2003-12-12, 03:29 AM   #1
psac
An example of cracking an RO bot; I hope this one wasn't made by someone in the circle. Anyone who needs the EXE file, go to http://www.ipbcn.org/forum/ and look for it.

Crack target: 魅力傳說 2.802
Software function: Ragnarok Online (仙境傳說) bot
Download link: http://www.51ro.com/download/Ro2802_CN_Setup.exe
Cracking tools: AsprStripperXP_v123, DEDE 3.5, QVIEW 2.80

**************************************************************************************************
First unpack it with AsprStripperXP_v123; it works well, nothing more to say.
A quick look shows it was compiled with Delphi 6, so DEDE is the natural first choice for analysis.
My entry point for the crack is its "Login" command. The description below is fairly brief; anyone who has used DEDE should be able to follow it.

Click Procedures->MainUnit, double-click the ALoginExecute event on the right, and enter the disassembly view:
=======================================================================
0050BB47 8D55F8 lea edx, [ebp-$08]
* Reference to control EdtPlayerName : TbsSkinEdit
0050BB4A 8B8340070000 mov eax, [ebx+$0740]
* Reference to : TCustomMaskEdit._PROC_004949EC()
0050BB50 E8978EF8FF call 004949EC ;read NAME
0050BB55 8B55F8 mov edx, [ebp-$08]
0050BB58 A150205100 mov eax, dword ptr [$00512050] ;NAME
0050BB5D E8B690EFFF call 00404C18
0050BB62 8D55F4 lea edx, [ebp-$0C]
* Reference to control EdtPlayerPwd : TbsSkinEdit
0050BB65 8B8344070000 mov eax, [ebx+$0744]
* Reference to : TCustomMaskEdit._PROC_004949EC()
0050BB6B E87C8EF8FF call 004949EC ;read PASSWORD
0050BB70 8B55F4 mov edx, [ebp-$0C]
0050BB73 A144225100 mov eax, dword ptr [$00512244] ;PASSWORD
0050BB78 E89B90EFFF call 00404C18
0050BB7D A144225100 mov eax, dword ptr [$00512244]
0050BB82 8B00 mov eax, [eax]
0050BB84 E8F392EFFF call 00404E7C ;get PASSWORD length
0050BB89 83F804 cmp eax, +$04 ;PASSWORD length must not be less than 4
0050BB8C 0F8CC8000000 jl 0050BC5A
* Reference to control cbServIP : TbsSkinComboBox
0050BB92 8B833C070000 mov eax, [ebx+$073C]
* Reference to : TbsSkinUpDown._PROC_004A36D0()
0050BB98 E8337BF9FF call 004A36D0
0050BB9D 50 push eax
* Reference to control cbServIP : TbsSkinComboBox
0050BB9E 8B833C070000 mov eax, [ebx+$073C]
* Reference to : TbsSkinUpDown._PROC_004A3B2C()
0050BBA4 E8837FF9FF call 004A3B2C
0050BBA9 8D4DF0 lea ecx, [ebp-$10]
0050BBAC 5A pop edx
0050BBAD 8B30 mov esi, [eax]
0050BBAF FF560C call dword ptr [esi+$0C]
0050BBB2 8B45F0 mov eax, [ebp-$10]
0050BBB5 E8127BFFFF call 005036CC
* Reference to control cbCharList : TbsSkinComboBox
0050BBBA 8B8338070000 mov eax, [ebx+$0738]
* Reference to : TbsSkinUpDown._PROC_004A36D0()
0050BBC0 E80B7BF9FF call 004A36D0
0050BBC5 8B15F41E5100 mov edx, [$00511EF4]
0050BBCB 8802 mov [edx], al
* Reference to control cbServIP : TbsSkinComboBox
0050BBCD 8B833C070000 mov eax, [ebx+$073C]
* Reference to : TbsSkinUpDown._PROC_004A36D0()
0050BBD3 E8F87AF9FF call 004A36D0
0050BBD8 8B15A0215100 mov edx, [$005121A0]
0050BBDE 894204 mov [edx+$04], eax
0050BBE1 A1F41E5100 mov eax, dword ptr [$00511EF4]
0050BBE6 0FB600 movzx eax, byte ptr [eax]
0050BBE9 8B15A0215100 mov edx, [$005121A0]
0050BBEF 8902 mov [edx], eax
0050BBF1 8D55EC lea edx, [ebp-$14]
* Reference to control EdtPlayerName : TbsSkinEdit
0050BBF4 8B8340070000 mov eax, [ebx+$0740]
* Reference to : TCustomMaskEdit._PROC_004949EC()
0050BBFA E8ED8DF8FF call 004949EC
0050BBFF 8B55EC mov edx, [ebp-$14]
0050BC02 A1FC215100 mov eax, dword ptr [$005121FC]
0050BC07 E80C90EFFF call 00404C18
0050BC0C A144225100 mov eax, dword ptr [$00512244]
0050BC11 C6400401 mov byte ptr [eax+$04], $01
0050BC15 A1C0205100 mov eax, dword ptr [$005120C0]
0050BC1A 33C9 xor ecx, ecx
0050BC1C BAB0310000 mov edx, $000031B0
0050BC21 E89E77EFFF call 004033C4
0050BC26 A184205100 mov eax, dword ptr [$00512084]
0050BC2B 33C9 xor ecx, ecx
0050BC2D BA90100000 mov edx, $00001090
0050BC32 E88D77EFFF call 004033C4
0050BC37 E8A8EFFEFF call 004FABE4 ;log in to 魅力's verification server
======================================================================= ;61.145.112.135


Click Procedures->AuthorDMUnit, double-click the AuthorSockRead event on the right, and enter the disassembly view:
=======================================================================
004FA406 8B45F8 mov eax, [ebp-$08]
004FA409 8D55FC lea edx, [ebp-$04]
004FA40C E837FDFFFF call 004FA148 ;read the received data
004FA411 8B45FC mov eax, [ebp-$04]
* Reference to : TAuthorDM._PROC_004FA880()
004FA414 E867040000 call 004FA880 ;data-handling routine
=======================================================================
Double-click the line 004FA414 to arrive here:
=======================================================================
004FA880 55 push ebp
004FA881 8BEC mov ebp, esp
... ...
... ...(omitted to save space)
... ...
004FA8C1 8B45FC mov eax, [ebp-$04] ;the received data
004FA8C4 8A18 mov bl, byte ptr [eax] ;take out one character
004FA8C6 8D45FC lea eax, [ebp-$04]
004FA8C9 B901000000 mov ecx, $00000001
004FA8CE BA01000000 mov edx, $00000001
004FA8D3 E83CA8F0FF call 00405114
004FA8D8 A1C4205100 mov eax, dword ptr [$005120C4]
004FA8DD 8B00 mov eax, [eax]
004FA8DF 8B800C070000 mov eax, [eax+$070C]
004FA8E5 B201 mov dl, $01
004FA8E7 8B08 mov ecx, [eax]
004FA8E9 FF5164 call dword ptr [ecx+$64]
004FA8EC 33C0 xor eax, eax
004FA8EE 8AC3 mov al, bl
004FA8F0 83F870 cmp eax, +$70
004FA8F3 7F38 jnle 004FA92D
004FA8F5 0F84FA000000 jz 004FA9F5
004FA8FB 83F865 cmp eax, +$65
004FA8FE 7F13 jnle 004FA913
004FA900 0F8486000000 jz 004FA98C ;identity verification succeeded
004FA906 48 dec eax
004FA907 744B jz 004FA954
004FA909 83E80B sub eax, +$0B
004FA90C 7460 jz 004FA96E ;after verification succeeds, a few execution parameters are returned
004FA90E E926020000 jmp 004FAB39
004FA913 83C09A add eax, -$66
004FA916 83E803 sub eax, +$03
... ...
... ...(omitted again to save space)
... ...
004FA969 E9CB010000 jmp 004FAB39

004FA96E 8B45FC mov eax, [ebp-$04]
004FA971 E82AFEFFFF call 004FA7A0
004FA976 A180225100 mov eax, dword ptr [$00512280] ;
004FA97B 8B00 mov eax, [eax] ;
* Reference to control AuthorSock : TClientSocket
004FA97D 8B4058 mov eax, [eax+$58] ;
004FA980 B201 mov dl, $01 ;
* Reference to : TCustomControlBar._PROC_00439488()
004FA982 E801EBF3FF call 00439488 ;verification finished, set the timer, prepare to log in to the game
004FA987 E9AD010000 jmp 004FAB39

004FA98C 8B45FC mov eax, [ebp-$04]
* Reference to : TAuthorDM._PROC_004FA800()
004FA98F E86CFEFFFF call 004FA800
004FA994 33D2 xor edx, edx
004FA996 B80B000000 mov eax, $0000000B
* Reference to : TAuthorDM._PROC_004FA578()
004FA99B E8D8FBFFFF call 004FA578
* Possible String Reference to: '身份驗證成功,感謝您支持魅力產品。'
004FA9A0 BA80AB4F00 mov edx, $004FAB80
004FA9A5 B801000000 mov eax, $00000001
004FA9AA E8BD990000 call 0050436C
004FA9AF E985010000 jmp 004FAB39
=======================================================================

First double-click the line 004FA98F to arrive here:
=======================================================================
004FA800 55 push ebp
004FA801 8BEC mov ebp, esp
... ...
... ...(omitted yet again to save space)
... ...
004FA822 8D55F4 lea edx, [ebp-$0C]
004FA825 8D45FC lea eax, [ebp-$04] ;the received data
* Reference to : TAuthorDM._PROC_004FA514()
004FA828 E8E7FCFFFF call 004FA514 ;extract one item
004FA82D 8B55F4 mov edx, [ebp-$0C] ;this is actually your game login account
004FA830 A150205100 mov eax, dword ptr [$00512050] ;the login account is stored here
004FA835 E8DEA3F0FF call 00404C18
004FA83A 8D55F8 lea edx, [ebp-$08]
004FA83D 8D45FC lea eax, [ebp-$04]
* Reference to : TAuthorDM._PROC_004FA514()
004FA840 E8CFFCFFFF call 004FA514 ;extract another item
004FA845 33D2 xor edx, edx
004FA847 8B45F8 mov eax, [ebp-$08] ;this is actually your game login password
004FA84A E8E5ECF0FF call 00409534
004FA84F 8B1560205100 mov edx, [$00512060] ;the login password is stored here
004FA855 8902 mov [edx], eax ;the user's login password is actually managed by him
======================================================================= ;really not reassuring

Then double-click the line 004FA971 to arrive here:
=======================================================================
004FA7A0 55 push ebp
004FA7A1 8BEC mov ebp, esp
004FA7A3 51 push ecx
004FA7A4 8945FC mov [ebp-$04], eax
004FA7A7 8B45FC mov eax, [ebp-$04]
004FA7AA E8B5A8F0FF call 00405064
004FA7AF 33C0 xor eax, eax
004FA7B1 55 push ebp
004FA7B2 68F6A74F00 push $004FA7F6
004FA7B7 64FF30 push dword ptr fs:[eax]
004FA7BA 648920 mov fs:[eax], esp
004FA7BD 8B45FC mov eax, [ebp-$04] ;after verification succeeds, a 2-character execution parameter is returned
004FA7C0 8A00 mov al, byte ptr [eax] ;first character, should be = 0EH
004FA7C2 8B159C1E5100 mov edx, [$00511E9C]
004FA7C8 8802 mov [edx], al
004FA7CA 8B45FC mov eax, [ebp-$04]
004FA7CD 8A4001 mov al, byte ptr [eax+$01] ;second character, should be = 08H
004FA7D0 8B15D01E5100 mov edx, [$00511ED0]
004FA7D6 8802 mov [edx], al
004FA7D8 A1C81F5100 mov eax, dword ptr [$00511FC8] ;everything is OK, so set a flag
004FA7DD C60001 mov byte ptr [eax], $01
=======================================================================

There is one more hidden check here (I can't really say how I found this one; a blind cat stumbling onto a dead mouse, pure luck):
It may be handled in another CASE branch of the verification, or inside the ASPR shell; I couldn't be bothered to spend time looking.
=======================================================================
005036B8 833DE81D510021 cmp dword ptr [$00511DE8], +$21 ;when is this 21H written? I didn't find it
005036BF 750A jnz 005036CB ;change it to 90 90
005036C1 A3E81D5100 mov dword ptr [$00511DE8], eax
* Reference to : TAuthorDM._PROC_004FA670()
005036C6 E8A56FFFFF call 004FA670
005036CB C3 ret
=======================================================================

Finally, to tidy up the cracking method, note this line:
0050BC37 E8A8EFFEFF call 004FABE4 ;log in to 魅力's verification server
We can rewrite this subroutine: fill in all the parameters right here, set the timer directly, and log in to the game.
Now it's finally time for my beloved QVIEW280 to take the stage (because I don't like using HIEW):
=======================================================================
004FABE4 A144225100 mov eax, dword ptr [$00512244] ;the password you entered
004FABE9 8B1560205100 mov edx, [$00512060] ;assign it to the login password variable
004FABEF 8902 mov [edx], eax
004FABF1 8B059C1E5100 mov eax, [$00511E9C] ;parameter 1
004FABF7 C6000E mov byte ptr [eax], $0E
004FABFA 8B05D01E5100 mov eax, [$00511ED0] ;parameter 2
004FAC00 C60008 mov byte ptr [eax], $08
004FAC03 8B05C81F5100 mov eax, [$00511FC8] ;verification OK
004FAC09 C60001 mov byte ptr [eax], $01
004FAC0C 90 nop
004FAC0D 90 nop
004FAC0E 90 nop
004FAC0F 90 nop
004FAC10 90 nop
004FAC11 90 nop
004FAC12 90 nop
004FAC13 90 nop
004FAC14 90 nop
004FAC15 90 nop
004FAC16 90 nop
004FAC17 90 nop
004FAC18 90 nop
004FAC19 90 nop
004FAC1A 90 nop
004FAC1B A180225100 mov eax, dword ptr [$00512280]
004FAC20 8B00 mov eax, [eax]
004FAC22 8B4058 mov eax, [eax+$58]
004FAC24 B201 mov dl, $01
* Reference to : TCustomControlBar._PROC_00439488()
004FAC27 E85CE8F3FF call 00439488 ;set the timer, prepare to log in to the game
004FAC2C C3 ret
=======================================================================
Don't forget to change this part below as well:
=======================================================================
005036B8 833DE81D510021 cmp dword ptr [$00511DE8], +$21
005036BF 750A jnz 005036CB ;change 75 0A to 90 90
005036C1 A3E81D5100 mov dword ptr [$00511DE8], eax
* Reference to : TAuthorDM._PROC_004FA670()
005036C6 E8A56FFFFF call 004FA670
005036CB C3 ret
=======================================================================
To be on the safe side you can search for '61.145.112.135' and change it to anything at all, so it is completely cut off from the verification server.
Heh, a bit ruthless perhaps; I'd better scram.
**************************************************************************************************

-=======heXer/iPB======-
-=======2003.5.17======-
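An added example, not part of the original post or of the bot it describes: the write-up's final step turns the "hidden check" at 005036BF into a pair of NOPs, so the guarded `call 004FA670` runs unconditionally. A single compare-and-jump that is never re-verified is exactly the kind of client-side gate that a two-byte edit removes; from the defender's side, the cheapest thing that catches such an edit is an integrity digest over the code region plus a sanity decode of the branch. The bytes and addresses below are the ones printed in the post; the function names, the SHA-256 digest scheme and the constructed test patch are assumptions for illustration.

```python
"""Detecting a two-byte branch patch over a client-side check (added example).

Models the region at 005036B8 from the post as bytes, decodes the jnz to show
what it guards, and detects the 75 0A -> 90 90 edit via a digest mismatch.
Function names and the digest scheme are this example's own assumptions.
"""
import hashlib

# Region starting at 005036B8, bytes copied from the listing in the post:
#   833DE81D510021   cmp dword ptr [$00511DE8], +$21
#   750A             jnz 005036CB
#   A3E81D5100       mov dword ptr [$00511DE8], eax
#   E8A56FFFFF       call 004FA670
#   C3               ret
REGION_BASE = 0x005036B8
ORIGINAL_REGION = bytes.fromhex(
    "833DE81D510021" "750A" "A3E81D5100" "E8A56FFFFF" "C3"
)
JNZ_OFFSET = 7      # offset of the 75 0A instruction inside the region
JNZ_OPCODE = 0x75   # short-form "jump if not zero"
NOP = 0x90


def decode_jcc_rel8(code: bytes, offset: int, base: int) -> int:
    """Return the target of a 2-byte Jcc rel8 at `offset`.

    `base` is the address of code[0]; the displacement is signed and is
    taken relative to the end of the 2-byte instruction.
    """
    opcode = code[offset]
    if not (0x70 <= opcode <= 0x7F):
        raise ValueError(f"byte {opcode:#04x} at offset {offset} is not a Jcc rel8")
    rel = code[offset + 1]
    if rel >= 0x80:
        rel -= 0x100
    return base + offset + 2 + rel


def branch_is_intact(code: bytes, offset: int, expected_opcode: int = JNZ_OPCODE) -> bool:
    """True if the conditional branch is still there (not overwritten with NOPs)."""
    return code[offset] == expected_opcode


def apply_nop_patch(code: bytes, offset: int, length: int) -> bytes:
    """Return a copy of `code` with `length` bytes at `offset` replaced by NOPs.

    This models the edit the post describes; it is a constructed input for
    the detection functions, not something executed here.
    """
    return code[:offset] + bytes([NOP]) * length + code[offset + length:]


def region_digest(code: bytes) -> str:
    """SHA-256 over the code region; the reference value is taken from the clean copy."""
    return hashlib.sha256(code).hexdigest()


EXPECTED_DIGEST = region_digest(ORIGINAL_REGION)


def region_is_unmodified(code: bytes) -> bool:
    """Integrity check: any byte change in the region, NOP-out included, is caught."""
    return region_digest(code) == EXPECTED_DIGEST


def describe_guard(code: bytes) -> str:
    """Say in words what the branch guards: the mov+call that follow it."""
    if branch_is_intact(code, JNZ_OFFSET):
        target = decode_jcc_rel8(code, JNZ_OFFSET, REGION_BASE)
        return (f"call 004FA670 runs only when [00511DE8] == 0x21; "
                f"otherwise control jumps to {target:08X}")
    return "branch removed: call 004FA670 runs unconditionally"


if __name__ == "__main__":
    print("clean  :", describe_guard(ORIGINAL_REGION), region_is_unmodified(ORIGINAL_REGION))
    patched = apply_nop_patch(ORIGINAL_REGION, JNZ_OFFSET, 2)
    print("patched:", describe_guard(patched), region_is_unmodified(patched))
```

The decoded target (005036CB, the `ret`) matches the listing, which confirms that the compare against 21H is the only thing standing between the caller and `call 004FA670`. A digest like this only raises the cost of the edit: whatever code verifies the digest lives in the same binary and can itself be patched, so in practice the value is in detection (a mismatch logged or reported) rather than in prevention.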