这是我学crack后的第一篇关于crack的文章,不对的地方请各位兄弟姐妹多指教。另外,哪位帮忙pj一下smart goj2000?我折腾了好久都没搞定。
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00401E42(U)
|
:004325C0
81EC00010000 sub esp, 00000100
:004325C6
56 push
esi
:004325C7 57
push edi
*
Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:004325C8 8B3D5CC44600 mov
edi, dword ptr [0046C45C]
:004325CE BE41000000
mov esi, 00000041
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00432653(C)
|
:004325D3
56 push
esi
:004325D4 8D84248C000000 lea eax, dword
ptr [esp+0000008C]
*
Possible StringData Ref from Data Obj ->"%c:\"
|
:004325DB 68880D4600
push 00460D88
:004325E0 50
push eax
:004325E1 E89A1A0000
call 00434080
:004325E6 83C40C
add esp, 0000000C
:004325E9
8D8C2488000000 lea ecx, dword ptr [esp+00000088]
:004325F0
51 push
ecx
:004325F1 FFD7
call edi
:004325F3 83F805
cmp eax, 00000005 <-------- GetDriveTypeA 的返回值 5 是光驱(DRIVE_CDROM);要改成只认硬盘,把这个立即数改为 3(DRIVE_FIXED)
:004325F6
7554 jne
0043264C<------------不是光驱就跳到 0043264C 换下一个盘符继续找
:004325F8 56
push esi
:004325F9 8D54240C
lea edx, dword ptr [esp+0C]
*
Possible StringData Ref from Data Obj ->"%c:\sprite\1940.col"<---在当前盘根目录下读取此文件
|
:004325FD 68700D4600
push 00460D70
:00432602 52
push edx
:00432603 E8781A0000
call 00434080
:00432608 8D442414
lea eax, dword ptr [esp+14]
*
Possible StringData Ref from Data Obj ->"rb"
|
:0043260C 68B0B74500
push 0045B7B0
:00432611 50
push eax
:00432612 E8C9240000
call 00434AE0
:00432617 83C414
add esp, 00000014
:0043261A
85C0 test
eax, eax
:0043261C 0F85BB000000 jne
004326DD <---------按 "rb" 参数看 00434AE0 应是 fopen:返回非 0 说明文件打开成功,跳到 004326DD 正常继续;返回 0 则接着试第二个路径
:00432622 56
push esi
:00432623 8D4C240C
lea ecx, dword ptr [esp+0C]
*
Possible StringData Ref from Data Obj ->"%c:\1940\sprite\1940.col"<---在当前盘根目录下读取此文件
|
:00432627 68500D4600
push 00460D50
:0043262C 51
push ecx
:0043262D E84E1A0000
call 00434080
:00432632 8D542414
lea edx, dword ptr [esp+14]
*
Possible StringData Ref from Data Obj ->"rb"
|
:00432636 68B0B74500
push 0045B7B0
:0043263B 52
push edx
:0043263C E89F240000
call 00434AE0
:00432641 83C414
add esp, 00000014
:00432644
85C0 test
eax, eax
:00432646 0F8591000000 jne
004326DD <---------同上,打开成功跳到 004326DD 正常继续;两个路径都打不开就落到 0043264C 换下一个盘符
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004325F6(C)
|
:0043264C
46 inc
esi
:0043264D 8D46C0
lea eax, dword ptr [esi-40]
:00432650 83F81A
cmp eax, 0000001A <------------- esi 从 0x41('A')开始,esi-0x40 不超过 0x1A 就跳回 004325D3,即从 A 到 Z 逐个盘符试
:00432653
0F8E7AFFFFFF jle 004325D3
:00432659 68AA000000 push
000000AA<-----没有找到,提示错误
:0043265E 68B4000000
push 000000B4
:00432663 B94C8A4600
mov ecx, 00468A4C
:00432668 E807F3FCFF
call 00401974
:0043266D B94C8A4600
mov ecx, 00468A4C
:00432672 E8C7F1FCFF
call 0040183E
:00432677 6A02
push 00000002
:00432679
B94C8A4600 mov ecx, 00468A4C
:0043267E
E8A0F3FCFF call 00401A23
:00432683
68F6000000 push 000000F6
:00432688
68F4000000 push 000000F4
:0043268D
68F4000000 push 000000F4
:00432692
6A00 push
00000000
* Possible
StringData Ref from Data Obj ->"请插入游戏光碟!"
|
:00432694 683C0D4600
push 00460D3C
:00432699 B94C8A4600
mov ecx, 00468A4C
:0043269E E840F2FCFF
call 004018E3
:004326A3 B94C8A4600
mov ecx, 00468A4C
:004326A8 E899F3FCFF
call 00401A46
:004326AD B9C87D4600
mov ecx, 00467DC8
:004326B2 E85EEDFCFF
call 00401415
:004326B7 B9C87D4600
mov ecx, 00467DC8
:004326BC
E84EF3FCFF call 00401A0F
:004326C1
A144CA4500 mov eax, dword ptr
[0045CA44]
:004326C6 8D0C40
lea ecx, dword ptr [eax+2*eax]
:004326C9 D1E1
shl ecx, 1
:004326CB 51
push ecx
*
Reference To: KERNEL32.Sleep, Ord:0296h
|
:004326CC
FF1538C44600 Call dword ptr [0046C438]
:004326D2
5F pop
edi
:004326D3 32C0
xor al, al
:004326D5 5E
pop esi
:004326D6 81C400010000
add esp, 00000100
:004326DC C3
ret
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043261C(C),
:00432646(C)
|
:004326DD 50
push eax
:004326DE E89D1D0000
call 00434480
:004326E3 83C404
add esp, 00000004
:004326E6 B001
mov al, 01
:004326E8
5F pop
edi
:004326E9 5E
pop esi
:004326EA 81C400010000
add esp, 00000100
:004326F0 C3
ret
根据以上的分析,“1940.col”存放路径有两个,"%c:\sprite\1940.col"或"%c:\1940\sprite\1940.col"。除此以外
即使是光盘也将提示"请插入游戏光碟!",所以“1940.col”存放路径也需要修改,可以选择第一个来修改。
这样需要修改的地方有两处:
:004325F3
83F805 cmp eax,
00000005 <--------判断是否为光驱,改为判断是否为硬盘
:004325FD 68700D4600
push 00460D70 <-------1940.col 存放路径的指针,改为指向实际硬盘路径。两个 push(004325FD 指向 00460D70,00432627 指向 00460D50)改任意一个都行;下面的补丁改的是 004325FD 这一个(文件偏移 0x325FE,把地址低字节 70 改成 36,于是指向 00460D36)。00432627 处仍指向 00460D50,它那次 fopen 要么仍按原路径找,要么因为被新字符串覆盖而失败,不影响第一次就成功的情形。
由于"1940.col"的存放路径可能很深,而程序本身给路径字符串分配的空间实在可怜,所以需要征用一大片连续的地方来存放完整路径:
00460D3C:"请插入游戏光碟!",crack后就没有用了,征用这块地方。
00460D70:"%c:\sprite\1940.col",本来是要用的,但补丁把 004325FD 的 push 改成指向 00460D36 以后,这里也被并入新字符串的存放区。
00460D50:"%c:\1940\sprite\1940.col",crack后就没有用了,征用!
00460D88:"%c:\" 还在被盘符循环使用,新字符串不能越过它。
这样从 00460D36 到 00460D87 可用的空间共 82 字节(含结尾的 0)。注意补丁从 00460D36 起写,00460D36~00460D3B 这 6 个字节在反汇编里看不到是什么,最好用十六进制编辑器确认一下没有别的地方引用它们。新字符串是 "%c" + 当前目录去掉盘符后的部分 + "\sprite\1940.col"(16 字节),所以我把 1940.exe 安装路径(含盘符)的长度限制在 60 以内,总长不超过 78 字节,放得下;一般不会超出此长度,至于二般情况我就$#$^%$^%$。
下面是补丁,不足之处请各位大虾多指点
// Borland C++ Builder 5.0
#pragma hdrstop
#include <assert.h>
#include <string.h>
#include <cstring>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>
#include <fstream.h>
#include <windows.h>
//---------------------------------------------------------------------------
#pragma
argsused
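namespace {

// Offsets inside 1940.exe. The image base is 0x400000 and, exactly as the
// original patch assumed, file offset == VA - 0x400000 for both the code and
// the data below (the section layout is not shown in the listing).
const long kCmpInsn     = 0x325F3; // 83 F8 05        cmp eax, 5   (5 == DRIVE_CDROM)
const long kCmpImm      = 0x325F5; // the imm8 of that cmp; patched to DRIVE_FIXED
const long kPushInsn    = 0x325FD; // 68 70 0D 46 00  push 00460D70 ("%c:\sprite\1940.col")
const long kPushLowByte = 0x325FE; // low byte of the pushed address; patched to point at kPathSlot
const long kPathSlot    = 0x60D36; // start of the new "%c:..." template (same spot the original patch used)
const long kPathSlotEnd = 0x60D88; // "%c:\" at 00460D88 is still used by the drive loop - never overwrite it
const long kOldPathA    = 0x60D70; // "%c:\sprite\1940.col"; checked to make sure this is the analysed build

// NOTE(review): 00460D36..00460D3B lie before the first dead string (00460D3C)
// and the listing does not show what they are; the original patch overwrote
// them too. Confirm in a hex editor that nothing references those 6 bytes.

const unsigned char kDriveFixed = 3;                 // DRIVE_FIXED in <windows.h>
const char          kColSuffix[] = "\\sprite\\1940.col";

// True when the `n` bytes at file offset `off` equal `want`.
// An offset past the end of the image is a mismatch, not out-of-bounds access.
bool bytes_at(const std::vector<unsigned char>& image, long off, const void* want, size_t n)
{
    if (off < 0 || static_cast<size_t>(off) + n > image.size())
        return false;
    return std::memcmp(&image[static_cast<size_t>(off)], want, n) == 0;
}

// Reads the whole file at `path` into `out`. Returns false on any I/O error
// or when the file is empty.
bool read_file(const char* path, std::vector<unsigned char>& out)
{
    std::ifstream in(path, std::ios::in | std::ios::binary);
    if (!in)
        return false;
    in.seekg(0, std::ios::end);
    const std::streamoff size = in.tellg();
    if (size <= 0)
        return false;
    out.resize(static_cast<size_t>(size));
    in.seekg(0, std::ios::beg);
    in.read(reinterpret_cast<char*>(&out[0]), size);
    return in.gcount() == size;
}

// Writes `data` to `path`, truncating it. Returns false if the write did not complete.
bool write_file(const char* path, const std::vector<unsigned char>& data)
{
    std::ofstream out(path, std::ios::out | std::ios::binary | std::ios::trunc);
    if (!out)
        return false;
    out.write(reinterpret_cast<const char*>(&data[0]), static_cast<std::streamsize>(data.size()));
    out.close();
    return !out.fail();
}

} // namespace

// Patches 1940.exe (or the file named in argv[1]) so that the CD check
// accepts a fixed disk and looks for 1940.col under the current directory:
//   * cmp eax,5 (DRIVE_CDROM) at 004325F3 becomes cmp eax,3 (DRIVE_FIXED);
//   * the "%c:\sprite\1940.col" template is replaced by
//     "%c" + <current dir without its drive letter> + "\sprite\1940.col",
//     written at 00460D36, and the push at 004325FD is pointed at it.
// The drive letter stays a "%c" so the game's own A..Z loop still fills it in.
// Before writing anything the known original bytes are verified, and an
// untouched copy is saved as <exe>.bak. Returns 0 on success, 1 on any error.
int main(int argc, char* argv[])
{
    const char* exePath = (argc > 1) ? argv[1] : "1940.exe";

    // Current directory; must be a drive-letter path because the game builds
    // "%c:" + rest itself. Unlike the original, the buffer size is passed and
    // the return value (0 on failure, required size if too small) is checked.
    char cwd[260]; // MAX_PATH
    unsigned long len = GetCurrentDirectoryA(sizeof cwd, cwd);
    if (len == 0 || len >= sizeof cwd) {
        std::cerr << "error: cannot read the current directory\n";
        return 1;
    }
    if (len < 2 || cwd[1] != ':') {
        std::cerr << "error: run this from a drive-letter path (X:\\...), not a UNC path\n";
        return 1;
    }
    // "C:\" -> "C:" so the suffix does not produce a doubled backslash.
    if (len >= 3 && cwd[len - 1] == '\\')
        cwd[--len] = '\0';

    std::string tmpl = "%c";
    tmpl.append(cwd + 1);      // ":\dir\..." - the real drive letter is dropped
    tmpl.append(kColSuffix);
    const size_t slotSize = static_cast<size_t>(kPathSlotEnd - kPathSlot); // 82 bytes incl. NUL
    if (tmpl.size() + 1 > slotSize) {
        std::cerr << "error: install path too long (" << tmpl.size()
                  << " bytes, the exe has room for " << (slotSize - 1) << ")\n";
        return 1;
    }

    std::vector<unsigned char> image;
    if (!read_file(exePath, image)) {
        std::cerr << "error: cannot read " << exePath << "\n";
        return 1;
    }

    // Pre-flight: refuse to touch a binary whose bytes are not the ones the
    // analysis was done on (different build, or already patched).
    static const unsigned char cmpCdrom[]  = { 0x83, 0xF8, 0x05 };
    static const unsigned char pushPathA[] = { 0x68, 0x70, 0x0D, 0x46, 0x00 };
    static const char          oldPathA[]  = "%c:\\sprite\\1940.col";
    static const char          driveFmt[]  = "%c:\\";
    if (!bytes_at(image, kCmpInsn, cmpCdrom, sizeof cmpCdrom) ||
        !bytes_at(image, kPushInsn, pushPathA, sizeof pushPathA) ||
        !bytes_at(image, kOldPathA, oldPathA, sizeof oldPathA) ||
        !bytes_at(image, kPathSlotEnd, driveFmt, sizeof driveFmt)) {
        std::cerr << "error: " << exePath
                  << " does not match the analysed build (or is already patched); nothing written\n";
        return 1;
    }

    // Keep an untouched copy. A second run fails the check above before it
    // gets here, so an already-patched file can never overwrite the backup.
    const std::string backup = std::string(exePath) + ".bak";
    if (!write_file(backup.c_str(), image)) {
        std::cerr << "error: cannot write backup " << backup << "\n";
        return 1;
    }

    image[static_cast<size_t>(kCmpImm)] = kDriveFixed;                              // cmp eax,5 -> cmp eax,3
    image[static_cast<size_t>(kPushLowByte)] = static_cast<unsigned char>(kPathSlot & 0xFF); // push 00460D70 -> push 00460D36
    std::memcpy(&image[static_cast<size_t>(kPathSlot)], tmpl.c_str(), tmpl.size() + 1);      // template + NUL
    // The second lookup at 00432627 still pushes 00460D50, which now points
    // into (or just past) the new template; as far as the listing shows that
    // fopen simply fails and the drive loop moves on.

    if (!write_file(exePath, image)) {
        std::cerr << "error: cannot write " << exePath << " (backup is in " << backup << ")\n";
        return 1;
    }
    std::cout << "patched " << exePath << ": 1940.col is expected at " << tmpl << "\n";
    return 0;
}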
//-------------<