上海大富翁1940

标题：上海大富翁1940硬盘版制作　
作者：空手剑客　
时间：2002/04/28 04:17pm
链接：http://bbs.pediy.com

这是我学crack后的第一篇关于crack的文章,不对的地方请各位兄弟姐妹多指教。另外，哪位帮忙pj一下smart goj2000？我折腾了好久都没搞定。

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E42(U)
|
:004325C0 81EC00010000 sub esp, 00000100
:004325C6 56 push esi
:004325C7 57 push edi

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:004325C8 8B3D5CC44600 mov edi, dword ptr [0046C45C]
:004325CE BE41000000 mov esi, 00000041

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00432653(C)
|
:004325D3 56 push esi
:004325D4 8D84248C000000 lea eax, dword ptr [esp+0000008C]

* Possible StringData Ref from Data Obj ->"%c:\"
|
:004325DB 68880D4600 push 00460D88
:004325E0 50 push eax
:004325E1 E89A1A0000 call 00434080
:004325E6 83C40C add esp, 0000000C
:004325E9 8D8C2488000000 lea ecx, dword ptr [esp+00000088]
:004325F0 51 push ecx
:004325F1 FFD7 call edi
:004325F3 83F805 cmp eax, 00000005 <--------判断是否为光驱,可以改为判断是否为硬盘
:004325F6 7554 jne 0043264C<------------进一步寻找光驱
:004325F8 56 push esi
:004325F9 8D54240C lea edx, dword ptr [esp+0C]

* Possible StringData Ref from Data Obj ->"%c:\sprite\1940.col"<---在当前盘根目录下读取此文件
|
:004325FD 68700D4600 push 00460D70
:00432602 52 push edx
:00432603 E8781A0000 call 00434080
:00432608 8D442414 lea eax, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"rb"
|
:0043260C 68B0B74500 push 0045B7B0
:00432611 50 push eax
:00432612 E8C9240000 call 00434AE0
:00432617 83C414 add esp, 00000014
:0043261A 85C0 test eax, eax　
:0043261C 0F85BB000000 jne 004326DD　<---------文件读取成功，游戏转入正常执行，否则进一步寻找
:00432622 56 push esi
:00432623 8D4C240C lea ecx, dword ptr [esp+0C]

* Possible StringData Ref from Data Obj ->"%c:\1940\sprite\1940.col"<---在当前盘根目录下读取此文件
|
:00432627 68500D4600 push 00460D50
:0043262C 51 push ecx
:0043262D E84E1A0000 call 00434080
:00432632 8D542414 lea edx, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"rb"
|
:00432636 68B0B74500 push 0045B7B0
:0043263B 52 push edx
:0043263C E89F240000 call 00434AE0
:00432641 83C414 add esp, 00000014
:00432644 85C0 test eax, eax
:00432646 0F8591000000 jne 004326DD　<---------文件读取成功，游戏转入正常执行，否则进一步寻找

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004325F6(C)
|
:0043264C 46 inc esi
:0043264D 8D46C0 lea eax, dword ptr [esi-40]
:00432650 83F81A cmp eax, 0000001A　<-------------从a-z顺次查询
:00432653 0F8E7AFFFFFF jle 004325D3
:00432659 68AA000000 push 000000AA<-----没有找到，提示错误
:0043265E 68B4000000 push 000000B4
:00432663 B94C8A4600 mov ecx, 00468A4C
:00432668 E807F3FCFF call 00401974
:0043266D B94C8A4600 mov ecx, 00468A4C
:00432672 E8C7F1FCFF call 0040183E
:00432677 6A02 push 00000002
:00432679 B94C8A4600 mov ecx, 00468A4C
:0043267E E8A0F3FCFF call 00401A23
:00432683 68F6000000 push 000000F6
:00432688 68F4000000 push 000000F4
:0043268D 68F4000000 push 000000F4
:00432692 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"请插入游戏光碟!"
|
:00432694 683C0D4600 push 00460D3C
:00432699 B94C8A4600 mov ecx, 00468A4C
:0043269E E840F2FCFF call 004018E3
:004326A3 B94C8A4600 mov ecx, 00468A4C
:004326A8 E899F3FCFF call 00401A46
:004326AD B9C87D4600 mov ecx, 00467DC8
:004326B2 E85EEDFCFF call 00401415
:004326B7 B9C87D4600 mov ecx, 00467DC8
:004326BC E84EF3FCFF call 00401A0F
:004326C1 A144CA4500 mov eax, dword ptr [0045CA44]
:004326C6 8D0C40 lea ecx, dword ptr [eax+2*eax]
:004326C9 D1E1 shl ecx, 1
:004326CB 51 push ecx

* Reference To: KERNEL32.Sleep, Ord:0296h
|
:004326CC FF1538C44600 Call dword ptr [0046C438]
:004326D2 5F pop edi
:004326D3 32C0 xor al, al
:004326D5 5E pop esi
:004326D6 81C400010000 add esp, 00000100
:004326DC C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043261C(C), :00432646(C)
|
:004326DD 50 push eax
:004326DE E89D1D0000 call 00434480
:004326E3 83C404 add esp, 00000004
:004326E6 B001 mov al, 01
:004326E8 5F pop edi
:004326E9 5E pop esi
:004326EA 81C400010000 add esp, 00000100
:004326F0 C3 ret

根据以上的分析，“1940.col”存放路径有两个，"%c:\sprite\1940.col"或"%c:\1940\sprite\1940.col"。除此以外
即使是光盘也将提示"请插入游戏光碟!"，所以“1940.col”存放路径也需要修改，可以选择第一个来修改。

这样需要修改的地方有两处：
:004325F3 83F805 cmp eax, 00000005 <--------判断是否为光驱,改为判断是否为硬盘
:00432627 68500D4600 push 00460D50　<-------1940.col存放路径，改为实际硬盘路径

由于"1940.col"的存放路径可能很深，而程序本身分配的地方实在可怜，所以需要征用大片土地来存放完整路径

00460D3C："请插入游戏光碟!"，crack后，就没有用了，征用这块地方。
00460D70："%c:\sprite\1940.col"，本来就要使用
00460D50："%c:\1940\sprite\1940.col"，crack后，就没有用了，征用！

这样可以使用的空间大约80个字节。所以"1940.col"的路径就要进行限制了,我把1940.exe的安装路径长度限制在60，不过一般不会超出此长度，至于二般情况我就$#$^%$^%$。

下面是补丁，不足之处请各位大虾多指点
//borland c++ builder5.0
#pragma hdrstop
#include <fstream.h>
#include <string.h>
#include <assert.h>
//---------------------------------------------------------------------------

#pragma argsused
int main(int argc, char* argv[])
{
char str[80];
GetCurrentDirectory(65,str);
if(strlen(str)>60)
{
cout<<"error";
exit(0);
}
strcat(str,"\\sprite\\1940.col");

ifstream in("1940.exe",ios::in|ios::out);
ostream out(in.rdbuf());

//modify check for cdrom
out.seekp(0x325F5,ios::beg);
out<<(char)0x03;

//modify path of "1940.col"
out.seekp(0x60D37,ios::beg);
for(unsigned int i=0;i<strlen(str);i++)
out<<(char)str[i];
out<<(char)0;

out.seekp(0x60D36,ios::beg);
out<<(char)0x25<<(char)0x63;

//modify reference to path of(1940.col)
out.seekp(0x325FE,ios::beg);
out<<(char)0x36;

in.close();
return 0;
}
//-------------<