一篇有關cd-check的譯文，隨便看看吧！上網費超支，下個月見，兄弟們！ (6千字)

Static Vengeance CD 保護破解教程---Addiction Pinball

工具:
1.遊戲:Addiction Pinball

2.W32Dasm

3.十六進位制編輯器

Addiction Pinball 是一個基於win95平臺的遊戲,所以破解它並不難。首先要作的當然是安裝遊戲,然後拿掉CD執行一下,看看它說了什麼。是不是跳出破框要你放入光碟呢？沒問題，讓我們解決它。用 W32Dasm 反彙編pinball.exe檔案，完成後查詢一下“字串資料參考”，你要找 "Insert CD..."，什麼？沒找到。那隻好用“查詢”功能找函式"GetDriveTypeA"，這樣我們會來到這段程式碼：

* Referenced by a CALL at Addresses:
|:00401A8E , :004033BC , :00403BD5 ;從不同的地方 Call 以下程式碼
|
:0043E8F0 83EC44 sub esp, 00000044
:0043E8F3 53 push ebx
:0043E8F4 56 push esi
:0043E8F5 57 push edi
:0043E8F6 55 push ebp
:0043E8F7 BB02000000 mov ebx, 00000002 ; 我們後面要用到這條指令

* Reference To: KERNEL32.GetLogicalDrives, Ord:00F9h ; 檢測CD時常用到的例程
|
:0043E8FC FF156C934700 Call dword ptr [0047936C]
:0043E902 8BF8 mov edi, eax
:0043E904 8B74245C mov esi, dword ptr [esp+5C]
:0043E908 C64424113A mov [esp+11], 3A
:0043E90D C64424125C mov [esp+12], 5C
:0043E912 C644241300 mov [esp+13], 00

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Eh ; 檢測CD的卷標名
|
:0043E917 8B2D64934700 mov ebp, dword ptr [00479364]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043E96F(C)
|
:0043E91D B801000000 mov eax, 00000001
:0043E922 8ACB mov cl, bl
:0043E924 D3E0 shl eax, cl
:0043E926 85C7 test edi, eax
:0043E928 7441 je 0043E96B
:0043E92A 8D4361 lea eax, dword ptr [ebx+61]
:0043E92D 88442410 mov byte ptr [esp+10], al
:0043E931 8D442410 lea eax, dword ptr [esp+10]
:0043E935 50 push eax

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh ; 我們被帶到這裡
|
:0043E936 FF1568934700 Call dword ptr [00479368]
:0043E93C 83F805 cmp eax, 00000005 ; 05 是光碟機的程式碼值
:0043E93F 752A jne 0043E96B ; 若不等就跳到CD檢測失敗的程式碼處:0043E941 8D442414 lea eax, dword ptr [esp+14]
:0043E945 6A00 push 00000000
:0043E947 8D4C2414 lea ecx, dword ptr [esp+14]
:0043E94B 6A00 push 00000000
:0043E94D 6A00 push 00000000
:0043E94F 6A00 push 00000000
:0043E951 6A00 push 00000000
:0043E953 6A40 push 00000040
:0043E955 50 push eax
:0043E956 51 push ecx
:0043E957 FFD5 call ebp
:0043E959 8D4C2414 lea ecx, dword ptr [esp+14]
:0043E95D 56 push esi
:0043E95E 51 push ecx
:0043E95F E8FCDD0100 call 0045C760
:0043E964 83C408 add esp, 00000008
:0043E967 85C0 test eax, eax
:0043E969 7412 je 0043E97D ; 執行這個跳轉繼續 CD 的檢測

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043E928(C), :0043E93F(C)
|
:0043E96B 43 inc ebx ; CD 迴圈檢測的計數器
:0043E96C 83FB20 cmp ebx, 00000020 ; 最高測試次數為 32 次
:0043E96F 7CAC jl 0043E91D
:0043E971 33C0 xor eax, eax ; EAX 置0 表示CD 檢測失敗
:0043E973 5D pop ebp
:0043E974 5F pop edi
:0043E975 5E pop esi
:0043E976 5B pop ebx
:0043E977 83C444 add esp, 00000044
:0043E97A C20800 ret 0008 ; 返回

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043E969(C)
|
:0043E97D 8B542458 mov edx, dword ptr [esp+58]
:0043E981 85D2 test edx, edx
:0043E983 7423 je 0043E9A8
:0043E985 8D7C2410 lea edi, dword ptr [esp+10]
:0043E989 B9FFFFFFFF mov ecx, FFFFFFFF
:0043E98E 2BC0 sub eax, eax
:0043E990 F2 repnz
:0043E991 AE scasb
:0043E992 F7D1 not ecx
:0043E994 2BF9 sub edi, ecx
:0043E996 8BC1 mov eax, ecx
:0043E998 C1E902 shr ecx, 02
:0043E99B 8BF7 mov esi, edi
:0043E99D 8BFA mov edi, edx
:0043E99F F3 repz
:0043E9A0 A5 movsd
:0043E9A1 8BC8 mov ecx, eax
:0043E9A3 83E103 and ecx, 00000003
:0043E9A6 F3 repz
:0043E9A7 A4 movsb

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043E983(C)
| ; 我們最終想要到達的地方!
:0043E9A8 B801000000 mov eax, 00000001 ; 設定CD 檢測透過的標記值
:0043E9AD 5D pop ebp
:0043E9AE 5F pop edi
:0043E9AF 5E pop esi
:0043E9B0 5B pop ebx
:0043E9B1 83C444 add esp, 00000044
:0043E9B4 C20800 ret 0008 ; 返回

好了，從以上 CD 檢測程式碼的分析，你也能看出我們需要到達 43E9A8 才能在 EAX 置 1 以透過 CD檢測。那我們該怎麼辦好呢？這一次我決定找一處程式碼置入一個jump指令以直接到達43E9A8。這樣程式就會直接跳到"found the CD" 處的程式碼，並且不會執行CD的檢測。向上看看，你會發現43E8F7的指令"mov ebx, 00000002"這是一個很好的插入點，因為它的位元組數剛好和一個長跳轉相等。那就來吧，將"mov ebx, 00000002"換成"jmp 43E9A8",用十六進位制編輯器作如下修改：

Edit pinball.exe at offset 253,175
==================================
Search for: BB 02 00 00 00
Change to : E9 AC 00 00 00

ok,任務完成！

Static Vengeance

一篇有關cd-check的譯文，隨便看看吧！上網費超支，下個月見，兄弟們！ (6千字)

相關文章