游戏版本 1.30
破解手记
004E4080 . E8 FB90F2FF call 0040D180 ; F7进入这个Call
;-----------------------------------------------------------------------
; 0040D180 — outer wrapper on the way to the licence code.
; Convention: retn 0x10 => four dword stack args (arg.1..arg.4); ebp frame.
; Steps as listed: align esp down to 8 and reserve 0x28 bytes; store the
; result of 004E141A in ds:[0x76E65C]; if 0040D3B0 returns 0, leave
; without reaching 00401770; otherwise build a 0x28-byte block on the
; stack ([esp]=arg.1, [esp+4]=arg.4, [esp+8..0x20]=0, [esp+0x24]=a
; constant, truncated in this listing), set eax=arg.3, ecx=&block and
; call 00401770 (which takes the block pointer from ecx). Only ebp is
; saved/restored here.
; Comments marked "author:" are the original poster's debugger notes
; (F7 = OllyDbg step-into).
;-----------------------------------------------------------------------
0040D180 /$ 55 push ebp
0040D181 |. 8BEC mov ebp,esp
0040D183 |. 83E4 F8 and esp,-0x8 ; align esp down to an 8-byte boundary
0040D186 |. 83EC 28 sub esp,0x28 ; 0x28-byte block passed to 00401770 below
0040D189 |. E8 8C420D00 call 004E141A
0040D18E |. A3 5CE67600 mov dword ptr ds:[0x76E65C],eax ; global = result of 004E141A
0040D193 |. E8 18020000 call 0040D3B0
0040D198 |. 85C0 test eax,eax
0040D19A |. 75 06 jnz short 0040D1A2 ; non-zero: go on to build the block
0040D19C |. 8BE5 mov esp,ebp ; zero: early exit, 00401770 is never reached
0040D19E |. 5D pop ebp
0040D19F |. C2 1000 retn 0x10
0040D1A2 |> 8B45 08 mov eax,[arg.1]
0040D1A5 |. 8B4D 14 mov ecx,[arg.4]
0040D1A8 |. 890424 mov dword ptr ss:[esp],eax ; block[0x00] = arg.1
0040D1AB |. 33C0 xor eax,eax
0040D1AD |. 894C24 04 mov dword ptr ss:[esp+0x4],ecx ; block[0x04] = arg.4
0040D1B1 |. 894424 08 mov dword ptr ss:[esp+0x8],eax ; block[0x08..0x20] = 0
0040D1B5 |. 894424 0C mov dword ptr ss:[esp+0xC],eax
0040D1B9 |. 894424 10 mov dword ptr ss:[esp+0x10],eax
0040D1BD |. 894424 14 mov dword ptr ss:[esp+0x14],eax
0040D1C1 |. 894424 18 mov dword ptr ss:[esp+0x18],eax
0040D1C5 |. 894424 1C mov dword ptr ss:[esp+0x1C],eax
0040D1C9 |. 894424 20 mov dword ptr ss:[esp+0x20],eax
0040D1CD |. 8B45 10 mov eax,[arg.3] ; eax = arg.3 at the call
0040D1D0 |. 8D0C24 lea ecx,dword ptr ss:[esp] ; ecx = &block
0040D1D3 |. C74424 24 C44>mov dword ptr ss:[esp+0x24], 00554> ; block[0x24] = constant (truncated in the listing)
0040D1DB |. E8 9045FFFF call 00401770 ; author: F7 into this CALL next
0040D1E0 |. 8BE5 mov esp,ebp
0040D1E2 |. 5D pop ebp
0040D1E3 \. C2 1000 retn 0x10
00401770 /$ 53 push ebx
00401771 |. 56 push esi
00401772 |. 57 push edi
00401773 |. 8BF1 mov esi,ecx
00401775 |. E8 F6D00800 call 0048E870
0040177A |. 33DB xor ebx,ebx
0040177C |. 84C0 test al,al
0040177E |. 74 44 je short 004017C4
00401780 |. 8BFE mov edi,esi
00401782 |. E8 69BA0000 call 0040D1F0 ; 主要判断的CALL F7进入
00401787 |. 84C0 test al,al
0040D215 |. E8 A6140D00 call 004DE6C0 ; 主要的CALL F7进入Call
;-----------------------------------------------------------------------
; 004DE6C0 — loads the external licence DLL (the author's "main CALL").
; Frame: 0x30 bytes. [esp+0x2C] holds ds:[0x54B458] xor esp, re-xored
; with esp into ecx and passed to 004E0668 before the return — the MSVC
; /GS stack-cookie pattern, presumably (004E0668 would be the cookie
; check; confirm). ebp = first stack argument ([esp+0x3C] after the
; 0x30 frame, two pushes and the return address); it is not used in the
; part shown.
; Flow shown: LoadLibraryA("reg.dll") -> NULL: return -1.
;             GetProcAddress(h, "sarcheck") -> NULL: FreeLibrary(h), return -1.
;             otherwise jnz 004DE718 — the success path, where the
;             resolved export would be used, is not part of this listing.
; Review note: the licence decision rests on a DLL located by name via
; the loader search path and on one export resolved by string; nothing
; here verifies the library's origin or integrity, and the caller consumes
; the result as a single boolean. A check of this shape has nothing
; outside the local binary to anchor its outcome to; the author's note on
; the first line records the patch that was applied.
;-----------------------------------------------------------------------
004DE6C0 83EC 30 sub esp,0x30 ; author's patch: rewrite this entry as "mov eax,1 / retn" so reg.dll is never consulted
004DE6C3 A1 58B45400 mov eax,dword ptr ds:[0x54B458] ; cookie seed
004DE6C8 |. 33C4 xor eax,esp
004DE6CA |. 894424 2C mov dword ptr ss:[esp+0x2C],eax ; cookie = seed ^ esp
004DE6CE |. 53 push ebx
004DE6CF |. 55 push ebp
004DE6D0 |. 8B6C24 3C mov ebp,dword ptr ss:[esp+0x3C] ; ebp = first stack arg
004DE6D4 |. 56 push esi
004DE6D5 |. 57 push edi
004DE6D6 |. 68 1CD65300 push 0053D61C ; /FileName = "reg.dll"
004DE6DB |. FF15 F4B05100 call dword ptr ds:[<&KERNEL32.LoadLibrar>; \LoadLibraryA
004DE6E1 |. 8BF0 mov esi,eax ; esi = hModule
004DE6E3 |. 33FF xor edi,edi ; edi = 0 (used as NULL below)
004DE6E5 |. 3BF7 cmp esi,edi
004DE6E7 |. 74 19 je short 004DE702 ; load failed -> return -1
004DE6E9 |. 68 24D65300 push 0053D624 ; /ProcNameOrOrdinal = "sarcheck"
004DE6EE |. 56 push esi ; |hModule
004DE6EF |. FF15 F0B05100 call dword ptr ds:[<&KERNEL32.GetProcAdd>; \GetProcAddress
004DE6F5 |. 8BD8 mov ebx,eax ; ebx = address of "sarcheck"
004DE6F7 |. 3BDF cmp ebx,edi
004DE6F9 |. 75 1D jnz short 004DE718 ; export found -> success path (not listed)
004DE6FB |. 56 push esi ; /hLibModule
004DE6FC |. FF15 E8B05100 call dword ptr ds:[<&KERNEL32.FreeLibrar>; \FreeLibrary
004DE702 |> 83C8 FF or eax,-0x1 ; failure return value = -1
004DE705 |. 5F pop edi
004DE706 |. 5E pop esi
004DE707 |. 5D pop ebp
004DE708 |. 5B pop ebx
004DE709 |. 8B4C24 2C mov ecx,dword ptr ss:[esp+0x2C] ; reload cookie
004DE70D |. 33CC xor ecx,esp
004DE70F |. E8 541F0000 call 004E0668 ; cookie check, presumably
004DE714 |. 83C4 30 add esp,0x30
004DE717 |. C3 retn
00401791 |. E8 2A6D0C00 call 004C84C0 ; 屏蔽Reg.dll后提示错误的CALL F7进入Call
004C84C0 /$ 8B46 24 mov eax,dword ptr ds:[esi+0x24]
004C84C3 |. 8B08 mov ecx,dword ptr ds:[eax]
004C84C5 |. 83EC 24 sub esp,0x24
004C84C8 |. 890D ACDF7400 mov dword ptr ds:[0x74DFAC],ecx
004C84CE |. E8 4DB6FDFF call 004A3B20 ; 提示错误CALL F7进入Call
;-----------------------------------------------------------------------
; 004A3B20 — first licence gate (reached from 004C84C0).
; Frame: 0x14 bytes of locals. Returns al = 1 on success, al = 0 after an
; error box.
; Steps shown: call 004E3852; two calls to 004E36BA with (pointer into the
; frame, 0, 0x300) and (pointer, 0, 0x30000) — purpose not visible here;
; GetDiskFreeSpaceA(NULL, &sectorsPerCluster, &bytesPerSector,
; &freeClusters, &clusters) into the frame; ds:[0x5549BC] = bytesPerSector,
; or 0x1000 when it is 0; ds:[0x76E688] = 1. Then two checks, 00422CF0
; and 00422ED0, each of the form "test eax,eax / jnz ok": a zero result
; sleeps 1 s, shows MessageBoxA(ds:[0x74DFAC], text, title, MB_OK) and
; returns 0.
; The title/text strings are Shift-JIS rendered through the wrong code
; page; the title reads "ライセンスIDエラー" (licence ID error).
; Review note: each gate collapses to one boolean in eax and one
; conditional jump, with nothing outside the local binary binding the
; outcome; the author's "jnz -> jmp" notes mark the two jumps concerned.
;-----------------------------------------------------------------------
004A3B20 /$ 83EC 14 sub esp,0x14
004A3B23 |. E8 2AFD0300 call 004E3852
004A3B28 |. 68 00030000 push 0x300
004A3B2D |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4] ; eax -> frame
004A3B31 |. 6A 00 push 0x0
004A3B33 |. 50 push eax
004A3B34 |. E8 81FB0300 call 004E36BA ; 004E36BA(frame, 0, 0x300)
004A3B39 |. 83C4 0C add esp,0xC
004A3B3C |. 68 00000300 push 0x30000
004A3B41 |. 8D4C24 04 lea ecx,dword ptr ss:[esp+0x4] ; ecx -> frame
004A3B45 |. 6A 00 push 0x0
004A3B47 |. 51 push ecx
004A3B48 |. E8 6DFB0300 call 004E36BA ; 004E36BA(frame, 0, 0x30000)
004A3B4D |. 83C4 0C add esp,0xC
004A3B50 |. 8D5424 08 lea edx,dword ptr ss:[esp+0x8]
004A3B54 |. 52 push edx ; /pClusters
004A3B55 |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10] ; |
004A3B59 |. 50 push eax ; |pFreeClusters
004A3B5A |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC] ; | -> frame+4
004A3B5E |. 51 push ecx ; |pBytesPerSector
004A3B5F |. 8D5424 1C lea edx,dword ptr ss:[esp+0x1C] ; |
004A3B63 |. 52 push edx ; |pSectorsPerCluster
004A3B64 |. 6A 00 push 0x0 ; |RootPathName = NULL
004A3B66 |. FF15 A0B05100 call dword ptr ds:[<&KERNEL32.GetDiskFre>; \GetDiskFreeSpaceA
004A3B6C |. 8B4424 04 mov eax,dword ptr ss:[esp+0x4] ; eax = bytesPerSector (frame+4)
004A3B70 |. 85C0 test eax,eax
004A3B72 |. C705 BC495500>mov dword ptr ds:[0x5549BC],0x1000 ; default (flags preserved)
004A3B7C |. 74 05 je short 004A3B83 ; keep 0x1000 when the value is 0
004A3B7E |. A3 BC495500 mov dword ptr ds:[0x5549BC],eax
004A3B83 |> C705 88E67600>mov dword ptr ds:[0x76E688],0x1
004A3B8D |. E8 5EF1F7FF call 00422CF0 ; check #1
004A3B92 |. 85C0 test eax,eax
004A3B94 75 29 jnz short 004A3BBF ; author's patch: jnz -> jmp to skip this check
004A3B96 |. 68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004A3B9B |. FF15 D0B15100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004A3BA1 |. A1 ACDF7400 mov eax,dword ptr ds:[0x74DFAC] ; owner window handle
004A3BA6 |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004A3BA8 |. 68 D4A95300 push 0053A9D4 ; |Title = "儔僀僙儞僗俬俢僄儔乕"
004A3BAD |. 68 ECA95300 push 0053A9EC ; |Text = "儔僀僙儞僗俬俢偺撉傒崬傒偵幐攕偟傑偟偨丅廔椆偟傑偡丅"
004A3BB2 |. 50 push eax ; |hOwner => 003003EA ('MELTY BLOOD Actress Again Cur...',class='MELTY BLOOD Actress Again Cur...')
004A3BB3 |. FF15 78B25100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004A3BB9 |. 32C0 xor al,al ; return 0 (failure)
004A3BBB |. 83C4 14 add esp,0x14
004A3BBE |. C3 retn
004A3BBF |> E8 0CF3F7FF call 0422ED0 ; check #2 (listing typo: target is 00422ED0, from E8 0CF3F7FF)
004A3BC4 |. 85C0 test eax,eax
004A3BC6 75 2A jnz short 004A3BF2 ; author's patch: jnz -> jmp to skip this check
004A3BC8 |. 68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004A3BCD |. FF15 D0B15100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004A3BD3 |. 8B0D ACDF7400 mov ecx,dword ptr ds:[0x74DFAC] ; owner window handle
004A3BD9 |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004A3BDB |. 68 D4A95300 push 0053A9D4 ; |Title = "儔僀僙儞僗俬俢僄儔乕"
004A3BE0 |. 68 ECA95300 push 0053A9EC ; |Text = "儔僀僙儞僗俬俢偺撉傒崬傒偵幐攕偟傑偟偨丅廔椆偟傑偡丅"
004A3BE5 |. 51 push ecx ; |hOwner => 003003EA ('MELTY BLOOD Actress Again Cur...',class='MELTY BLOOD Actress Again Cur...')
004A3BE6 |. FF15 78B25100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004A3BEC |. 32C0 xor al,al ; return 0 (failure)
004A3BEE |. 83C4 14 add esp,0x14
004A3BF1 |. C3 retn
004A3BF2 |> B0 01 mov al,0x1 ; both checks passed
004A3BF4 |. 83C4 14 add esp,0x14
004A3BF7 \. C3 retn
004C84D3 |. 84C0 test al,al
004C84D5 |. 74 39 je short 004C8510
004C84D7 |. 8BC6 mov eax,esi
004C84D9 |. E8 22B7FDFF call 004A3C00
004C84DE |. 84C0 test al,al
004C84E0 |. 74 2E je short 004C8510
004C84E2 |. 56 push esi
004C84E3 |. E8 58B7FDFF call 004A3C40
004C84E8 |. 83C4 04 add esp,0x4
004C84EB |. 84C0 test al,al
004C84ED |. 74 21 je short 004C8510
004C84EF |. E8 BC62F5FF call 0041E7B0
004C84F4 |. 84C0 test al,al
004C84F6 |. 75 1E jnz short .004C8516
004C84F8 |. 8B56 24 mov edx,dword ptr ds:[esi+0x24]
004C84FB |. 8B02 mov eax,dword ptr ds:[edx]
004C84FD |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004C84FF |. 68 1C875300 push 0053871C ; |Title = "Error"
004C8504 |. 68 68A95300 push 0053A968 ; |Text = "僨乕僞僼傽僀儖偺儘乕僪偵幐攕偟傑偟偨丅
僀儞僗僩乕儖偟捈偟偰壓偝偄丅"
004C8509 |. 50 push eax ; |hOwner
004C850A |. FF15 78B25100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004C8510 |> 32C0 xor al,al
004C8512 |. 83C4 24 add esp,0x24
004C8515 |. C3 retn
004C8516 |> \8BC6 mov eax,esi
004C8518 |. E8 53B7FDFF call 004A3C70 ; 错误信息提示框
;-----------------------------------------------------------------------
; 004A3C70 — second gate plus the settings dialog (author's "error box").
; In: eax -> object; esi = first dword of *(eax+0x24), also saved at
; [esp+0x8]; esi is the hWnd/hOwner passed to GetWindowLongA and
; DialogBoxParamA below. Frame: 8 bytes of locals plus saved esi.
; Returns al = 0 on any failure, else al = (004A3DD0 returned non-zero).
; Flow: 004A3720, 0048EF40, 00422D80 -> zero: Sleep(1000), MessageBoxA,
; return 0. 004A3E10 -> al == 0: return 0. DialogBoxParamA(
; GetWindowLongA(esi, GWL_HINSTANCE), 0x66, esi, 004A1A50, NULL) -> 0:
; return 0. Then 004A39C0, 0048F550, 0040D8A0 (eax = &[esp+8]) and the
; final gate 004A3DD0.
; Same error strings as 004A3B20 (mojibake of "ライセンスIDエラー").
; Review note: as in 004A3B20 the decision is one "test eax / jnz";
; the author's note marks the jump.
;-----------------------------------------------------------------------
004A3C70 /$ 83EC 08 sub esp,0x8
004A3C73 |. 8B48 24 mov ecx,dword ptr ds:[eax+0x24]
004A3C76 |. 56 push esi
004A3C77 |. 8B31 mov esi,dword ptr ds:[ecx] ; esi = window handle (see uses below)
004A3C79 |. 897424 08 mov dword ptr ss:[esp+0x8],esi ; keep a copy in the frame
004A3C7D |. E8 9EFAFFFF call 004A3720
004A3C82 |. E8 B9B2FEFF call 0048EF40
004A3C87 |. E8 F4F0F7FF call 00422D80 ; check
004A3C8C |. 85C0 test eax,eax
004A3C8E |. 75 2B jnz short 004A3CBB ; author's patch: jnz -> jmp to skip this check
004A3C90 |. 68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004A3C95 |. FF15 D0B15100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004A3C9B |. 8B15 ACDF7400 mov edx,dword ptr ds:[0x74DFAC] ; owner window handle
004A3CA1 |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004A3CA3 |. 68 D4A95300 push 0053A9D4 ; |Title = "儔僀僙儞僗俬俢僄儔乕"
004A3CA8 |. 68 ECA95300 push 0053A9EC ; |Text = "儔僀僙儞僗俬俢偺撉傒崬傒偵幐攕偟傑偟偨丅廔椆偟傑偡丅"
004A3CAD |. 52 push edx ; |hOwner => 003003EA ('MELTY BLOOD Actress Again Cur...',class='MELTY BLOOD Actress Again Cur...')
004A3CAE |. FF15 78B25100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004A3CB4 |> 32C0 xor al,al ; shared failure exit: return 0
004A3CB6 |. 5E pop esi
004A3CB7 |. 83C4 08 add esp,0x8
004A3CBA |. C3 retn
004A3CBB |> \E8 50010000 call 004A3E10
004A3CC0 |. 84C0 test al,al
004A3CC2 |.^ 74 F0 je short 004A3CB4 ; al == 0 -> failure exit
004A3CC4 |. 6A 00 push 0x0 ; /lParam = NULL
004A3CC6 |. 68 501A4A00 push 004A1A50 ; |DlgProc = 004A1A50
004A3CCB |. 56 push esi ; |hOwner
004A3CCC |. 6A 66 push 0x66 ; |pTemplate = 66
004A3CCE |. 6A FA push -0x6 ; |/Index = GWL_HINSTANCE
004A3CD0 |. 56 push esi ; ||hWnd
004A3CD1 |. FF15 DCB25100 call dword ptr ds:[<&USER32.GetWindowLon>; |\GetWindowLongA
004A3CD7 |. 50 push eax ; |hInst
004A3CD8 |. FF15 74B25100 call dword ptr ds:[<&USER32.DialogBoxPar>; \DialogBoxParamA — author: the settings window appears when this call runs
004A3CDE |. 85C0 test eax,eax
004A3CE0 |.^ 74 D2 je short 004A3CB4 ; dialog returned 0 -> failure exit
004A3CE2 |. E8 D9FCFFFF call 004A39C0
004A3CE7 |. E8 64B8FEFF call 0048F550
004A3CEC |. 8D4424 08 lea eax,dword ptr ss:[esp+0x8] ; eax -> saved window handle
004A3CF0 |. E8 AB9BF6FF call 0040D8A0
004A3CF5 |. E8 D6000000 call 004A3DD0 ; final gate — author: F7 into this CALL
004A3CFA |. 84C0 test al,al
004A3CFC |. 0F95C0 setne al ; al = (result != 0)
004A3CFF |. 5E pop esi
004A3D00 |. 83C4 08 add esp,0x8
004A3D03 \. C3 retn
004A3CBB |> \E8 50010000 call 004A3E10
004A3CC0 |. 84C0 test al,al
004A3CC2 |.^ 74 F0 je short 004A3CB4
004A3CC4 |. 6A 00 push 0x0 ; /lParam = NULL
004A3CC6 |. 68 501A4A00 push .004A1A50 ; |DlgProc = 004A1A50
004A3CCB |. 56 push esi ; |hOwner
004A3CCC |. 6A 66 push 0x66 ; |pTemplate = 66
004A3CCE |. 6A FA push -0x6 ; |/Index = GWL_HINSTANCE
004A3CD0 |. 56 push esi ; ||hWnd
004A3CD1 |. FF15 DCB25100 call dword ptr ds:[<&USER32.GetWindowLon>; |\GetWindowLongA
004A3CD7 |. 50 push eax ; |hInst
004A3CD8 |. FF15 74B25100 call dword ptr ds:[<&USER32.DialogBoxPar>; \加载到这里出现设置窗口
004A3CDE |. 85C0 test eax,eax
004A3CE0 |.^ 74 D2 je short 004A3CB4
004A3CE2 |. E8 D9FCFFFF call 004A39C0
004A3CE7 |. E8 64B8FEFF cal 0048F550
004A3CEC |. 8D4424 08 lea eax,dword ptr ss:[esp+0x8]
004A3CF0 |. E8 AB9BF6FF call 0040D8A0
004A3CF5 |. E8 D6000000 call 004A3DD0 ; 错误提示CALL F7进入Call
004A3CFA |. 84C0 test al,al
004A3CFC |. 0F95C0 setne al
004A3CFF |. 5E pop esi
004A3D00 |. 83C4 08 add esp,0x8
004A3D03 \. C3 retn
;-----------------------------------------------------------------------
; 004A3DD0 — final licence gate (called from 004A3C70).
; Frame: one dword of scratch (push ecx / pop ecx).
; Returns al = 1 when 00422E20 returns non-zero; otherwise Sleep(1000),
; MessageBoxA(ds:[0x74DFAC], text, title, MB_OK) and al = 0.
; Strings as in 004A3B20 (mojibake of "ライセンスIDエラー").
; Review note: the same single-boolean shape as the earlier gates; the
; author's note marks the jump.
;-----------------------------------------------------------------------
004A3DD0 /$ 51 push ecx ; reserve one dword of scratch
004A3DD1 |. E8 4AF0F7FF call 00422E20 ; check
004A3DD6 |. 85C0 test eax,eax
004A3DD8 |. 75 27 jnz short 004A3E01 ; author's patch: jnz -> jmp to skip this check
004A3DDA |. 68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004A3DDF |. FF15 D0B15100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004A3DE5 |. A1 ACDF7400 mov eax,dword ptr ds:[0x74DFAC] ; owner window handle
004A3DEA |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004A3DEC |. 68 D4A95300 push 0053A9D4 ; |Title = "儔僀僙儞僗俬俢僄儔乕"
004A3DF1 |. 68 ECA95300 push 0053A9EC ; |Text = "儔僀僙儞僗俬俢偺撉傒崬傒偵幐攕偟傑偟偨丅廔椆偟傑偡丅"
004A3DF6 |. 50 push eax ; |hOwner => 00980360 ('MELTY BLOOD Actress Again Cur...',class='MELTY BLOOD Actress Again Cur...')
004A3DF7 |. FF15 78B25100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004A3DFD |. 32C0 xor al,al ; return 0 (failure)
004A3DFF |. 59 pop ecx
004A3E00 |. C3 retn
004A3E01 |> B0 01 mov al,0x1 ; return 1 (passed)
004A3E03 |. 59 pop ecx
004A3E04 \. C3 retn ; author: then keep stepping with F8 until the game runs
然后是破解好的程序