MBACC 1.30 破解记录
本帖最后由 美鵺赤月 于 2012-4-12 05:28 编辑。游戏版本：1.30
破解手记
004E4080 .E8 FB90F2FF call 0040D180 ;F7进入这个Call
; ---------------------------------------------------------------------------
; 0040D180 -- outer launcher, called from 004E4080 (the line above this listing).
; Frame: push ebp / and esp,-8 / sub esp,0x28.  `retn 0x10` => 4 stack args, callee-cleaned.
; This paste dropped the bracketed part of most memory operands; the opcode bytes still encode them
; (A3 5CE67600 => [0076E65C], 8B45 08 => [ebp+8], 8B4D 14 => [ebp+14], 8B45 10 => [ebp+10]).
; Flow: 004E141A -> result stored to global 0076E65C; 0040D3B0 -> if it returns 0, bail out.
;       Otherwise build a 9-dword block at [esp..esp+0x20], store a constant at [esp+0x24],
;       pass &block in ecx to 00401770, and return.
; Nothing here is the licence check itself; it is only reached through 00401770.
; ---------------------------------------------------------------------------
0040D180/$55 push ebp
0040D181|.8BEC mov ebp,esp
0040D183|.83E4 F8 and esp,-0x8 ; 8-byte align the local area
0040D186|.83EC 28 sub esp,0x28
0040D189|.E8 8C420D00 call 004E141A ; purpose not visible in this listing
0040D18E|.A3 5CE67600 mov dword ptr ds:,eax ; [0076E65C] = eax (operand text lost in paste; from bytes)
0040D193|.E8 18020000 call 0040D3B0 ; purpose not visible; a 0 result aborts below
0040D198|.85C0 test eax,eax
0040D19A|.75 06 jnz short 0040D1A2
0040D19C|.8BE5 mov esp,ebp ; early exit: 0040D3B0 returned 0
0040D19E|.5D pop ebp
0040D19F|.C2 1000 retn 0x10
0040D1A2|>8B45 08 mov eax, ; eax = [ebp+8]  (arg1)
0040D1A5|.8B4D 14 mov ecx, ; ecx = [ebp+14] (arg4)
0040D1A8|.890424 mov dword ptr ss:,eax ; [esp]   = arg1
0040D1AB|.33C0 xor eax,eax
0040D1AD|.894C24 04 mov dword ptr ss:,ecx ; [esp+4] = arg4
0040D1B1|.894424 08 mov dword ptr ss:,eax ; [esp+8] .. [esp+20] = 0
0040D1B5|.894424 0C mov dword ptr ss:,eax
0040D1B9|.894424 10 mov dword ptr ss:,eax
0040D1BD|.894424 14 mov dword ptr ss:,eax
0040D1C1|.894424 18 mov dword ptr ss:,eax
0040D1C5|.894424 1C mov dword ptr ss:,eax
0040D1C9|.894424 20 mov dword ptr ss:,eax
0040D1CD|.8B45 10 mov eax, ; eax = [ebp+10] (arg3); whether 00401770 consumes eax is not visible here
0040D1D0|.8D0C24 lea ecx,dword ptr ss: ; ecx = &block at [esp] (thiscall-style this/ctx pointer)
0040D1D3|.C74424 24 C44>mov dword ptr ss:, 00554> ; [esp+24] = 00554xxx constant (imm32 truncated in paste)
0040D1DB|.E8 9045FFFF call 00401770 ; step into this CALL next (F7) -- it leads to the licence check
0040D1E0|.8BE5 mov esp,ebp
0040D1E2|.5D pop ebp
0040D1E3\.C2 1000 retn 0x10
00401770/$53 push ebx
00401771|.56 push esi
00401772|.57 push edi
00401773|.8BF1 mov esi,ecx
00401775|.E8 F6D00800 call 0048E870
0040177A|.33DB xor ebx,ebx
0040177C|.84C0 test al,al
0040177E|.74 44 je short 004017C4
00401780|.8BFE mov edi,esi
00401782|.E8 69BA0000 call 0040D1F0 ;主要判断的CALL F7进入
00401787|.84C0 test al,al
0040D215|.E8 A6140D00 call 004DE6C0 ;主要的CALL F7进入Call
; ---------------------------------------------------------------------------
; 004DE6C0 -- loads the licence helper DLL and resolves its check routine.
; Convention: plain `retn` at 004DE717 (caller cleans args); arg1 is read into ebp
;   ([esp+3C] after 0x30 of locals and two pushes = first stack arg).
; Failure path (shown): DLL missing, or export missing -> eax = -1 (`or eax,-1`), return.
; Success path: `jnz 004DE718` -- NOT in this listing, so the success return value is not visible here.
; Author's patch: overwrite the first two instructions (8 bytes: 83EC30 A158B45400) with
;   B8 01 00 00 00   mov eax,1
;   C3               retn
; and pad the 2 leftover bytes with 90 (nop) so the disassembly stays aligned. The stack stays
; balanced: nothing has been pushed yet and the caller cleans the arguments (plain retn).
; NOTE(review): returning 1 is the author's choice; confirm against what the unseen 004DE718 path
;   returns before relying on it elsewhere.
; NOTE(review): mov eax,[0054B458] / xor eax,esp ... xor ecx,esp / call 004E0668 looks like the MSVC /GS
;   stack-cookie prologue/epilogue (004E0668 ~ __security_check_cookie) -- not confirmed from here.
; SECURITY: the DLL is loaded by bare name ("reg.dll" via LoadLibraryA) and the export found by name
;   ("sarcheck"), so the whole check lives in a replaceable module resolved through the DLL search order;
;   a same-named DLL in the application directory is found first. This is an equally effective bypass
;   and the reason such checks should not be trusted for anything security-relevant.
; ---------------------------------------------------------------------------
004DE6C0 83EC 30 sub esp,0x30 ; PATCH POINT: replace with mov eax,1 / retn (see header) to bypass reg.dll
004DE6C3 A1 58B45400 mov eax,dword ptr ds: ; eax = [0054B458] (cookie seed, presumably)
004DE6C8|.33C4 xor eax,esp
004DE6CA|.894424 2C mov dword ptr ss:,eax ; [esp+2C] = cookie
004DE6CE|.53 push ebx
004DE6CF|.55 push ebp
004DE6D0|.8B6C24 3C mov ebp,dword ptr ss: ; ebp = [esp+3C] = arg1 (use on the success path not shown)
004DE6D4|.56 push esi
004DE6D5|.57 push edi
004DE6D6|.68 1CD65300 push 0053D61C ; /FileName = "reg.dll"
004DE6DB|.FF15 F4B05100 call dword ptr ds:[<&KERNEL32.LoadLibrar>; \LoadLibraryA ; bare name -> search-order dependent
004DE6E1|.8BF0 mov esi,eax ; esi = hModule (or NULL)
004DE6E3|.33FF xor edi,edi
004DE6E5|.3BF7 cmp esi,edi
004DE6E7|.74 19 je short 004DE702 ; load failed -> return -1
004DE6E9|.68 24D65300 push 0053D624 ; /ProcNameOrOrdinal = "sarcheck"
004DE6EE|.56 push esi ; |hModule
004DE6EF|.FF15 F0B05100 call dword ptr ds:[<&KERNEL32.GetProcAdd>; \GetProcAddress
004DE6F5|.8BD8 mov ebx,eax ; ebx = &sarcheck (or NULL)
004DE6F7|.3BDF cmp ebx,edi
004DE6F9|.75 1D jnz short 004DE718 ; export found -> success path (not included in this post)
004DE6FB|.56 push esi ; /hLibModule
004DE6FC|.FF15 E8B05100 call dword ptr ds:[<&KERNEL32.FreeLibrar>; \FreeLibrary ; export missing: unload again
004DE702|>83C8 FF or eax,-0x1 ; eax = -1 (failure marker)
004DE705|.5F pop edi
004DE706|.5E pop esi
004DE707|.5D pop ebp
004DE708|.5B pop ebx
004DE709|.8B4C24 2C mov ecx,dword ptr ss: ; ecx = [esp+2C] (saved cookie)
004DE70D|.33CC xor ecx,esp
004DE70F|.E8 541F0000 call 004E0668 ; presumed cookie check; eax must survive it for -1 to reach the caller
004DE714|.83C4 30 add esp,0x30
004DE717|.C3 retn
00401791|.E8 2A6D0C00 call 004C84C0 ;屏蔽Reg.dll后提示错误的CALL F7进入Call
004C84C0/$8B46 24 mov eax,dword ptr ds:
004C84C3|.8B08 mov ecx,dword ptr ds:
004C84C5|.83EC 24 sub esp,0x24
004C84C8|.890D ACDF7400 mov dword ptr ds:,ecx
004C84CE|.E8 4DB6FDFF call 004A3B20 ;提示错误CALL F7进入Call
; ---------------------------------------------------------------------------
; 004A3B20 -- first "licence ID" gate, reached from 004C84C0 (call at 004C84CE). Returns al: 1 = pass, 0 = fail.
; Frame: sub esp,0x14; plain retn (caller cleans). No stack arguments are accessed in the visible code.
; Sequence: 004E3852; two calls to 004E36BA with (ptr, 0, size) -- identity not visible (the sizes
;   0x300 / 0x30000 are far larger than the 0x14-byte frame, so do not assume memset);
;   GetDiskFreeSpaceA(NULL, ...) on the current drive; global 005549BC = BytesPerSector, defaulting to
;   0x1000 when the value read back is 0; global 0076E688 = 1; then two check calls, 00422CF0 and
;   00422ED0 (printed as "0422ED0" in the paste), each gating Sleep(1000) + MessageBoxA + return 0.
; Author's patches: 004A3B94 `75 29` -> `EB 29` and 004A3BC6 `75 2A` -> `EB 2A` (jnz -> jmp short; same
;   displacement, same 2-byte size). Afterwards both checks are still CALLED -- any side effects they
;   have remain -- only their results are ignored, so the function always reaches `mov al,1`.
; hOwner global 0074DFAC holds the main window handle (OllyDbg resolves it to the 'MELTY BLOOD ...' window).
; Title/Text are Shift-JIS bytes shown as GBK (mojibake); they appear to read ライセンスＩＤエラー
;   ("Licence ID error") and ライセンスＩＤの読み込みに失敗しました。終了します。
;   ("Failed to read the licence ID. Exiting.").
; Several memory operands lost their [address] text in this paste; the bytes are authoritative.
; ---------------------------------------------------------------------------
004A3B20/$83EC 14 sub esp,0x14
004A3B23|.E8 2AFD0300 call 004E3852 ; purpose not visible
004A3B28|.68 00030000 push 0x300 ; size
004A3B2D|.8D4424 04 lea eax,dword ptr ss: ; eax = [esp+4] = bottom of the local frame
004A3B31|.6A 00 push 0x0
004A3B33|.50 push eax
004A3B34|.E8 81FB0300 call 004E36BA ; 004E36BA(ptr, 0, 0x300) -- callee unknown
004A3B39|.83C4 0C add esp,0xC
004A3B3C|.68 00000300 push 0x30000 ; size
004A3B41|.8D4C24 04 lea ecx,dword ptr ss: ; ecx = [esp+4] (same slot)
004A3B45|.6A 00 push 0x0
004A3B47|.51 push ecx
004A3B48|.E8 6DFB0300 call 004E36BA ; 004E36BA(ptr, 0, 0x30000) -- callee unknown
004A3B4D|.83C4 0C add esp,0xC
004A3B50|.8D5424 08 lea edx,dword ptr ss: ; &local[+8]
004A3B54|.52 push edx ; /pClusters
004A3B55|.8D4424 10 lea eax,dword ptr ss: ; | &local[+C] (offset pre-push)
004A3B59|.50 push eax ; |pFreeClusters
004A3B5A|.8D4C24 0C lea ecx,dword ptr ss: ; | &local[+4] (offset pre-push)
004A3B5E|.51 push ecx ; |pBytesPerSector
004A3B5F|.8D5424 1C lea edx,dword ptr ss: ; | &local[+10] (offset pre-push)
004A3B63|.52 push edx ; |pSectorsPerCluster
004A3B64|.6A 00 push 0x0 ; |RootPathName = NULL
004A3B66|.FF15 A0B05100 call dword ptr ds:[<&KERNEL32.GetDiskFre>; \GetDiskFreeSpaceA ; NULL root = current drive; return value is not checked
004A3B6C|.8B4424 04 mov eax,dword ptr ss: ; eax = [esp+4] = BytesPerSector
004A3B70|.85C0 test eax,eax
004A3B72|.C705 BC495500>mov dword ptr ds:,0x1000 ; [005549BC] = 0x1000 (default; flags from test are untouched by mov)
004A3B7C|.74 05 je short 004A3B83
004A3B7E|.A3 BC495500 mov dword ptr ds:,eax ; [005549BC] = BytesPerSector when nonzero
004A3B83|>C705 88E67600>mov dword ptr ds:,0x1 ; [0076E688] = 1
004A3B8D|.E8 5EF1F7FF call 00422CF0 ; check #1 (body not shown)
004A3B92|.85C0 test eax,eax
004A3B94 75 29 jnz short 004A3BBF ; PATCH: jnz -> jmp (75 29 -> EB 29) skips the failure branch unconditionally
004A3B96|.68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004A3B9B|.FF15 D0B15100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004A3BA1|.A1 ACDF7400 mov eax,dword ptr ds: ; eax = [0074DFAC] = main HWND
004A3BA6|.6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004A3BA8|.68 D4A95300 push0053A9D4 ; |Title = "儔僀僙儞僗俬俢僄儔乕" ; mojibake: licence ID error (see header)
004A3BAD|.68 ECA95300 push0053A9EC ; |Text = "儔僀僙儞僗俬俢偺撉傒崬傒偵幐攕偟傑偟偨丅廔椆偟傑偡丅"
004A3BB2|.50 push eax ; |hOwner => 003003EA ('MELTY BLOOD Actress Again Cur...',class='MELTY BLOOD Actress Again Cur...')
004A3BB3|.FF15 78B25100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004A3BB9|.32C0 xor al,al ; return 0 (fail)
004A3BBB|.83C4 14 add esp,0x14
004A3BBE|.C3 retn
004A3BBF|>E8 0CF3F7FF call 0422ED0 ; check #2 (address printed without its leading 0 in the paste)
004A3BC4|.85C0 test eax,eax
004A3BC6 75 2A jnz short 004A3BF2 ; PATCH: jnz -> jmp (75 2A -> EB 2A)
004A3BC8|.68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004A3BCD|.FF15 D0B15100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004A3BD3|.8B0D ACDF7400 mov ecx,dword ptr ds: ; ecx = [0074DFAC] = main HWND
004A3BD9|.6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004A3BDB|.68 D4A95300 push 0053A9D4 ; |Title = "儔僀僙儞僗俬俢僄儔乕"
004A3BE0|.68 ECA95300 push 0053A9EC ; |Text = "儔僀僙儞僗俬俢偺撉傒崬傒偵幐攕偟傑偟偨丅廔椆偟傑偡丅"
004A3BE5|.51 push ecx ; |hOwner => 003003EA ('MELTY BLOOD Actress Again Cur...',class='MELTY BLOOD Actress Again Cur...')
004A3BE6|.FF15 78B25100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004A3BEC|.32C0 xor al,al ; return 0 (fail)
004A3BEE|.83C4 14 add esp,0x14
004A3BF1|.C3 retn
004A3BF2|>B0 01 mov al,0x1 ; return 1 (pass)
004A3BF4|.83C4 14 add esp,0x14
004A3BF7\.C3 retn
004C84D3|.84C0 test al,al
004C84D5|.74 39 je short 004C8510
004C84D7|.8BC6 mov eax,esi
004C84D9|.E8 22B7FDFF call 004A3C00
004C84DE|.84C0 test al,al
004C84E0|.74 2E je short 004C8510
004C84E2|.56 push esi
004C84E3|.E8 58B7FDFF call 004A3C40
004C84E8|.83C4 04 add esp,0x4
004C84EB|.84C0 test al,al
004C84ED|.74 21 je short 004C8510
004C84EF|.E8 BC62F5FF call0041E7B0
004C84F4|.84C0 test al,al
004C84F6|.75 1E jnz short .004C8516
004C84F8|.8B56 24 mov edx,dword ptr ds:
004C84FB|.8B02 mov eax,dword ptr ds:
004C84FD|.6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004C84FF|.68 1C875300 push 0053871C ; |Title = "Error"
004C8504|.68 68A95300 push 0053A968 ; |Text = "僨乕僞僼傽僀儖偺儘乕僪偵幐攕偟傑偟偨丅
僀儞僗僩乕儖偟捈偟偰壓偝偄丅"
004C8509|.50 push eax ; |hOwner
004C850A|.FF15 78B25100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004C8510|>32C0 xor al,al
004C8512|.83C4 24 add esp,0x24
004C8515|.C3 retn
004C8516|> \8BC6 mov eax,esi
004C8518|.E8 53B7FDFF call 004A3C70 ;错误信息提示框
; ---------------------------------------------------------------------------
; 004A3C70 -- second gate plus the settings dialog, reached from 004C8516 (call at 004C8518).
; In: eax = object; [eax+24] -> [that] yields the main window handle, kept in esi and a local at [esp+8].
; Returns al: 0 = fail, 1 = pass.  Frame: sub esp,8 / push esi; plain retn.
; Sequence: 004A3720; 0048EF40; check 00422D80 (jnz 004A3CBB) gating the same Sleep(1000) +
;   MessageBoxA "licence ID error" + return 0; then 004A3E10 (al == 0 -> return 0);
;   DialogBoxParamA(hInst = GetWindowLongA(hwnd, GWL_HINSTANCE), template 0x66, owner hwnd,
;   DlgProc 004A1A50) -- the settings window -- a 0 result returns 0; then 004A39C0, 0048F550,
;   0040D8A0(&hwnd local), and finally 004A3DD0 whose al is normalised by `setne` to 0/1.
; Author's patch: 004A3C8E `75 2B` -> `EB 2B` (jnz -> jmp short). 00422D80 still executes; only its
;   result is ignored. The 004A3DD0 gate needs its own patch (see that listing).
; Title/Text strings are Shift-JIS shown as GBK; same "licence ID error" text as in 004A3B20.
; ---------------------------------------------------------------------------
004A3C70/$83EC 08 sub esp,0x8
004A3C73|.8B48 24 mov ecx,dword ptr ds: ; ecx = [eax+24]
004A3C76|.56 push esi
004A3C77|.8B31 mov esi,dword ptr ds: ; esi = [ecx] = HWND
004A3C79|.897424 08 mov dword ptr ss:,esi ; local [esp+8] = HWND
004A3C7D|.E8 9EFAFFFF call 004A3720 ; purpose not visible
004A3C82|.E8 B9B2FEFF call 0048EF40 ; purpose not visible
004A3C87|.E8 F4F0F7FF call 00422D80 ; check #3 (body not shown)
004A3C8C|.85C0 test eax,eax
004A3C8E|.75 2B jnz short 004A3CBB ; PATCH: jnz -> jmp (75 2B -> EB 2B) skips the failure branch
004A3C90|.68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004A3C95|.FF15 D0B15100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004A3C9B|.8B15 ACDF7400 mov edx,dword ptr ds: ; edx = [0074DFAC] = main HWND
004A3CA1|.6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004A3CA3|.68 D4A95300 push 0053A9D4 ; |Title = "儔僀僙儞僗俬俢僄儔乕" ; mojibake: licence ID error
004A3CA8|.68 ECA95300 push 0053A9EC ; |Text = "儔僀僙儞僗俬俢偺撉傒崬傒偵幐攕偟傑偟偨丅廔椆偟傑偡丅"
004A3CAD|.52 push edx ; |hOwner => 003003EA ('MELTY BLOOD Actress Again Cur...',class='MELTY BLOOD Actress Again Cur...')
004A3CAE|.FF15 78B25100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004A3CB4|>32C0 xor al,al ; shared failure epilogue: return 0
004A3CB6|.5E pop esi
004A3CB7|.83C4 08 add esp,0x8
004A3CBA|.C3 retn
004A3CBB|> \E8 50010000 call 004A3E10 ; result in al; 0 -> fail
004A3CC0|.84C0 test al,al
004A3CC2|.^ 74 F0 je short 004A3CB4 ; backward jump into the failure epilogue
004A3CC4|.6A 00 push 0x0 ; /lParam = NULL
004A3CC6|.68 501A4A00 push 004A1A50 ; |DlgProc = 004A1A50
004A3CCB|.56 push esi ; |hOwner
004A3CCC|.6A 66 push 0x66 ; |pTemplate = 66
004A3CCE|.6A FA push -0x6 ; |/Index = GWL_HINSTANCE
004A3CD0|.56 push esi ; ||hWnd
004A3CD1|.FF15 DCB25100 call dword ptr ds:[<&USER32.GetWindowLon>; |\GetWindowLongA
004A3CD7|.50 push eax ; |hInst
004A3CD8|.FF15 74B25100 call dword ptr ds:[<&USER32.DialogBoxPar>; \ DialogBoxParamA -- the settings window appears when execution reaches here
004A3CDE|.85C0 test eax,eax
004A3CE0|.^ 74 D2 je short 004A3CB4 ; dialog returned 0 -> fail
004A3CE2|.E8 D9FCFFFF call 004A39C0 ; purpose not visible
004A3CE7|.E8 64B8FEFF call 0048F550 ; purpose not visible
004A3CEC|.8D4424 08 lea eax,dword ptr ss: ; eax = &local HWND ([esp+8])
004A3CF0|.E8 AB9BF6FF call 0040D8A0 ; purpose not visible
004A3CF5|.E8 D6000000 call 004A3DD0 ; final gate -- step into it (F7); see its listing
004A3CFA|.84C0 test al,al
004A3CFC|.0F95C0 setne al ; normalise to 0/1
004A3CFF|.5E pop esi
004A3D00|.83C4 08 add esp,0x8
004A3D03\.C3 retn
004A3CBB|> \E8 50010000 call 004A3E10
004A3CC0|.84C0 test al,al
004A3CC2|.^ 74 F0 je short 004A3CB4
004A3CC4|.6A 00 push 0x0 ; /lParam = NULL
004A3CC6|.68 501A4A00 push .004A1A50 ; |DlgProc = 004A1A50
004A3CCB|.56 push esi ; |hOwner
004A3CCC|.6A 66 push 0x66 ; |pTemplate = 66
004A3CCE|.6A FA push -0x6 ; |/Index = GWL_HINSTANCE
004A3CD0|.56 push esi ; ||hWnd
004A3CD1|.FF15 DCB25100 call dword ptr ds:[<&USER32.GetWindowLon>; |\GetWindowLongA
004A3CD7|.50 push eax ; |hInst
004A3CD8|.FF15 74B25100 call dword ptr ds:[<&USER32.DialogBoxPar>; \加载到这里出现设置窗口
004A3CDE|.85C0 test eax,eax
004A3CE0|.^ 74 D2 je short 004A3CB4
004A3CE2|.E8 D9FCFFFF call 004A39C0
004A3CE7|.E8 64B8FEFF cal 0048F550
004A3CEC|.8D4424 08 lea eax,dword ptr ss:
004A3CF0|.E8 AB9BF6FF call 0040D8A0
004A3CF5|.E8 D6000000 call 004A3DD0 ;错误提示CALL F7进入Call
004A3CFA|.84C0 test al,al
004A3CFC|.0F95C0 setne al
004A3CFF|.5E pop esi
004A3D00|.83C4 08 add esp,0x8
004A3D03\.C3 retn
; ---------------------------------------------------------------------------
; 004A3DD0 -- last gate, called from 004A3CF5. Frame: push ecx (one scratch slot); plain retn.
; Calls 00422E20: nonzero -> al = 1; zero -> Sleep(1000), MessageBoxA "licence ID error", al = 0.
; Author's patch: 004A3DD8 `75 27` -> `EB 27` (jnz -> jmp short); 00422E20 still runs, its result is ignored.
; hOwner here resolved to 00980360 (003003EA in the earlier listings) -- a different debugging session;
;   the global 0074DFAC is the same main-window-handle slot.
; Title/Text strings are Shift-JIS shown as GBK; same "licence ID error" text as in 004A3B20.
; ---------------------------------------------------------------------------
004A3DD0/$51 push ecx
004A3DD1|.E8 4AF0F7FF call 00422E20 ; check #4 (body not shown)
004A3DD6|.85C0 test eax,eax
004A3DD8|.75 27 jnz short 004A3E01 ; PATCH: jnz -> jmp (75 27 -> EB 27) skips the failure branch
004A3DDA|.68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004A3DDF|.FF15 D0B15100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004A3DE5|.A1 ACDF7400 mov eax,dword ptr ds: ; eax = [0074DFAC] = main HWND
004A3DEA|.6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004A3DEC|.68 D4A95300 push 0053A9D4 ; |Title = "儔僀僙儞僗俬俢僄儔乕" ; mojibake: licence ID error
004A3DF1|.68 ECA95300 push 0053A9EC ; |Text = "儔僀僙儞僗俬俢偺撉傒崬傒偵幐攕偟傑偟偨丅廔椆偟傑偡丅"
004A3DF6|.50 push eax ; |hOwner => 00980360 ('MELTY BLOOD Actress Again Cur...',class='MELTY BLOOD Actress Again Cur...')
004A3DF7|.FF15 78B25100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004A3DFD|.32C0 xor al,al ; return 0 (fail)
004A3DFF|.59 pop ecx
004A3E00|.C3 retn
004A3E01|>B0 01 mov al,0x1 ; return 1 (pass)
004A3E03|.59 pop ecx
004A3E04\.C3 retn ; then keep stepping over (F8) until the game is running
然后是破解好的程序
私居然看懂了一句!:"Jnz 改成Jmp"
好触> <