《推箱子 202（275）破解》 ====>我們可以繼續玩了，哈！ (5千字)

《推箱子 202（275）破解》 ====>我們可以繼續玩了，哈！

破解人：yuppc
破解時間：2001.6.22
感謝：1212、THK

破解目的：為加入CCG而奮鬥！！

1>初步分析:多次實驗確實發現只要改動程式任何一點,啟動時程式會自動關機,用execope檢測其程式的內部結構,發現它是用Delphi編寫,這下好辦了.

2>結論:一定是函式的呼叫,並最後確定它呼叫了"ExitWindowsEx"函式.（幸好不是邏輯炸彈）^>^

3>用w32asm黃金版反彙編其主程式Cargador.exe,

4>到檔案尾部,查詢字元"exitwindow"

從檔案尾開始查詢：（個人習慣:-)）
* Referenced by a CALL at Addresses:
|:00404817 , :00404820 , :00404D63 , :00404D6C =====>四個呼叫處，記住
|

* Reference To: USER32.ExitWindowsEx, Ord:0000h
|
:00480EA2 FF25BCCA4A00 Jmp dword ptr [004ACABC]====>關機函式ExitwindowsEx的呼叫點

5>好了開始查詢呼叫windows關機函式(按上面呼叫地址,共有四處):

:0040480E 3A4DBF cmp cl, byte ptr [ebp-41] ====>檢測檔案是否被改動
:00404811 7417 je 0040482A =======>關鍵跳(否,則調動下面函式)
:00404813 6A00 push 00000000
:00404815 6A02 push 00000002

* Reference To: USER32.ExitWindowsEx, Ord:0000h======>關閉windows函式呼叫(1)
|
:00404817 E886C60700 Call 00480EA2
:0040481C 6A00 push 00000000
:0040481E 6A00 push 00000000

* Reference To: USER32.ExitWindowsEx, Ord:0000h=======>關閉windows函式呼叫(2)
|
:00404820 E87DC60700 Call 00480EA2
:00404825 E984010000 jmp 004049AE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404811(C)
|
:0040482A A17CCD4900 mov eax, dword ptr [0049CD7C] =====>破解正確入口

6>查詢第三、第四呼叫地址：

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404D42(C)
|
:00404D4A 803DCA51490000 cmp byte ptr [004951CA], 00
:00404D51 741E je 00404D71 =======>關鍵跳
:00404D53 813DCC514900B0040000 cmp dword ptr [004951CC], 000004B0
:00404D5D 7E12 jle 00404D71 =======>關鍵跳
:00404D5F 6A00 push 00000000
:00404D61 6A02 push 00000002

* Reference To: USER32.ExitWindowsEx, Ord:0000h ======>關閉windows函式呼叫(3)
|
:00404D63 E83AC10700 Call 00480EA2
:00404D68 6A00 push 00000000
:00404D6A 6A00 push 00000000

* Reference To: USER32.ExitWindowsEx, Ord:0000h =======>關閉windows函式呼叫(4)
|
:00404D6C E831C10700 Call 00480EA2

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404D51(C), :00404D5D(C)
|
:00404D71 8D55AC lea edx, dword ptr [ebp-54] =======>破解正確入口

7>第二大步:查詢程式啟動檢測註冊原始碼段:

|:00402035(C)
|
:00401FF5 8B45FC mov eax, dword ptr [ebp-04] -----------------------------^-----------------------
:00401FF8 8A8405C5FEFFFF mov al, byte ptr [ebp+eax-0000013B] | |
:00401FFF 8B55FC mov edx, dword ptr [ebp-04] |
:00402002 3A84152AFFFFFF cmp al, byte ptr [ebp+edx-000000D6] ====>註冊碼單碼比較 |
:00402009 7423 je 0040202E =======>關鍵跳(對,則跳) |
:0040200B C60564D1490000 mov byte ptr [0049D164], 00 |
:00402012 C605CED2490000 mov byte ptr [0049D2CE], 00 |
:00402019 A160D14900 mov eax, dword ptr [0049D160] 迴圈檢測段
:0040201E 8B80E8020000 mov eax, dword ptr [eax+000002E8] |
:00402024 33D2 xor edx, edx |
:00402026 89500C mov dword ptr [eax+0C], edx |
:00402029 E91D030000 jmp 0040234B |
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |
|:00402009(C) |
| |
:0040202E FF45FC inc [ebp-04] ====>迴圈增位 |
:00402031 837DFC07 cmp dword ptr [ebp-04], 00000007====>迴圈條件判斷 |
:00402035 75BE jne 00401FF5 ======>迴圈跳(主要是迴圈比較註冊碼用,當[ebp-4]的值等於7時便繼續執行)

8>分析完成,開始動手改動:
開啟Hex shop找到"關鍵跳",將它們全部改成Jmp(明白了嗎) :-)

9>測試結果:一個bug--->最高分記錄停止 ====>那位高手繼續
其他一切正常！！！！

《推箱子 202（275）破解》 ====>我們可以繼續玩了，哈！ (5千字)

相關文章