破解对象:魅力传说2.802
软件功能:仙境传说外挂
下载连接:http://www.51ro.com/download/Ro2802_CN_Setup.exe
破解工具:AsprStripperXP_v123,DEDE3.5,QVIEW2.80
**************************************************************************************************
先用AsprStripperXP_v123脱壳,效果不错,不用说了。(提醒:后面提到的那处暗桩,作者自己也怀疑可能是ASPR壳里处理的,脱壳后最好核对一下自动还原出来的代码是否完整。)
看了一下,是用delphi6编译的,那就首选用DEDE来分析喽
破解入手点我选它的‘登陆’命令,我下面的叙述比较简要,用过DEDE的应该能够理解
点取Procedures->MainUnit,双击右边的ALoginExecute事件,进入反汇编界面:
=======================================================================
; MainUnit.ALoginExecute, excerpt 0050BB47..0050BC37 (DEDE listing, Intel syntax).
; ebx = the main form instance; [ebp-$08]..[ebp-$14] are temporary string locals.
; What the visible code establishes: copy the Name/Password edits into globals,
; apply a client-side "password length >= 4" check, record the selected server
; and character indices, zero two buffers, then call 004FABE4 to talk to the
; vendor's authentication server (004FABE4 is the routine the author later
; overwrites, see the end of the post).
0050BB47 8D55F8 lea edx, [ebp-$08]
* Reference to control EdtPlayerName : TbsSkinEdit
0050BB4A 8B8340070000 mov eax, [ebx+$0740]
* Reference to : TCustomMaskEdit._PROC_004949EC()
0050BB50 E8978EF8FF call 004949EC            ; read the Name edit text into [ebp-$08]
0050BB55 8B55F8 mov edx, [ebp-$08]
0050BB58 A150205100 mov eax, dword ptr [$00512050] ; global account-name string (the same global that 004FA800 later overwrites with the server's value)
0050BB5D E8B690EFFF call 00404C18            ; presumably System.@LStrAsg: [$00512050] := name (unverified)
0050BB62 8D55F4 lea edx, [ebp-$0C]
* Reference to control EdtPlayerPwd : TbsSkinEdit
0050BB65 8B8344070000 mov eax, [ebx+$0744]
* Reference to : TCustomMaskEdit._PROC_004949EC()
0050BB6B E87C8EF8FF call 004949EC            ; read the Password edit text into [ebp-$0C]
0050BB70 8B55F4 mov edx, [ebp-$0C]
0050BB73 A144225100 mov eax, dword ptr [$00512244] ; record whose first dword is the password string (see the [eax] load below)
0050BB78 E89B90EFFF call 00404C18            ; presumably @LStrAsg: password string := edit text
0050BB7D A144225100 mov eax, dword ptr [$00512244]
0050BB82 8B00 mov eax, [eax]                 ; eax = the password string itself
0050BB84 E8F392EFFF call 00404E7C            ; author: returns the password length
0050BB89 83F804 cmp eax, +$04                ; the only client-side password check: length must be >= 4
0050BB8C 0F8CC8000000 jl 0050BC5A            ; too short -> skip the whole login (target not shown)
* Reference to control cbServIP : TbsSkinComboBox
0050BB92 8B833C070000 mov eax, [ebx+$073C]
* Reference to : TbsSkinUpDown._PROC_004A36D0()
0050BB98 E8337BF9FF call 004A36D0            ; first getter on the server combo (DEDE's TbsSkinUpDown label looks misresolved); result is used as an index below
0050BB9D 50 push eax
* Reference to control cbServIP : TbsSkinComboBox
0050BB9E 8B833C070000 mov eax, [ebx+$073C]
* Reference to : TbsSkinUpDown._PROC_004A3B2C()
0050BBA4 E8837FF9FF call 004A3B2C            ; second getter: returns an object (vtable dispatched below)
0050BBA9 8D4DF0 lea ecx, [ebp-$10]           ; ecx = @result string
0050BBAC 5A pop edx                          ; edx = the saved index
0050BBAD 8B30 mov esi, [eax]                 ; esi = object's vtable
0050BBAF FF560C call dword ptr [esi+$0C]     ; virtual call (object, index, @out) -> string in [ebp-$10]; consistent with TStrings.Get(index), unverified
0050BBB2 8B45F0 mov eax, [ebp-$10]
0050BBB5 E8127BFFFF call 005036CC            ; consume the selected server entry; not shown. Note 005036CC starts right after the small check routine 005036B8..005036CB listed later
* Reference to control cbCharList : TbsSkinComboBox
0050BBBA 8B8338070000 mov eax, [ebx+$0738]
* Reference to : TbsSkinUpDown._PROC_004A36D0()
0050BBC0 E80B7BF9FF call 004A36D0            ; selected character index
0050BBC5 8B15F41E5100 mov edx, [$00511EF4]
0050BBCB 8802 mov [edx], al                  ; low byte of the character index -> [[$00511EF4]]
* Reference to control cbServIP : TbsSkinComboBox
0050BBCD 8B833C070000 mov eax, [ebx+$073C]
* Reference to : TbsSkinUpDown._PROC_004A36D0()
0050BBD3 E8F87AF9FF call 004A36D0            ; selected server index
0050BBD8 8B15A0215100 mov edx, [$005121A0]
0050BBDE 894204 mov [edx+$04], eax           ; server index (dword) -> [[$005121A0]+4]
0050BBE1 A1F41E5100 mov eax, dword ptr [$00511EF4]
0050BBE6 0FB600 movzx eax, byte ptr [eax]    ; re-read the character index byte, zero-extended
0050BBE9 8B15A0215100 mov edx, [$005121A0]
0050BBEF 8902 mov [edx], eax                 ; character index (dword) -> [[$005121A0]]
0050BBF1 8D55EC lea edx, [ebp-$14]
* Reference to control EdtPlayerName : TbsSkinEdit
0050BBF4 8B8340070000 mov eax, [ebx+$0740]
* Reference to : TCustomMaskEdit._PROC_004949EC()
0050BBFA E8ED8DF8FF call 004949EC            ; read the Name edit again into [ebp-$14]
0050BBFF 8B55EC mov edx, [ebp-$14]
0050BC02 A1FC215100 mov eax, dword ptr [$005121FC]
0050BC07 E80C90EFFF call 00404C18            ; presumably @LStrAsg: second copy of the name into [$005121FC]
0050BC0C A144225100 mov eax, dword ptr [$00512244]
0050BC11 C6400401 mov byte ptr [eax+$04], $01 ; flag byte at +4 of the password record; its meaning is not visible here
0050BC15 A1C0205100 mov eax, dword ptr [$005120C0]
0050BC1A 33C9 xor ecx, ecx
0050BC1C BAB0310000 mov edx, $000031B0
0050BC21 E89E77EFFF call 004033C4            ; eax=buffer, edx=count, cl=0 matches System.@FillChar's register order: looks like zeroing $31B0 bytes at [[$005120C0]] (unverified)
0050BC26 A184205100 mov eax, dword ptr [$00512084]
0050BC2B 33C9 xor ecx, ecx
0050BC2D BA90100000 mov edx, $00001090
0050BC32 E88D77EFFF call 004033C4            ; same helper: zero $1090 bytes at [[$00512084]]
0050BC37 E8A8EFFEFF call 004FABE4            ; author: log in to the vendor's verification server (the original body is not shown; the patched version is listed at the end)
=======================================================================
;61.145.112.135 — 作者在文末提到的验证服务器地址。AuthorSock是TClientSocket(Delphi自带的裸WinSock封装,本身不带加密),除非程序自己对数据加密(本文看不出来),否则验证数据——包括下面服务器返回的帐号密码——都是明文传输的。
点取Procedures->AuthorDMUnit,双击右边的AuthorSockRead事件,进入反汇编界面:
=======================================================================
; AuthorDMUnit.AuthorSockRead, excerpt 004FA406..004FA414: read whatever
; arrived on the authentication socket into a string and hand it to the
; dispatcher at 004FA880. Everything before/after this excerpt is not shown.
004FA406 8B45F8 mov eax, [ebp-$08]           ; eax = socket object (presumably; not visible here)
004FA409 8D55FC lea edx, [ebp-$04]           ; edx = @reply string
004FA40C E837FDFFFF call 004FA148            ; author: read the received data into [ebp-$04]
004FA411 8B45FC mov eax, [ebp-$04]
* Reference to : TAuthorDM._PROC_004FA880()
004FA414 E867040000 call 004FA880            ; author: the reply-processing routine (listed next)
=======================================================================
双击004FA414这一行,来到这里:
=======================================================================
; TAuthorDM._PROC_004FA880: dispatch on the first byte of a reply from the
; authentication socket (called from AuthorSockRead at 004FA414).
; Register use in the shown part: bl = opcode byte, [ebp-$04] = reply string.
; Delphi compiles the case statement as a compare tree; the label values that
; follow from the arithmetic below are 0x01, 0x0C, 0x65 ('e') and 0x70 ('p'),
; plus a range 0x66..0x6F handled at 004FA913 and > 0x70 at 004FA92D.
; Several stretches were elided by the author ("... ...").
004FA880 55 push ebp
004FA881 8BEC mov ebp, esp
... ...
... ...(节省版面)
... ...
004FA8C1 8B45FC mov eax, [ebp-$04]           ; eax = the received reply
004FA8C4 8A18 mov bl, byte ptr [eax]         ; opcode = first byte. No length check is visible before this read (lines above were elided); a Delphi empty string is a nil pointer, so a zero-length reply would fault here unless the elided part guards it
004FA8C6 8D45FC lea eax, [ebp-$04]
004FA8C9 B901000000 mov ecx, $00000001
004FA8CE BA01000000 mov edx, $00000001
004FA8D3 E83CA8F0FF call 00405114            ; eax=@S, edx=1, ecx=1 matches System.Delete(S,1,1): strip the opcode byte (unverified)
004FA8D8 A1C4205100 mov eax, dword ptr [$005120C4]
004FA8DD 8B00 mov eax, [eax]
004FA8DF 8B800C070000 mov eax, [eax+$070C]   ; some object at [[$005120C4]]+$70C
004FA8E5 B201 mov dl, $01
004FA8E7 8B08 mov ecx, [eax]                 ; ecx = its vtable
004FA8E9 FF5164 call dword ptr [ecx+$64]     ; virtual call with a Boolean-looking dl=1; purpose not visible here
004FA8EC 33C0 xor eax, eax
004FA8EE 8AC3 mov al, bl                     ; eax = opcode, zero-extended
004FA8F0 83F870 cmp eax, +$70
004FA8F3 7F38 jnle 004FA92D                  ; opcode > 0x70
004FA8F5 0F84FA000000 jz 004FA9F5            ; opcode == 0x70 ('p')
004FA8FB 83F865 cmp eax, +$65
004FA8FE 7F13 jnle 004FA913                  ; 0x66..0x6F
004FA900 0F8486000000 jz 004FA98C            ; opcode == 0x65 ('e'): author: authentication succeeded
004FA906 48 dec eax
004FA907 744B jz 004FA954                    ; opcode == 0x01 (target not shown)
004FA909 83E80B sub eax, +$0B
004FA90C 7460 jz 004FA96E                    ; opcode == 0x0C: author: after a successful check the server returns a few run parameters
004FA90E E926020000 jmp 004FAB39             ; no match: leave the case
004FA913 83C09A add eax, -$66                ; eax = opcode - 0x66 (0x66..0x6F sub-tree; mostly elided)
004FA916 83E803 sub eax, +$03
... ...
... ...(再次节省版面)
... ...
004FA969 E9CB010000 jmp 004FAB39
004FA96E 8B45FC mov eax, [ebp-$04]
004FA971 E82AFEFFFF call 004FA7A0            ; case 0x0C: copy the two parameter bytes of the reply into globals (listed below)
004FA976 A180225100 mov eax, dword ptr [$00512280] ;
004FA97B 8B00 mov eax, [eax] ;
* Reference to control AuthorSock : TClientSocket
004FA97D 8B4058 mov eax, [eax+$58] ;         ; DEDE labels this field AuthorSock, yet the author reads the call below as enabling a timer and DEDE names the callee a TCustomControlBar method; the labels disagree, so treat the callee as unidentified
004FA980 B201 mov dl, $01 ;                  ; Boolean argument = True
* Reference to : TCustomControlBar._PROC_00439488()
004FA982 E801EBF3FF call 00439488            ; author: verification finished, start the timer that logs into the game
004FA987 E9AD010000 jmp 004FAB39
004FA98C 8B45FC mov eax, [ebp-$04]
* Reference to : TAuthorDM._PROC_004FA800()
004FA98F E86CFEFFFF call 004FA800            ; case 'e': store the account/password fields of the reply into globals (listed below)
004FA994 33D2 xor edx, edx
004FA996 B80B000000 mov eax, $0000000B
* Reference to : TAuthorDM._PROC_004FA578()
004FA99B E8D8FBFFFF call 004FA578            ; eax=0x0B, edx=0: a TAuthorDM method, not shown; possibly the request that elicits the 0x0C reply handled above (guess)
* Possible String Reference to: '身份验证成功,感谢您支持魅力产品。'
004FA9A0 BA80AB4F00 mov edx, $004FAB80       ; "Authentication succeeded, thank you for supporting Charm products."
004FA9A5 B801000000 mov eax, $00000001
004FA9AA E8BD990000 call 0050436C            ; presumably displays that message (callee not shown)
004FA9AF E985010000 jmp 004FAB39
=======================================================================
先双击004FA98F这一行,来到这里:
=======================================================================
; TAuthorDM._PROC_004FA800: handler for the 'e' (0x65) reply. Splits the reply
; into fields and stores them in globals. The author identifies field 1 as the
; user's game account and field 2 as the game password — i.e. the vendor's
; authentication server sends the user's game credentials back to the client,
; so the vendor holds them. AuthorSock is a TClientSocket (plain WinSock, no
; built-in encryption); unless the application encrypts the payload itself,
; which is not visible in this post, those credentials cross the wire in clear.
; Prologue/epilogue and one stretch were elided by the author.
004FA800 55 push ebp
004FA801 8BEC mov ebp, esp
... ...
... ...(再再次节省版面)
... ...
004FA822 8D55F4 lea edx, [ebp-$0C]           ; edx = @field1
004FA825 8D45FC lea eax, [ebp-$04]           ; eax = @reply string (var-parameter style: the field is presumably consumed from the reply, like the Delete at 004FA8D3)
* Reference to : TAuthorDM._PROC_004FA514()
004FA828 E8E7FCFFFF call 004FA514            ; author: extract one field
004FA82D 8B55F4 mov edx, [ebp-$0C]           ; author: this is your game login account
004FA830 A150205100 mov eax, dword ptr [$00512050] ; the account-name global that ALoginExecute filled from the edit box at 0050BB58
004FA835 E8DEA3F0FF call 00404C18            ; presumably @LStrAsg: overwrite it with the server-supplied value
004FA83A 8D55F8 lea edx, [ebp-$08]           ; edx = @field2
004FA83D 8D45FC lea eax, [ebp-$04]
* Reference to : TAuthorDM._PROC_004FA514()
004FA840 E8CFFCFFFF call 004FA514            ; author: extract the next field
004FA845 33D2 xor edx, edx
004FA847 8B45F8 mov eax, [ebp-$08]           ; author: this is your game login password
004FA84A E8E5ECF0FF call 00409534            ; eax=field2, edx=0: converts the field into whatever [[$00512060]] holds; the callee is not identified in the post
004FA84F 8B1560205100 mov edx, [$00512060]   ; author: the login password is kept here
004FA855 8902 mov [edx], eax                 ; author: "the user's login password is actually managed by them — not reassuring"
======================================================================= ;真是不放心
再双击004FA971这一行,来到这里:
=======================================================================
; TAuthorDM._PROC_004FA7A0: handler for the 0x0C reply. eax = reply string
; (opcode already stripped). Stores byte 0 and byte 1 of the reply into two
; globals and sets the "verified" flag. The listing stops at 004FA7DD; the
; finally handler at 004FA7F6 and the epilogue are not shown.
004FA7A0 55 push ebp
004FA7A1 8BEC mov ebp, esp
004FA7A3 51 push ecx                         ; reserve one local: [ebp-$04]
004FA7A4 8945FC mov [ebp-$04], eax           ; [ebp-$04] = reply string
004FA7A7 8B45FC mov eax, [ebp-$04]
004FA7AA E8B5A8F0FF call 00405064            ; string-refcount helper, presumably (@LStrAddRef); unverified
004FA7AF 33C0 xor eax, eax
004FA7B1 55 push ebp
004FA7B2 68F6A74F00 push $004FA7F6
004FA7B7 64FF30 push dword ptr fs:[eax]
004FA7BA 648920 mov fs:[eax], esp            ; standard Delphi try..finally frame: install SEH handler 004FA7F6
004FA7BD 8B45FC mov eax, [ebp-$04]           ; author: after a successful check the server returns 2 parameter bytes
004FA7C0 8A00 mov al, byte ptr [eax]         ; parameter byte 1 (author observed 0x0E). No length check precedes these reads: a zero-length Delphi string is nil and would fault here (inside the try frame)
004FA7C2 8B159C1E5100 mov edx, [$00511E9C]
004FA7C8 8802 mov [edx], al                  ; -> [[$00511E9C]]
004FA7CA 8B45FC mov eax, [ebp-$04]
004FA7CD 8A4001 mov al, byte ptr [eax+$01]   ; parameter byte 2 (author observed 0x08); for a 1-byte reply this reads the string's terminating NUL
004FA7D0 8B15D01E5100 mov edx, [$00511ED0]
004FA7D6 8802 mov [edx], al                  ; -> [[$00511ED0]]
004FA7D8 A1C81F5100 mov eax, dword ptr [$00511FC8] ; author: everything OK, set a flag
004FA7DD C60001 mov byte ptr [eax], $01      ; [[$00511FC8]] := 1 — the "authentication OK" flag the patched 004FABE4 sets directly
=======================================================================
这里还有暗桩一处:(这处我也说不清是怎么得到的,瞎猫撞到死老鼠了)
有可能是验证时其它CASE情况处理的,或是ASPR壳里处理的,我懒得花时间去看了。(注意:把jnz改成90 90之后,后面的mov和call 004FA670就变成无条件执行,也就是说这个补丁是强制走004FA670这条路,而不是跳过它——这和"21H本来是验证时别的CASE写进去的"这个猜测是一致的。)
=======================================================================
; Small routine at 005036B8 (caller not identified by the author, who calls
; it a hidden check). If the global at $00511DE8 equals 0x21 it is overwritten
; with eax (whatever the caller passed in) and TAuthorDM._PROC_004FA670 is
; called; otherwise the routine returns at once. The author never found where
; 0x21 is written. Note the direction of the proposed patch: replacing the
; jnz with two NOPs makes the store and the call UNCONDITIONAL — it forces
; the 004FA670 path rather than skipping it.
005036B8 833DE81D510021 cmp dword ptr [$00511DE8], +$21 ; author: when is this 0x21 written? not found
005036BF 750A jnz 005036CB                   ; author: patch to 90 90 (-> always fall through to the store and the call)
005036C1 A3E81D5100 mov dword ptr [$00511DE8], eax ; overwrite the global with the incoming eax
* Reference to : TAuthorDM._PROC_004FA670()
005036C6 E8A56FFFFF call 004FA670            ; TAuthorDM method, not shown; whether it touches AuthorSock is not visible here
005036CB C3 ret
=======================================================================
最后整理一下破解方法,注意到这一行:
0050BC37 E8A8EFFEFF call 004FABE4 ;登陆魅力的验证服务器
我们可以把这个子程序改掉,在这里填好各项参数,直接设置定时器,登陆游戏。(注意补丁代码不能超出原子程序占用的字节范围,下面那串NOP应该就是用来填充的;另外0EH/08H是作者观察到的值,并不是从协议推出来的。)
这回终于轮到我那心爱的QVIEW280上场了(因为我不喜欢用HIEW):
=======================================================================
; The author's replacement for 004FABE4 (written with QVIEW). Instead of
; contacting the authentication server it fills in by hand the globals the
; real reply path would have set — [[$00512060]] (004FA84F), the two parameter
; bytes (004FA7C0 / 004FA7CD) and the OK flag (004FA7DD) — then runs the same
; "start timer" sequence as 004FA976..004FA982 and returns.
; Caveats: (1) 0x0E / 0x08 are values the author observed for one account, not
; derived from the protocol; (2) [[$00512060]] receives the raw pointer loaded
; from $00512244, whereas the original path stores the result of 00409534
; applied to the password string — whether the consumer accepts both is not
; visible here; (3) the NOP run presumably pads the patch to the original
; routine's length, so the patch must not exceed it; (4) with this in place
; the login path itself no longer touches the socket, but other TAuthorDM
; code (e.g. 004FA670, forced by the 005036BF patch) might.
004FABE4 A144225100 mov eax, dword ptr [$00512244] ; author: the password you typed (the record pointer, see 0050BB73)
004FABE9 8B1560205100 mov edx, [$00512060]   ; author: assign it to the login-password variable
004FABEF 8902 mov [edx], eax
004FABF1 8B059C1E5100 mov eax, [$00511E9C]   ; author: parameter 1
004FABF7 C6000E mov byte ptr [eax], $0E      ; hard-coded observed value
004FABFA 8B05D01E5100 mov eax, [$00511ED0]   ; author: parameter 2
004FAC00 C60008 mov byte ptr [eax], $08      ; hard-coded observed value
004FAC03 8B05C81F5100 mov eax, [$00511FC8]   ; author: verification OK
004FAC09 C60001 mov byte ptr [eax], $01
004FAC0C 90 nop                              ; padding over the rest of the original routine's bytes (presumably)
004FAC0D 90 nop
004FAC0E 90 nop
004FAC0F 90 nop
004FAC10 90 nop
004FAC11 90 nop
004FAC12 90 nop
004FAC13 90 nop
004FAC14 90 nop
004FAC15 90 nop
004FAC16 90 nop
004FAC17 90 nop
004FAC18 90 nop
004FAC19 90 nop
004FAC1A 90 nop
004FAC1B A180225100 mov eax, dword ptr [$00512280] ; same sequence as 004FA976..004FA982
004FAC20 8B00 mov eax, [eax]
004FAC22 8B4058 mov eax, [eax+$58]
004FAC24 B201 mov dl, $01                    ; Boolean argument = True
* Reference to : TCustomControlBar._PROC_00439488()
004FAC27 E85CE8F3FF call 00439488            ; author: start the timer that logs into the game (callee identity uncertain, see the note on 004FA982)
004FAC2C C3 ret
=======================================================================
不要忘了把下面这里改了:
=======================================================================
; Second listing of the routine at 005036B8 with the byte patch spelled out.
; 75 0A (jnz 005036CB) -> 90 90 makes the store to [$00511DE8] and the call
; to TAuthorDM._PROC_004FA670 unconditional; the patch does not skip them.
005036B8 833DE81D510021 cmp dword ptr [$00511DE8], +$21
005036BF 750A jnz 005036CB                   ; author: change 75 0A to 90 90
005036C1 A3E81D5100 mov dword ptr [$00511DE8], eax ; now always executed
* Reference to : TAuthorDM._PROC_004FA670()
005036C6 E8A56FFFFF call 004FA670            ; now always executed; body not shown
005036CB C3 ret
=======================================================================
保险一点可以搜索‘61.145.112.135’,把它随便改成什么,让它和验证服务器彻底切断联系。(注意:改掉地址只是让连接失败,并不等于删掉了联网代码;而且上面把005036BF改成90 90之后004FA670会无条件执行,它属于TAuthorDM,是否还会用到AuthorSock这里看不出来。)
呵呵,太狠了点吧,我可要溜了
**************************************************************************************************
-=======heXer/iPB======-
-=======2003.5.17======-
- 标 题:RO外挂破解一例,但愿这个不是圈内人士做的,需要下载EXE文件的到http://www.ipbcn.org/forum/去找 (14千字)
- 作 者:heXer
- 时 间:2003-5-17 15:40:02
- 链 接:http://bbs.pediy.com