《Sokoban (推箱子) 202(275) Crack》 ====> We can keep playing, ha!
Cracked by: yuppc
Date cracked: 2001.6.22
Thanks to: 1212, THK
Purpose: fighting to join CCG!!
1> Initial analysis: repeated tests confirmed that if any part of the program is modified, it shuts the machine down on startup. Inspecting its internal structure with execope showed it was written in Delphi, which makes things easier.
2> Conclusion: it must be a function call, and I finally confirmed it calls the "ExitWindowsEx" function. (Luckily it isn't a logic bomb) ^>^
3> Disassemble the main program Cargador.exe with the W32Dasm gold edition.
4> Go to the end of the file and search for the string "exitwindow".
Search starting from the end of the file (personal habit :-))
* Referenced by a CALL at Addresses:
|:00404817 , :00404820 , :00404D63 , :00404D6C =====> the four call sites; remember these
|
* Reference To: USER32.ExitWindowsEx, Ord:0000h
|
:00480EA2 FF25BCCA4A00 Jmp dword ptr [004ACABC] ====> the call point (import thunk) of the shutdown function ExitWindowsEx
5> Now look up the calls to the Windows shutdown function (four sites, using the call addresses above):
:0040480E 3A4DBF cmp cl, byte ptr [ebp-41] ====> checks whether the file has been modified
:00404811 7417 je 0040482A =======> key jump (if not taken, the function below gets called)
:00404813 6A00 push 00000000
:00404815 6A02 push 00000002
* Reference To: USER32.ExitWindowsEx, Ord:0000h ======> call to the Windows shutdown function (1)
|
:00404817 E886C60700 Call 00480EA2
:0040481C 6A00 push 00000000
:0040481E 6A00 push 00000000
* Reference To: USER32.ExitWindowsEx, Ord:0000h =======> call to the Windows shutdown function (2)
|
:00404820 E87DC60700 Call 00480EA2
:00404825 E984010000 jmp 004049AE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404811(C)
|
:0040482A A17CCD4900 mov eax, dword ptr [0049CD7C] =====> the correct target for the patched jump
6> Find the third and fourth call sites:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404D42(C)
|
:00404D4A 803DCA51490000 cmp byte ptr [004951CA], 00
:00404D51 741E je 00404D71 =======> key jump
:00404D53 813DCC514900B0040000 cmp dword ptr [004951CC], 000004B0
:00404D5D 7E12 jle 00404D71 =======> key jump
:00404D5F 6A00 push 00000000
:00404D61 6A02 push 00000002
* Reference To: USER32.ExitWindowsEx, Ord:0000h ======> call to the Windows shutdown function (3)
|
:00404D63 E83AC10700 Call 00480EA2
:00404D68 6A00 push 00000000
:00404D6A 6A00 push 00000000
* Reference To: USER32.ExitWindowsEx, Ord:0000h =======> call to the Windows shutdown function (4)
|
:00404D6C E831C10700 Call 00480EA2
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404D51(C), :00404D5D(C)
|
:00404D71 8D55AC lea edx, dword ptr [ebp-54] =======> the correct target for the patched jump
7> Second major step: find the code segment that checks registration at startup:
|:00402035(C)
|
:00401FF5 8B45FC mov eax, dword ptr [ebp-04]
:00401FF8 8A8405C5FEFFFF mov al, byte ptr [ebp+eax-0000013B]
:00401FFF 8B55FC mov edx, dword ptr [ebp-04]
:00402002 3A84152AFFFFFF cmp al, byte ptr [ebp+edx-000000D6] ====> compares a single byte of the registration code
:00402009 7423 je 0040202E =======> key jump (taken if the byte matches)
:0040200B C60564D1490000 mov byte ptr [0049D164], 00
:00402012 C605CED2490000 mov byte ptr [0049D2CE], 00
:00402019 A160D14900 mov eax, dword ptr [0049D160]
Loop check section
:0040201E 8B80E8020000 mov eax, dword ptr [eax+000002E8]
:00402024 33D2 xor edx, edx
:00402026 89500C mov dword ptr [eax+0C], edx
:00402029 E91D030000 jmp 0040234B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402009(C)
|
:0040202E FF45FC inc [ebp-04] ====> loop counter increment
:00402031 837DFC07 cmp dword ptr [ebp-04], 00000007 ====> loop condition check
:00402035 75BE jne 00401FF5 ======> loop jump (used to compare the registration code byte by byte in a loop; execution continues once the value of [ebp-4] equals 7)
8> Analysis complete, time to start patching:
Open Hex shop, find the "key jumps", and change every one of them to Jmp (got it?) :-)
9> Test result: one bug ---> the high-score record stops working ====> someone more skilled, please carry on
Everything else works fine!!!!