上海大富翁1940硬碟版製作

這是我學crack後的第一篇關於crack的文章,不對的地方請各位兄弟姐妹多指教。另外，哪位幫忙pj一下smart goj2000？我折騰了好久都沒搞定。

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E42(U)
|
:004325C0 81EC00010000 sub esp, 00000100
:004325C6 56 push esi
:004325C7 57 push edi

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:004325C8 8B3D5CC44600 mov edi, dword ptr [0046C45C]
:004325CE BE41000000 mov esi, 00000041

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00432653(C)
|
:004325D3 56 push esi
:004325D4 8D84248C000000 lea eax, dword ptr [esp+0000008C]

* Possible StringData Ref from Data Obj ->"%c:\"
|
:004325DB 68880D4600 push 00460D88
:004325E0 50 push eax
:004325E1 E89A1A0000 call 00434080
:004325E6 83C40C add esp, 0000000C
:004325E9 8D8C2488000000 lea ecx, dword ptr [esp+00000088]
:004325F0 51 push ecx
:004325F1 FFD7 call edi
:004325F3 83F805 cmp eax, 00000005 <--------判斷是否為光碟機,可以改為判斷是否為硬碟
:004325F6 7554 jne 0043264C<------------進一步尋找光碟機
:004325F8 56 push esi
:004325F9 8D54240C lea edx, dword ptr [esp+0C]

* Possible StringData Ref from Data Obj ->"%c:\sprite\1940.col"<---在當前盤根目錄下讀取此檔案
|
:004325FD 68700D4600 push 00460D70
:00432602 52 push edx
:00432603 E8781A0000 call 00434080
:00432608 8D442414 lea eax, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"rb"
|
:0043260C 68B0B74500 push 0045B7B0
:00432611 50 push eax
:00432612 E8C9240000 call 00434AE0
:00432617 83C414 add esp, 00000014
:0043261A 85C0 test eax, eax　
:0043261C 0F85BB000000 jne 004326DD　<---------檔案讀取成功，遊戲轉入正常執行，否則進一步尋找
:00432622 56 push esi
:00432623 8D4C240C lea ecx, dword ptr [esp+0C]

* Possible StringData Ref from Data Obj ->"%c:\1940\sprite\1940.col"<---在當前盤根目錄下讀取此檔案
|
:00432627 68500D4600 push 00460D50
:0043262C 51 push ecx
:0043262D E84E1A0000 call 00434080
:00432632 8D542414 lea edx, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"rb"
|
:00432636 68B0B74500 push 0045B7B0
:0043263B 52 push edx
:0043263C E89F240000 call 00434AE0
:00432641 83C414 add esp, 00000014
:00432644 85C0 test eax, eax
:00432646 0F8591000000 jne 004326DD　<---------檔案讀取成功，遊戲轉入正常執行，否則進一步尋找

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004325F6(C)
|
:0043264C 46 inc esi
:0043264D 8D46C0 lea eax, dword ptr [esi-40]
:00432650 83F81A cmp eax, 0000001A　<-------------從a-z順次查詢
:00432653 0F8E7AFFFFFF jle 004325D3
:00432659 68AA000000 push 000000AA<-----沒有找到，提示錯誤
:0043265E 68B4000000 push 000000B4
:00432663 B94C8A4600 mov ecx, 00468A4C
:00432668 E807F3FCFF call 00401974
:0043266D B94C8A4600 mov ecx, 00468A4C
:00432672 E8C7F1FCFF call 0040183E
:00432677 6A02 push 00000002
:00432679 B94C8A4600 mov ecx, 00468A4C
:0043267E E8A0F3FCFF call 00401A23
:00432683 68F6000000 push 000000F6
:00432688 68F4000000 push 000000F4
:0043268D 68F4000000 push 000000F4
:00432692 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"請插入遊戲光碟!"
|
:00432694 683C0D4600 push 00460D3C
:00432699 B94C8A4600 mov ecx, 00468A4C
:0043269E E840F2FCFF call 004018E3
:004326A3 B94C8A4600 mov ecx, 00468A4C
:004326A8 E899F3FCFF call 00401A46
:004326AD B9C87D4600 mov ecx, 00467DC8
:004326B2 E85EEDFCFF call 00401415
:004326B7 B9C87D4600 mov ecx, 00467DC8
:004326BC E84EF3FCFF call 00401A0F
:004326C1 A144CA4500 mov eax, dword ptr [0045CA44]
:004326C6 8D0C40 lea ecx, dword ptr [eax+2*eax]
:004326C9 D1E1 shl ecx, 1
:004326CB 51 push ecx

* Reference To: KERNEL32.Sleep, Ord:0296h
|
:004326CC FF1538C44600 Call dword ptr [0046C438]
:004326D2 5F pop edi
:004326D3 32C0 xor al, al
:004326D5 5E pop esi
:004326D6 81C400010000 add esp, 00000100
:004326DC C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043261C(C), :00432646(C)
|
:004326DD 50 push eax
:004326DE E89D1D0000 call 00434480
:004326E3 83C404 add esp, 00000004
:004326E6 B001 mov al, 01
:004326E8 5F pop edi
:004326E9 5E pop esi
:004326EA 81C400010000 add esp, 00000100
:004326F0 C3 ret

根據以上的分析，“1940.col”存放路徑有兩個，"%c:\sprite\1940.col"或"%c:\1940\sprite\1940.col"。除此以外
即使是光碟也將提示"請插入遊戲光碟!"，所以“1940.col”存放路徑也需要修改，可以選擇第一個來修改。

這樣需要修改的地方有兩處：
:004325F3 83F805 cmp eax, 00000005 <--------判斷是否為光碟機,改為判斷是否為硬碟
:00432627 68500D4600 push 00460D50　<-------1940.col存放路徑，改為實際硬碟路徑

由於"1940.col"的存放路徑可能很深，而程式本身分配的地方實在可憐，所以需要徵用大片土地來存放完整路徑

00460D3C："請插入遊戲光碟!"，crack後，就沒有用了，徵用這塊地方。
00460D70："%c:\sprite\1940.col"，本來就要使用
00460D50："%c:\1940\sprite\1940.col"，crack後，就沒有用了，徵用！

這樣可以使用的空間大約80個位元組。所以"1940.col"的路徑就要進行限制了,我把1940.exe的安裝路徑長度限制在60，不過一般不會超出此長度，至於二般情況我就$#$^%$^%$。

下面是補丁，不足之處請各位大蝦多指點
//borland c++ builder5.0
#pragma hdrstop
#include <fstream.h>
#include <string.h>
#include <assert.h>
//---------------------------------------------------------------------------

#pragma argsused
int main(int argc, char* argv[])
{
char str[80];
GetCurrentDirectory(65,str);
if(strlen(str)>60)
{
cout<<"error";
exit(0);
}
strcat(str,"\\sprite\\1940.col");

ifstream in("1940.exe",ios::in|ios::out);
ostream out(in.rdbuf());

//modify check for cdrom
out.seekp(0x325F5,ios::beg);
out<<(char)0x03;

//modify path of "1940.col"
out.seekp(0x60D37,ios::beg);
for(unsigned int i=0;i<strlen(str);i++)
out<<(char)str[i];
out<<(char)0;

out.seekp(0x60D36,ios::beg);
out<<(char)0x25<<(char)0x63;

//modify reference to path of(1940.col)
out.seekp(0x325FE,ios::beg);
out<<(char)0x36;

in.close();
return 0;
}
//-------------<

上海大富翁1940硬碟版製作

相關文章