1. Removing the "Demo" text: the easiest part. Open BBrk32.EXE in a hex editor and search for "Demo".
Null out the second occurrence found. Then search for "(Demo mode)" and null it out the same way. Look at the puzzle screen again: it is much cleaner. But the pieces that used to carry the "Demo" mark still show a small transparent box.
2. Removing the transparent box:
:004318B2 85C0 test eax, eax
:004318B4 0F84EF000000 je 004319A9 / change to jmp
3. Removing the NAG at the start and end of a puzzle
:0043BF86 E889D80300 call 00479814
:0043BF8B 395D0C cmp dword ptr [ebp+0C], ebx
:0043BF8E 7532 jne 0043BFC2 / change to jmp
4. Removing the piece-count limit:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412A9C(U)
|
:004129C2 0FBE435C movsx eax, byte ptr [ebx+5C]
:004129C6 0FBE735C movsx esi, byte ptr [ebx+5C]
:004129CA 0FBF444350 movsx eax, word ptr [ebx+2*eax+50]
:004129CF 0FBF747344 movsx esi, word ptr [ebx+2*esi+44]
:004129D4 8D3C85FEFFFFFF lea edi, dword ptr [4*eax+FFFFFFFE]
:004129DB 03C0 add eax, eax
:004129DD 0FAFF7 imul esi, edi
:004129E0 0FBF55C8 movsx edx, word ptr [ebp-38]
:004129E4 2BF0 sub esi, eax
:004129E6 8955EC mov dword ptr [ebp-14], edx
:004129E9 3BD6 cmp edx, esi
:004129EB 0F8DB0000000 jnl 00412AA1
:004129F1 0FBE435C movsx eax, byte ptr [ebx+5C]
:004129F5 0FBF544344 movsx edx, word ptr [ebx+2*eax+44]
:004129FA 0FBE435C movsx eax, byte ptr [ebx+5C]
:004129FE 8D3495FEFFFFFF lea esi, dword ptr [4*edx+FFFFFFFE]
:00412A05 03D2 add edx, edx
:00412A07 668B444350 mov ax, word ptr [ebx+2*eax+50]
:00412A0C 660FAFC6 imul ax, si
:00412A10 2BC2 sub eax, edx
:00412A12 6685C0 test ax, ax
:00412A15 741F je 00412A36
:00412A17 DB45EC fild dword ptr [ebp-14]
:00412A1A 0FBFC0 movsx eax, ax
:00412A1D DC0DF0C74900 fmul qword ptr [0049C7F0]
:00412A23 8945F8 mov dword ptr [ebp-08], eax
:00412A26 DB45F8 fild dword ptr [ebp-08]
:00412A29 DEF9 fdivp st(1), st(0)
:00412A2B D81D40C74900 fcomp dword ptr [0049C740]
:00412A31 DFE0 fstsw ax
:00412A33 9E sahf
:00412A34 7707 ja 00412A3D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412A15(C)
|
:00412A36 66837DC878 cmp word ptr [ebp-38], 0078 /*
:00412A3B 7E58 jle 00412A95
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412A34(C)
|
:00412A3D 66837DC828 cmp word ptr [ebp-38], 0028 /*
:00412A42 7F45 jg 00412A89
:00412A44 0FBE435C movsx eax, byte ptr [ebx+5C]
:00412A48 0FBF544344 movsx edx, word ptr [ebx+2*eax+44]
:00412A4D 0FBE435C movsx eax, byte ptr [ebx+5C]
:00412A51 8D3495FEFFFFFF lea esi, dword ptr [4*edx+FFFFFFFE]
:00412A58 03D2 add edx, edx
:00412A5A 668B444350 mov ax, word ptr [ebx+2*eax+50]
:00412A5F 660FAFC6 imul ax, si
:00412A63 2BC2 sub eax, edx
:00412A65 6685C0 test ax, ax
:00412A68 742B je 00412A95
:00412A6A DB45EC fild dword ptr [ebp-14]
:00412A6D 0FBFC0 movsx eax, ax
:00412A70 DC0DF0C74900 fmul qword ptr [0049C7F0]
:00412A76 8945F8 mov dword ptr [ebp-08], eax
:00412A79 DB45F8 fild dword ptr [ebp-08]
:00412A7C DEF9 fdivp st(1), st(0)
:00412A7E D81D90C84900 fcomp dword ptr [0049C890]
:00412A84 DFE0 fstsw ax
:00412A86 9E sahf
:00412A87 760C jbe 00412A95
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412A42(C)
|
:00412A89 8B45C0 mov eax, dword ptr [ebp-40]
:00412A8C 83B87801000032 cmp dword ptr [eax+00000178], 00000032 /*
:00412A93 7F0C jg 00412AA1 / nop this out
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00412A3B(C), :00412A68(C), :00412A87(C)
|
:00412A95 FF45E4 inc [ebp-1C]
:00412A98 8345C802 add dword ptr [ebp-38], 00000002
:00412A9C E921FFFFFF jmp 004129C2
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004129EB(C), :00412A93(C)
|
:00412AA1 0FBE435C movsx eax, byte ptr [ebx+5C]
:00412AA5 0FBE735C movsx esi, byte ptr [ebx+5C]
:00412AA9 0FBF444350 movsx eax, word ptr [ebx+2*eax+50]
:00412AAE 0FBF747344 movsx esi, word ptr [ebx+2*esi+44]
:00412AB3 0FBF55E4 movsx edx, word ptr [ebp-1C]
:00412AB7 8D3C85FEFFFFFF lea edi, dword ptr [4*eax+FFFFFFFE]
:00412ABE 8955F8 mov dword ptr [ebp-08], edx
:00412AC1 0FAFF7 imul esi, edi
:00412AC4 03D2 add edx, edx
:00412AC6 03C0 add eax, eax
:00412AC8 2BF0 sub esi, eax
:00412ACA 8D040A lea eax, dword ptr [edx+ecx]
:00412ACD 3BC6 cmp eax, esi
:00412ACF 0F848F000000 je 00412B64
* Reference To: WINMM.timeGetTime, Ord:0098h
|
:00412AD5 8B354CC54900 mov esi, dword ptr [0049C54C]
:00412ADB 3BD1 cmp edx, ecx
:00412ADD 7C07 jl 00412AE6
:00412ADF 66837DE419 cmp word ptr [ebp-1C], 0019 /*
:00412AE4 7D0F jge 00412AF5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412ADD(C)
|
:00412AE6 FFD6 call esi
:00412AE8 2B05109A4A00 sub eax, dword ptr [004A9A10]
:00412AEE 3D30750000 cmp eax, 00007530
:00412AF3 730B jnb 00412B00
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412AE4(C)
|
:00412AF5 66837DE408 cmp word ptr [ebp-1C], 0008 /*
:00412AFA 0F8F11010000 jg 00412C11
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412AF3(C)
|
:00412B00 FFD6 call esi /nag
:00412B02 6A30 push 00000030
:00412B04 A3109A4A00 mov dword ptr [004A9A10], eax
:00412B09 E87F690600 call 0047948D
:00412B0E 8BF0 mov esi, eax
:00412B10 59 pop ecx
:00412B11 85F6 test esi, esi
:00412B13 7435 je 00412B4A
:00412B15 FF75F8 push [ebp-08]
:00412B18 66C745EC5C02 mov [ebp-14], 025C
After nopping out line 00412A93, the nag reminding you how many pieces you can still play no longer appears, but whether you use cheat mode (F5) or assemble the puzzle yourself, you still cannot play a single piece more.
5. Letting cheat mode (F5) continue:
:0044A238 FF5614 call [esi+14]
:0044A23B F6460C02 test [esi+0C], 02
:0044A23F 7503 jne 0044A244
:0044A241 FF5618 call [esi+18]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044A23F(C)
|
:0044A244 F6460C04 test [esi+0C], 04
:0044A248 7415 je 0044A25F / change this to jmp
:0044A24A 85F6 test esi, esi
:0044A24C 0F84AC060000 je 0044A8FE
:0044A252 8B06 mov eax, dword ptr [esi]
Now F5 can play all the way to the end. But when you try to assemble the puzzle yourself, it still does not work.
6. Letting manual assembly continue:
:00411F5B FF559C call [ebp-64]
:00411F5E F6459402 test [ebp-6C], 02
:00411F62 7503 jne 00411F67
:00411F64 FF55A0 call [ebp-60]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411F62(C)
|
:00411F67 F6459404 test [ebp-6C], 04
:00411F6B 7507 jne 00411F74 / nop this out
:00411F6D 8BCF mov ecx, edi
:00411F6F E8DCDCFFFF call 0040FC50
Now it can be played, but you soon find that pieces you select and put down vanish for no apparent reason, and assembling with cheat mode turns into a mess as well.
7. Making everything normal again:
:00412E21 8B45C0 mov eax, dword ptr [ebp-40]
:00412E24 8B7508 mov esi, dword ptr [ebp+08]
:00412E27 83B87801000032 cmp dword ptr [eax+00000178], 00000032
:00412E2E 7F06 jg 00412E36 / nop this out
:00412E30 837E2000 cmp dword ptr [esi+20], 00000000
:00412E34 7466 je 00412E9C
Now everything looks normal again. The only thing left is a "file has been modified" nag at program startup and during puzzle play.
8. Removing the startup nag
* Possible StringData Ref from Data Obj ->"mbbrk32"
|
:00406B66 689C5A4A00 push 004A5A9C
:00406B6B 53 push ebx
:00406B6C 53 push ebx
:00406B6D A358984A00 mov dword ptr [004A9858], eax
:00406B72 33FF xor edi, edi
:00406B74 E854020800 call 00486DCD
:00406B79 83C40C add esp, 0000000C
:00406B7C 3D22334455 cmp eax, 55443322 /Magic Number
:00406B81 7403 je 00406B86 / change to jmp
Now the "file has been modified" nag generally no longer appears at startup, but a nag that pops up at random still appears during puzzle play.
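As an added example (not part of the original walkthrough), here is a defender-side check that a vendor or an incident responder can run to tell whether a copy of the executable still matches the shipped build and, given a known-good copy, which bytes changed and whether the change looks like the branch flips and nop-outs described above. The byte strings are constructed to mirror the step-8 check; they are not taken from BBrk32.EXE.

```python
import hashlib

# Constructed sample (not bytes from BBrk32.EXE): the integrity check
# "cmp eax, 55443322 / je ..." from step 8, once as shipped and once with
# the je (74 03) flipped to jmp (EB 03), as the walkthrough describes.
ORIGINAL = bytes.fromhex("3d22334455" "7403" "33c0" "c3")
PATCHED = bytes.fromhex("3d22334455" "eb03" "33c0" "c3")

# A vendor (or a responder) records this for the shipped file, outside it.
KNOWN_GOOD_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()

# Short-form conditional jumps; 0xEB is short jmp, 0x90 is nop.
JCC = {0x74: "je", 0x75: "jne", 0x76: "jbe", 0x77: "ja",
       0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


def is_intact(data: bytes, expected_sha256: str) -> bool:
    """True if the whole file hashes to the recorded known-good value."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def diff_bytes(original: bytes, patched: bytes):
    """Return (offset, old, new) for every byte that differs.

    Length differences are reported too, with None for the missing side."""
    changes = []
    for off in range(max(len(original), len(patched))):
        old = original[off] if off < len(original) else None
        new = patched[off] if off < len(patched) else None
        if old != new:
            changes.append((off, old, new))
    return changes


def classify(change) -> str:
    """Label a single-byte change with the tamper pattern it resembles."""
    _, old, new = change
    if old in JCC and new == 0xEB:
        return f"{JCC[old]} flipped to jmp"
    if new == 0x90:
        return "nop-out"
    if new == 0x00:
        return "nulled (string removal)"
    return "other"


def report(original: bytes, patched: bytes, expected_sha256: str):
    """Integrity verdict plus a labelled list of changed bytes."""
    return {
        "intact": is_intact(patched, expected_sha256),
        "changes": [(off, old, new, classify((off, old, new)))
                    for off, old, new in diff_bytes(original, patched)],
    }


if __name__ == "__main__":
    print(report(ORIGINAL, PATCHED, KNOWN_GOOD_SHA256))
```

Unlike the in-program check that step 8 defeats with one flipped branch, the known-good hash here lives outside the binary, so a patched copy cannot also patch the reference it is compared against.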
9. The random nag that is hard to remove
* Referenced by a CALL at Addresses:
|:00406D80 , :00407C51 , :0040D1C4 , :004110BF , :00413B1D
|:00424D55 , :0043A1A7 , :0044B31E
|
:00404CCC 56 push esi
:00404CCD 8BF1 mov esi, ecx
:00404CCF 68D8000000 push 000000D8
:00404CD4 E8B4470700 call 0047948D
:00404CD9 85C0 test eax, eax
:00404CDB 59 pop ecx
:00404CDC 740A je 00404CE8
:00404CDE 56 push esi
:00404CDF 8BC8 mov ecx, eax
:00404CE1 E88C030000 call 00405072
:00404CE6 EB02 jmp 00404CEA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404CDC(C)
|
:00404CE8 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404CE6(U)
|
:00404CEA 837C240800 cmp dword ptr [esp+08], 00000000
:00404CEF 7407 je 00404CF8
:00404CF1 80888500000010 or byte ptr [eax+00000085], 10
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404CEF(C)
|
:00404CF8 8B4E1C mov ecx, dword ptr [esi+1C]
:00404CFB 894820 mov dword ptr [eax+20], ecx
:00404CFE 8B4E70 mov ecx, dword ptr [esi+70]
:00404D01 898880000000 mov dword ptr [eax+00000080], ecx
:00404D07 8BC8 mov ecx, eax
:00404D09 E858130000 call 00406066 / the dialog box is created here
:00404D0E 5E pop esi
:00404D0F C20400 ret 0004
The call at 00406D80 produces the startup nag and is already skipped by the earlier patch; the calls at 00407C51 and 004110BF produce the random NAG and cannot be nopped out. If you trace into the call at line 00404D09, there are several subroutine calls inside it, but those are also used to produce other dialog boxes. The only option is to patch line 00404D09.
After that patch, though, quite a few pieces show "scratches". :( Whether to apply this patch is something you will have to weigh for yourself.