005F4F9B |. C705 D8C59000 410000D5 mov dword ptr ds:[90C5D8],D5000041
005F4FA5 |. C705 D4C59000 000000E5 mov dword ptr ds:[90C5D4],E5000000
005F4FAF |. 68 A89D8300 push Fiesta.00839DA8 ; ASCII "211.115.86.66"
005F4FB4 |. 68 209F8300 push Fiesta.00839F20 ; ASCII "%s"
005F4FB9 |. 68 ECC79000 push Fiesta.0090C7EC
005F4FBE |. E8 84F31700 call Fiesta.00774347
005F4FC3 |. 8BB424 64070000 mov esi,dword ptr ss:[esp+764]
005F4FCA |. 83C4 0C add esp,0C
005F4FCD |. 66:C705 F0C89000 7809 mov word ptr ds:[90C8F0],978
005F4FD6 |. 56 push esi ; /String
005F4FD7 |. FF15 90F17B00 call dword ptr ds:[<&KERNEL32.lstrlenA>] ; \lstrlenA
005F4FDD |. 85C0 test eax,eax
005F4FDF |. 75 74 jnz short Fiesta.005F5055
005F4FE1 |. 8D8424 54030000 lea eax,dword ptr ss:[esp+354]
005F4FE8 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
005F4FED |. 50 push eax ; |PathBuffer
005F4FEE |. 53 push ebx ; |hModule
005F4FEF |. FF15 CXF17B00 call dword ptr ds:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA
005F4FF5 |. 85C0 test eax,eax
005F4FF7 |. 75 2D jnz short Fiesta.005F5026
005F4FF9 |. FF15 9XF07B00 call dword ptr ds:[<&KERNEL32.GetLastErr>; [GetLastError
005F4FFF |. 6A 01 push 1
005F5001 |. 50 push eax
005F5002 |. 6A 11 push 11
005F5004 |. 68 50CC9000 push Fiesta.0090CC50
005F5009 |. E8 E2400000 call Fiesta.005F90F0
005F500E |. 83C4 10 add esp,10
005F5011 |. 891D 44C49000 mov dword ptr ds:[90C444],ebx
005F5017 |. E8 C42A0000 call Fiesta.005F7AE0
005F501C |. 5F pop edi
005F501D |. 5E pop esi
005F501E |. 5B pop ebx
005F501F |. 81C4 44070000 add esp,744
005F5025 |. C3 retn
005F5026 |> 8D8C24 58040000 lea ecx,dword ptr ss:[esp+458]
005F502D |. 8D9424 54030000 lea edx,dword ptr ss:[esp+354]
005F5034 |. 51 push ecx
005F5035 |. 52 push edx
005F5036 |. E8 85360000 call Fiesta.005F86C0
005F503B |. 83C4 08 add esp,8
005F503E |. 8D8424 58040000 lea eax,dword ptr ss:[esp+458]
005F5045 |. 8D8C24 24010000 lea ecx,dword ptr ss:[esp+124]
005F504C |. 50 push eax
005F504D |. 68 149F8300 push Fiesta.00839F14 ; ASCII "%s\XTrap"
005F5052 |. 51 push ecx
005F5053 |. EB 0E jmp short Fiesta.005F5063
005F5055 |> 56 push esi
005F5056 |. 8D9424 28010000 lea edx,dword ptr ss:[esp+128]
005F505D |. 68 149F8300 push Fiesta.00839F14 ; ASCII "%s\XTrap"
005F5062 |. 52 push edx
005F5063 |> E8 DFF21700 call Fiesta.00774347
005F5068 |. 83C4 0C add esp,0C
005F506B |. 8D8424 28020000 lea eax,dword ptr ss:[esp+228]
005F5072 |. 8D8C24 24010000 lea ecx,dword ptr ss:[esp+124]
005F5079 |. 50 push eax
005F507A |. 68 B0C59000 push Fiesta.0090C5B0
005F507F |. 51 push ecx
005F5080 |. E8 AB230000 call Fiesta.005F7430
005F5085 |. 8B8424 58020000 mov eax,dword ptr ss:[esp+258]
005F508C |. 83C4 0C add esp,0C
005F508F |. 83F8 02 cmp eax,2
005F5092 |. 0F84 B6010000 je Fiesta.005F524E
005F5098 |. 3D 01500A00 cmp eax,0A5001
005F509D |. 0F84 AB010000 je Fiesta.005F524E
005F50A3 |. B9 40000000 mov ecx,40
005F50A8 |. 33C0 xor eax,eax
005F50AA |. 8D7C24 21 lea edi,dword ptr ss:[esp+21]
005F50AE |. 885C24 20 mov byte ptr ss:[esp+20],bl
005F50B2 |. F3:AB rep stos dword ptr es:[edi]
005F50B4 |. 66:AB stos word ptr es:[edi]
005F50B6 |. 33D2 xor edx,edx
005F50B8 |. 68 089F8300 push Fiesta.00839F08 ; ASCII "XTrapVa.dll"
005F50BD |. 895424 14 mov dword ptr ss:[esp+14],edx
005F50C1 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
005F50C5 |. AA stos byte ptr es:[edi]
005F50C6 |. 8D8424 28010000 lea eax,dword ptr ss:[esp+128]
005F50CD |. 895424 18 mov dword ptr ss:[esp+18],edx
005F50D1 |. 50 push eax
005F50D2 |. 895424 20 mov dword ptr ss:[esp+20],edx
005F50D6 |. 68 009F8300 push Fiesta.00839F00 ; ASCII "%s\%s"
005F50DB |. 51 push ecx
005F50DC |. 895C24 1C mov dword ptr ss:[esp+1C],ebx
005F50E0 |. 895424 2C mov dword ptr ss:[esp+2C],edx
005F50E4 |. E8 5EF21700 call Fiesta.00774347
005F50E9 |. 8D5424 1C lea edx,dword ptr ss:[esp+1C]
005F50ED |. 8D4424 30 lea eax,dword ptr ss:[esp+30]
005F50F1 |. 52 push edx
005F50F2 |. 50 push eax
005F50F3 |. E8 F8350000 call Fiesta.005F86F0
005F50F8 |. 83C4 18 add esp,18
005F50FB |. 8D8C24 24010000 lea ecx,dword ptr ss:[esp+124]
005F5102 |. 8D5424 20 lea edx,dword ptr ss:[esp+20]
005F5106 |. 68 F89E8300 push Fiesta.00839EF8 ; ASCII "*.xtp"
005F510B |. 51 push ecx
005F510C |. 68 009F8300 push Fiesta.00839F00 ; ASCII "%s\%s"
005F5111 |. 52 push edx
005F5112 |. E8 30F21700 call Fiesta.00774347
005F5117 |. 8D4424 20 lea eax,dword ptr ss:[esp+20]
005F511B |. 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
005F511F |. 50 push eax
005F5120 |. 51 push ecx
005F5121 |. E8 CA350000 call Fiesta.005F86F0
005F5126 |. 83C4 18 add esp,18
005F5129 |. 8D9424 24010000 lea edx,dword ptr ss:[esp+124]
005F5130 |. 8D4424 20 lea eax,dword ptr ss:[esp+20]
005F5134 |. 68 EC9E8300 push Fiesta.00839EEC ; ASCII "XTrap.XT"
005F5139 |. 52 push edx
005F513A |. 68 009F8300 push Fiesta.00839F00 ; ASCII "%s\%s"
005F513F |. 50 push eax
005F5140 |. E8 02F21700 call Fiesta.00774347
005F5145 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
005F5149 |. 8D5424 30 lea edx,dword ptr ss:[esp+30]
005F514D |. 51 push ecx
005F514E |. 52 push edx
005F514F |. E8 9C350000 call Fiesta.005F86F0
005F5154 |. 83C4 18 add esp,18
005F5157 |. 8D8424 24010000 lea eax,dword ptr ss:[esp+124]
005F515E |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
005F5162 |. 68 E49E8300 push Fiesta.00839EE4 ; ASCII "*.dll"
005F5167 |. 50 push eax
005F5168 |. 68 009F8300 push Fiesta.00839F00 ; ASCII "%s\%s"
005F516D |. 51 push ecx
005F516E |. E8 D4F11700 call Fiesta.00774347
005F5173 |. 8D5424 28 lea edx,dword ptr ss:[esp+28]
005F5177 |. 8D4424 30 lea eax,dword ptr ss:[esp+30]
005F517B |. 52 push edx
005F517C |. 50 push eax
005F517D |. E8 6E350000 call Fiesta.005F86F0
005F5182 |. 83C4 18 add esp,18
005F5185 |. 8D8C24 24010000 lea ecx,dword ptr ss:[esp+124]
005F518C |. 8D5424 20 lea edx,dword ptr ss:[esp+20]
005F5190 |. 68 E09E8300 push Fiesta.00839EE0 ; ASCII "*.*"
005F5195 |. 51 push ecx
005F5196 |. 68 009F8300 push Fiesta.00839F00 ; ASCII "%s\%s"
005F519B |. 52 push edx
005F519C |. E8 A6F11700 call Fiesta.00774347
005F51A1 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
005F51A5 |. 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
005F51A9 |. 50 push eax
005F51AA |. 51 push ecx
005F51AB |. E8 40350000 call Fiesta.005F86F0
005F51B0 |. 8B8424 64020000 mov eax,dword ptr ss:[esp+264]
005F51B7 |. 83C4 18 add esp,18
005F51BA |. 3D 0B500A00 cmp eax,0A500B
005F51BF |. 75 45 jnz short Fiesta.005F5206
005F51C1 |. 8B4424 1C mov eax,dword ptr ss:[esp+1C]
005F51C5 |. 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
005F51C9 |. 8D9424 24010000 lea edx,dword ptr ss:[esp+124]
005F51D0 |. 52 push edx
005F51D1 |. 8B5424 18 mov edx,dword ptr ss:[esp+18]
005F51D5 |. 50 push eax
005F51D6 |. 8B4424 18 mov eax,dword ptr ss:[esp+18]
005F51DA |. 51 push ecx
005F51DB |. 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
005F51DF |. 52 push edx
005F51E0 |. 8B15 ECCD9000 mov edx,dword ptr ds:[90CDEC]
005F51E6 |. 50 push eax
005F51E7 |. A1 F0CD9000 mov eax,dword ptr ds:[90CDF0]
005F51EC |. 51 push ecx
005F51ED |. 52 push edx
005F51EE |. 50 push eax
005F51EF |. 8D8C24 7C050000 lea ecx,dword ptr ss:[esp+57C]
005F51F6 |. 68 C49E8300 push Fiesta.00839EC4 ; ASCII "%08X.(%d).%d.%d.%d.%d.%d.%s"
005F51FB |. 51 push ecx
005F51FC |. E8 46F11700 call Fiesta.00774347
005F5201 |. 83C4 28 add esp,28
005F5204 |. EB 1E jmp short Fiesta.005F5224
005F5206 |> 8D9424 54020000 lea edx,dword ptr ss:[esp+254]
005F520D |. 52 push edx
005F520E |. 50 push eax
005F520F |. 8D8424 64050000 lea eax,dword ptr ss:[esp+564]
005F5216 |. 68 BC9E8300 push Fiesta.00839EBC ; ASCII "%08X.%s"
005F521B |. 50 push eax
005F521C |. E8 26F11700 call Fiesta.00774347
005F5221 |. 83C4 10 add esp,10
005F5224 |> 8B0D ECCD9000 mov ecx,dword ptr ds:[90CDEC]
005F522A |. 6A 03 push 3
005F522C |. 51 push ecx
005F522D |. 8D9424 64050000 lea edx,dword ptr ss:[esp+564]
005F5234 |. 6A 11 push 11
005F5236 |. 52 push edx
005F5237 |. E8 B43E0000 call Fiesta.005F90F0
005F523C |. 83C4 10 add esp,10
005F523F |. E8 9C280000 call Fiesta.005F7AE0
005F5244 |. 5F pop edi
005F5245 |. 5E pop esi
005F5246 |. 5B pop ebx
005F5247 |. 81C4 44070000 add esp,744
005F524D |. C3 retn
005F524E |> B9 18000000 mov ecx,18
005F5253 |. 8DB424 54020000 lea esi,dword ptr ss:[esp+254]
005F525A |. BF F0CB9000 mov edi,Fiesta.0090CBF0
005F525F |. 83E8 02 sub eax,2
005F5262 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
005F5264 |. 74 0D je short Fiesta.005F5273
005F5266 |. 2D FF4F0A00 sub eax,0A4FFF
005F526B |. 891D 44C49000 mov dword ptr ds:[90C444],ebx
005F5271 |. 75 0A jnz short Fiesta.005F527D
005F5273 |> C705 44C49000 01000000 mov dword ptr ds:[90C444],1
005F527D |> 8D8424 28020000 lea eax,dword ptr ss:[esp+228]
005F5284 |. 50 push eax
005F5285 |. E8 362D0000 call Fiesta.005F7FC0
005F528A |. 8B8424 50020000 mov eax,dword ptr ss:[esp+250]
005F5291 |. 83C4 04 add esp,4
005F5294 |. 83F8 02 cmp eax,2
005F5297 |. 74 41 je short Fiesta.005F52DA
005F5299 |. 8B0D ECCD9000 mov ecx,dword ptr ds:[90CDEC]
005F529F |. 8B15 F0CD9000 mov edx,dword ptr ds:[90CDF0]
005F52A5 |. 51 push ecx
005F52A6 |. 52 push edx
005F52A7 |. 50 push eax
005F52A8 |. 8D8424 68050000 lea eax,dword ptr ss:[esp+568]
005F52AF |. 68 AC9E8300 push Fiesta.00839EAC ; ASCII "%08X.%08x.(%d)"
005F52B4 |. 50 push eax
005F52B5 |. E8 8DF01700 call Fiesta.00774347
005F52BA |. 8B0D F0CD9000 mov ecx,dword ptr ds:[90CDF0]
005F52C0 |. 6A 12 push 12
005F52C2 |. 51 push ecx
005F52C3 |. 8D9424 78050000 lea edx,dword ptr ss:[esp+578]
005F52CA |. 6A 11 push 11
005F52CC |. 52 push edx
005F52CD |. E8 1E3E0000 call Fiesta.005F90F0
005F52D2 |. 83C4 24 add esp,24
005F52D5 |. E8 06280000 call Fiesta.005F7AE0
005F52DA |> 5F pop edi
005F52DB |. 5E pop esi
005F52DC |. C705 E8CD9000 00010000 mov dword ptr ds:[90CDE8],100
005F52E6 |. 5B pop ebx
005F52E7 |. 81C4 44070000 add esp,744
005F52ED \. C3 retn
其中发现 关键CALL
005F5080 |. E8 AB230000 call Fiesta.005F7430
这个Call执行后启动保护.
OD 跟进后 发现为无参函数,所以直接retn,不给保护启动.
发现下面call出来还有1个返回值校验.
005F5098 |. 3D 01500A00 cmp eax,0A5001
那找个位置,写进去
005F5085 |. 8B8424 58020000 mov eax,dword ptr ss:[esp+258]
改成
005F5085 B8 01500A00 mov eax,0A5001
005F508A 90 nop
005F508B 90 nop
这边总结下,各类型保护启动的过程都有返回值校验,象np,hs,gpk等.
到此发现OD可以正常启动游戏... 发现角色游戏后,1分钟左右,客户端关闭,那说明保护有通信,那我们真的是不是无能为力呢?
不急,等等慢慢道来.
因为客户端关闭,还是比较容易处理的,经过几处修改,发现客户端已经很听话了,不关闭,但是角色一段时间后掉线.那说明XTrap和服务端还是存在通信的...
那必须找出通讯关键处,经过调试发现..
005F77F0 /$ A1 C0CD9000 mov eax,dword ptr ds:[90CDC0] ; XTrapVa.dll_Base判断....
005F77F5 |. 85C0 test eax,eax
005F77F7 |. 75 05 jnz short Fiesta.005F77FE ; 强制跳
005F77F9 |. E8 E2020000 call Fiesta.005F7AE0 ; 做坏事
005F77FE |> 8B4424 14 mov eax,dword ptr ss:[esp+14]
005F7802 |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
005F7806 |. 8B5424 0C mov edx,dword ptr ss:[esp+C]
005F780A |. 50 push eax
005F780B |. 8B4424 0C mov eax,dword ptr ss:[esp+C]
005F780F |. 51 push ecx
005F7810 |. 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
005F7814 |. 52 push edx
005F7815 |. 50 push eax
005F7816 |. 51 push ecx
005F7817 |. FF15 FCCD9000 call dword ptr ds:[90CDFC] ; XTrapVa.dll_Base+A4A0 通信函数调用
005F781D |. 83C4 14 add esp,14
005F7820 \. C3 retn
所以代码上处理就简单了.
说一下我的处理方式,我是直接复制出XTrapVa.dll,改名为a.dll,这是为了避免XTrap的更新,去重复更新这部分,因为一般情况下这类保护算法上是不会有大变动的.
if XX = 0 then
begin
XX:= LoadLibrary('a.dll');
//PDWORD($0090CDC0)^:= XX; //BASE 不能写进去,写进去后触发更多判断...
PDWORD($0090CDFC)^:= XX+$A4A0; //通信CALL写进去...
end;
至于 //PDWORD($0090CDC0)^:= XX; //为什么不写进去,具体的游戏还是得分析.我是直接强制跳
联系我时,请说是在 挂海论坛 上看到的,谢谢! |
上一篇: 小试DirectX游戏CPU优化下一篇: 脱机写作——参考参考
免责声明:
1、本主题所有言论和图片纯属会员个人意见,与本论坛立场无关。一切关于该内容及资源商业行为与www.52ghai.com无关。
2、本站提供的一切资源内容信息仅限用于学习和研究目的;不得将上述内容用于商业或者非法用途,否则,一切后果请用户自负。
3、本站信息来自第三方用户,非本站自制,版权归原作者享有,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
4、如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵犯你版权的,请邮件与我们联系删除(邮箱:xhzlw@foxmail.com),本站将立即改正。
|
好评
贡献
海币
交易币
发表于 2015-2-8 17:20:16
收藏
转播
淘帖
支持
反对
提升卡
置顶卡
变色卡
千斤顶
照妖镜