Writing something down: a noob plays with protections too...
This post was last edited by JolaSia on 2015-2-8 17:25.
A few scattered thoughts; mistakes are hard to avoid, so please point them out...
A bit of an aside first. A lot of people ask me how to get started. Embarrassingly, I've never read the tutorials floating around online, but I can share some experience from the past few years for reference. Some say programs nowadays all have strong packers, so do you still have to learn unpacking? I don't know much about packers myself, but I've lost count of the games I've debugged, and almost all of them were debugged with the packer still on. I don't unpack, but at least I know how to pack, for the very practical reason that you have to protect your own code. Think about it: these days everything is VM-protected at the drop of a hat. Joking aside, packer knowledge is nice to have, and if you have plenty of spare time it's fine to study it purely out of interest. But how long would it take you before you could handle a VM? By the time you can, who knows what new M will be out. So packer knowledge isn't a necessity for doing G; study it in your spare time.
Others ask whether you should first learn assembly inside out. I think you must learn it, and the basics are mandatory: registers, calling conventions, stack layout and so on, and above all the relationship between assembly and high-level languages. Put simply: can you read the code? More concretely: can you emulate or call the code you've analysed? People talk about writing standalone clients and the like. Think about it: suppose you find the algorithm part; if you can't emulate it, or lift that part out, a standalone client is going to be hard, since very few of us do cryptography.
Then people ask whether they need ring 0 knowledge. I feel a basic understanding is needed, but going deep isn't necessary. There are plenty of tools, and even when the tools can't handle it, a lot can still be solved from ring 3.
This is getting rambling... enough of the chatter.
Back to the topic. I grabbed two games from my machine and did some analysis. The write-up may skip around and leave things out, since the analysis was done a while ago. When you get a game, first identify the main program. Many games' main programs take a command line these days, so first grab the command line, which makes it convenient to launch it directly from OD and trace the startup. But some games, even without a command line, still won't start normally, for example the W美 series. For the first game, let's talk about W美降龙之剑.
The game's main program is client.exe. Drop it straight into OD and analyse its startup. I'll skip the analysis process; we know launching client.exe directly doesn't seem to work... Debugging turned up one key function..
0040ED40 .55 push ebp
0040ED41 .8BEC mov ebp,esp
0040ED43 .83E4 F8 and esp,FFFFFFF8
0040ED46 .6A FF push -1
0040ED48 .68 B6349400 push client.009434B6 ;SE handler installation
0040ED4D .64:A1 0000000>mov eax,dword ptr fs:
0040ED53 .50 push eax
0040ED54 .64:8925 00000>mov dword ptr fs:,esp
0040ED5B .81EC 74060000 sub esp,674
0040ED61 .53 push ebx
0040ED62 .55 push ebp
0040ED63 .8B2D 84529900 mov ebp,dword ptr ds:[<&KERNEL32.GetCurr>;kernel32.GetCurrentDirectoryA
0040ED69 .56 push esi
0040ED6A .57 push edi
0040ED6B .8BF1 mov esi,ecx
0040ED6D .33C0 xor eax,eax
0040ED6F .33DB xor ebx,ebx
0040ED71 .889C24 E00100>mov byte ptr ss:,bl
0040ED78 .B9 3F000000 mov ecx,3F
0040ED7D .8DBC24 E10100>lea edi,dword ptr ss:
0040ED84 .F3:AB rep stos dword ptr es:
0040ED86 .66:AB stos word ptr es:
0040ED88 .8D8424 E00100>lea eax,dword ptr ss:
0040ED8F .50 push eax ; /Buffer
0040ED90 .68 FF000000 push 0FF ; |BufSize = FF (255.)
0040ED95 .FFD5 call ebp ; \GetCurrentDirectoryA
0040ED97 .8DBC24 E00100>lea edi,dword ptr ss:
0040ED9E .4F dec edi
0040ED9F .90 nop
0040EDA0 >8A47 01 mov al,byte ptr ds:
0040EDA3 .47 inc edi
0040EDA4 .3AC3 cmp al,bl
0040EDA6 .^ 75 F8 jnz short client.0040EDA0
0040EDA8 .66:8B0D 6C639>mov cx,word ptr ds:
0040EDAF .66:890F mov word ptr ds:,cx
0040EDB2 .8DBC24 E00100>lea edi,dword ptr ss:
0040EDB9 .4F dec edi
0040EDBA .8D9B 00000000 lea ebx,dword ptr ds:
0040EDC0 >8A47 01 mov al,byte ptr ds:
0040EDC3 .47 inc edi
0040EDC4 .3AC3 cmp al,bl
0040EDC6 .^ 75 F8 jnz short client.0040EDC0
0040EDC8 .8B15 58639900 mov edx,dword ptr ds:
0040EDCE .A1 5C639900 mov eax,dword ptr ds:
0040EDD3 .8B0D 60639900 mov ecx,dword ptr ds:
0040EDD9 .8917 mov dword ptr ds:,edx
0040EDDB .8B15 64639900 mov edx,dword ptr ds:
0040EDE1 .8947 04 mov dword ptr ds:,eax
0040EDE4 .A0 68639900 mov al,byte ptr ds:
0040EDE9 .894F 08 mov dword ptr ds:,ecx
0040EDEC .8957 0C mov dword ptr ds:,edx
0040EDEF .8D4C24 1B lea ecx,dword ptr ss:
0040EDF3 .8847 10 mov byte ptr ds:,al
0040EDF6 .E8 75F44500 call client.0086E270
0040EDFB .6A 01 push 1
0040EDFD .68 4C639900 push client.0099634C ;ASCII "client.exe"
0040EE02 .8D4C24 23 lea ecx,dword ptr ss:
0040EE06 .899C24 940600>mov dword ptr ss:,ebx
0040EE0D .E8 5EB9FFFF call client.0040A770
0040EE12 .6A 01 push 1
0040EE14 .68 3C639900 push client.0099633C ;ASCII "client_r.exe"
0040EE19 .8D4C24 23 lea ecx,dword ptr ss:
0040EE1D .8BF8 mov edi,eax
0040EE1F .E8 4CB9FFFF call client.0040A770
0040EE24 .33C9 xor ecx,ecx
0040EE26 .03F8 add edi,eax
0040EE28 .83FF 01 cmp edi,1
0040EE2B .0F9EC1 setle cl
0040EE2E .898E 88000000 mov dword ptr ds:,ecx
0040EE34 .8B15 1856A600 mov edx,dword ptr ds:
0040EE3A .52 push edx
0040EE3B .E8 60960500 call client.004684A0
0040EE40 .A1 785AA600 mov eax,dword ptr ds:
0040EE45 .83C4 04 add esp,4
0040EE48 .83F8 10 cmp eax,10
0040EE4B .A1 645AA600 mov eax,dword ptr ds:
0040EE50 .73 05 jnb short client.0040EE57
0040EE52 .B8 645AA600 mov eax,client.00A65A64
0040EE57 >50 push eax
0040EE58 .8D8424 640100>lea eax,dword ptr ss:
0040EE5F .68 78669900 push client.00996678 ;ASCII "%s"
0040EE64 .50 push eax
0040EE65 .E8 B4BE4F00 call client.0090AD1E
0040EE6A .8B0D 64669900 mov ecx,dword ptr ds:
0040EE70 .8B15 68669900 mov edx,dword ptr ds:
0040EE76 .A1 6C669900 mov eax,dword ptr ds:
0040EE7B .83C4 0C add esp,0C
0040EE7E .894C24 30 mov dword ptr ss:,ecx
0040EE82 .8B0D 70669900 mov ecx,dword ptr ds:
0040EE88 .895424 34 mov dword ptr ss:,edx
0040EE8C .66:8B15 74669>mov dx,word ptr ds:
0040EE93 .6A 02 push 2 ; /Priority = THREAD_PRIORITY_HIGHEST
0040EE95 .894424 3C mov dword ptr ss:,eax ; |
0040EE99 .894C24 40 mov dword ptr ss:,ecx ; |
0040EE9D .66:895424 44mov word ptr ss:,dx ; |
0040EEA2 .FF15 AC509900 call dword ptr ds:[<&KERNEL32.GetCurrent>; |[GetCurrentThread
0040EEA8 .50 push eax ; |hThread
0040EEA9 .FF15 A8509900 call dword ptr ds:[<&KERNEL32.SetThreadP>; \SetThreadPriority
0040EEAF .6A 60 push 60
0040EEB1 .E8 9A544300 call client.00844350
0040EEB6 .83C4 04 add esp,4
0040EEB9 .894424 14 mov dword ptr ss:,eax
0040EEBD .3BC3 cmp eax,ebx
0040EEBF .C68424 8C0600>mov byte ptr ss:,1
0040EEC7 .74 0B je short client.0040EED4
0040EEC9 .8BC8 mov ecx,eax
0040EECB .E8 20D42F00 call client.0070C2F0
0040EED0 .8BF8 mov edi,eax
0040EED2 .EB 02 jmp short client.0040EED6
0040EED4 >33FF xor edi,edi
0040EED6 >3BFB cmp edi,ebx
0040EED8 .889C24 8C0600>mov byte ptr ss:,bl
0040EEDF .74 07 je short client.0040EEE8
0040EEE1 .8B07 mov eax,dword ptr ds:
0040EEE3 .8BCF mov ecx,edi
0040EEE5 .FF50 04 call dword ptr ds:
0040EEE8 >8B8E A8000000 mov ecx,dword ptr ds:
0040EEEE .3BCB cmp ecx,ebx
0040EEF0 .74 05 je short client.0040EEF7
0040EEF2 .8B11 mov edx,dword ptr ds:
0040EEF4 .FF52 08 call dword ptr ds:
0040EEF7 >89BE A8000000 mov dword ptr ds:,edi
0040EEFD .E8 8E3E0000 call client.00412D90
0040EF02 .68 48669900 push client.00996648 ; /Title = "<<W美-降龙之剑>>自动更新"
0040EF07 .53 push ebx ; |Class
0040EF08 .FF15 D4539900 call dword ptr ds:[<&USER32.FindWindowA>>; \FindWindowA
0040EF0E .894424 14 mov dword ptr ss:,eax
0040EF12 .33C0 xor eax,eax
0040EF14 .885C24 60 mov byte ptr ss:,bl
0040EF18 .B9 3F000000 mov ecx,3F
0040EF1D .8D7C24 61 lea edi,dword ptr ss:
0040EF21 .F3:AB rep stos dword ptr es:
0040EF23 .66:AB stos word ptr es:
0040EF25 .8D4424 60 lea eax,dword ptr ss:
0040EF29 .50 push eax
0040EF2A .68 FF000000 push 0FF
0040EF2F .FFD5 call ebp
0040EF31 .8D7C24 60 lea edi,dword ptr ss:
0040EF35 .4F dec edi
0040EF36 >8A47 01 mov al,byte ptr ds:
0040EF39 .47 inc edi
0040EF3A .3AC3 cmp al,bl
0040EF3C .^ 75 F8 jnz short client.0040EF36
0040EF3E .8B0D 44669900 mov ecx,dword ptr ds: ;client.0050505C
0040EF44 .8D4424 60 lea eax,dword ptr ss:
0040EF48 .890F mov dword ptr ds:,ecx
0040EF4A .C74424 5C 0F0>mov dword ptr ss:,0F
0040EF52 .895C24 58 mov dword ptr ss:,ebx
0040EF56 .885C24 48 mov byte ptr ss:,bl
0040EF5A .8D50 01 lea edx,dword ptr ds:
0040EF5D .8D49 00 lea ecx,dword ptr ds:
0040EF60 >8A08 mov cl,byte ptr ds:
0040EF62 .40 inc eax
0040EF63 .3ACB cmp cl,bl
0040EF65 .^ 75 F9 jnz short client.0040EF60
0040EF67 .2BC2 sub eax,edx
0040EF69 .50 push eax
0040EF6A .8D5424 64 lea edx,dword ptr ss:
0040EF6E .52 push edx
0040EF6F .8D4C24 4C lea ecx,dword ptr ss:
0040EF73 .E8 382CFFFF call client.00401BB0
0040EF78 .8D4424 44 lea eax,dword ptr ss:
0040EF7C .50 push eax
0040EF7D .C68424 900600>mov byte ptr ss:,2
0040EF85 .E8 A6134300 call client.00840330
0040EF8A .8B4C24 60 mov ecx,dword ptr ss:
0040EF8E .83C4 04 add esp,4
0040EF91 .F7D8 neg eax
0040EF93 .1AC0 sbb al,al
0040EF95 .FEC0 inc al
0040EF97 .83F9 10 cmp ecx,10
0040EF9A .884424 1F mov byte ptr ss:,al
0040EF9E .889C24 8C0600>mov byte ptr ss:,bl
0040EFA5 72 11 jb short client.0040EFB8
0040EFA7 .8B4C24 48 mov ecx,dword ptr ss:
0040EFAB .51 push ecx
0040EFAC .E8 30B64F00 call client.0090A5E1
0040EFB1 .8A4424 23 mov al,byte ptr ss:
0040EFB5 .83C4 04 add esp,4
0040EFB8 >3AC3 cmp al,bl
0040EFBA .74 0D je short client.0040EFC9
0040EFBC .8D5424 60 lea edx,dword ptr ss:
0040EFC0 .52 push edx
0040EFC1 .E8 AEFD4F00 call client.0090ED74
0040EFC6 .83C4 04 add esp,4
0040EFC9 8D7C24 60 lea edi,dword ptr ss:
0040EFCD 4F dec edi
0040EFCE .8BFF mov edi,edi
0040EFD0 >8A47 01 mov al,byte ptr ds:
0040EFD3 .47 inc edi
0040EFD4 .3AC3 cmp al,bl
0040EFD6 .^ 75 F8 jnz short client.0040EFD0
0040EFD8 .66:A1 6C63990>mov ax,word ptr ds:
0040EFDE .66:8907 mov word ptr ds:,ax
0040EFE1 .68 D4AF84CF push CF84AFD4
0040EFE6 .E8 7981FFFF call client.00407164
0040EFEB $FF3424 push dword ptr ss:
0040EFEE .894C24 28 mov dword ptr ss:,ecx
0040EFF2 .66:0FB6E8 movzx bp,al
0040EFF6 .66:0FCE bswap si
0040EFF9 .5E pop esi
0040EFFA .9C pushfd
0040EFFB .8F4424 20 pop dword ptr ss:
0040EFFF .D3ED shr ebp,cl
0040F001 .66:0FBDE9 bsr bp,cx
0040F005 .66:0FCD bswap bp
0040F008 .66:0FB3C5 btr bp,ax
0040F00C .894424 1C mov dword ptr ss:,eax
0040F010 .66:D3E6 shl si,cl
0040F013 .0FACDE 0F shrd esi,ebx,0F
0040F017 .66:09F5 or bp,si
0040F01A .895424 18 mov dword ptr ss:,edx
0040F01E .E9 A9C30000 jmp client.0041B3CC
0040F023 .FECA dec dl
0040F025 .30C8 xor al,cl
0040F027 .8B55 00 mov edx,dword ptr ss:
0040F02A .C0F0 06 sal al,6
0040F02D .F5 cmc
0040F02E .F5 cmc
0040F02F .24 57 and al,57
0040F031 .83C5 02 add ebp,2
0040F034 .E8 CD83FFFF call client.00407406
0040F039 $E9 BD900000 jmp client.004180FB
0040F03E >F6D2 not dl
0040F040 .F5 cmc
0040F041 .66:894C24 08mov word ptr ss:,cx
0040F046 .83ED 02 sub ebp,2
0040F049 .E8 46910000 call client.00418194
0040F04E >9C pushfd
0040F04F .D2E0 shl al,cl
0040F051 .53 push ebx
0040F052 66:8945 04 mov word ptr ss:,ax
0040F056 883424 mov byte ptr ss:,dh
0040F059 E9 AEB80000 jmp client.0041A90C
0040F05E 894C24 24 mov dword ptr ss:,ecx
0040F062 66:87F5 xchg bp,si
0040F065 55 push ebp
0040F066 E9 E7B20000 jmp client.0041A352
0040F06B 86E0 xchg al,ah
0040F06D 880424 mov byte ptr ss:,al
0040F070 F6C6 E0 test dh,0E0
0040F073 53 push ebx
0040F074 66:29C3 sub bx,ax
0040F077 F5 cmc
0040F078 68 74D6F477 push 77F4D674 ;ASCII "QuoteRDNValue"
0040F07D 80FD 4C cmp ch,4C
0040F080 ^ E9 55B0FFFF jmp client.0040A0DA
0040F085 E8 93AE0000 call client.00419F1D
0040F08A 12E8 adc ch,al
0040F08C 40 inc eax
0040F08D 36:43 inc ebx
0040F08F 008B 08682C66 add byte ptr ds:,cl
0040F095 99 cdq
0040F096 0050 FF add byte ptr ds:,dl
0040F099 51 push ecx
0040F09A 108B 2DA05099 adc byte ptr ds:,cl
0040F0A0 0083 C4086800 add byte ptr ds:,al
0040F0A6 4E dec esi
0040F0A7 A6 cmps byte ptr ds:,byte ptr es:
0040F0A8 0053 6A add byte ptr ds:,dl
0040F0AB 02FF add bh,bh
0040F0AD D5 8B aad 8B
0040F0AF F8 clc
0040F0B0 3BFB cmp edi,ebx
0040F0B2 74 0E je short client.0040F0C2
0040F0B4 .57 push edi ; /hEvent
0040F0B5 .FF15 9C509900 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
0040F0BB .57 push edi ; /hObject
0040F0BC .FF15 34529900 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
0040F0C2 >68 1C669900 push client.0099661C ;ASCII "PPStartEvent"
0040F0C7 .53 push ebx
0040F0C8 .6A 02 push 2
0040F0CA .FFD5 call ebp
0040F0CC .8BF8 mov edi,eax
0040F0CE .3BFB cmp edi,ebx
0040F0D0 .74 0E je short client.0040F0E0
0040F0D2 .57 push edi ; /hEvent
0040F0D3 .FF15 9C509900 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
0040F0D9 .57 push edi ; /hObject
0040F0DA .FF15 34529900 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
0040F0E0 >6A 04 push 4
0040F0E2 .889E 90000000 mov byte ptr ds:,bl
0040F0E8 .E8 AE984E00 call client.008F899B
0040F0ED .83C4 04 add esp,4
0040F0F0 .894424 14 mov dword ptr ss:,eax
0040F0F4 .3BC3 cmp eax,ebx
0040F0F6 .C68424 8C0600>mov byte ptr ss:,3
0040F0FE .74 09 je short client.0040F109
0040F100 .8BC8 mov ecx,eax
0040F102 .E8 59690000 call client.00415A60
0040F107 .EB 02 jmp short client.0040F10B
0040F109 >33C0 xor eax,eax
0040F10B >889C24 8C0600>mov byte ptr ss:,bl
0040F112 .8946 08 mov dword ptr ds:,eax
0040F115 .E8 36F00400 call client.0045E150
0040F11A .50 push eax
0040F11B .E8 D0EF0400 call client.0045E0F0
0040F120 .8B4E 08 mov ecx,dword ptr ds:
0040F123 .50 push eax
0040F124 .8D9424 680100>lea edx,dword ptr ss:
0040F12B .52 push edx
0040F12C .8D4424 3C lea eax,dword ptr ss:
0040F130 .50 push eax
0040F131 .E8 3A8A0000 call client.00417B70
0040F136 .85C0 test eax,eax
0040F138 .75 0E jnz short client.0040F148
0040F13A .6A 30 push 30
0040F13C .53 push ebx
0040F13D .68 08669900 push client.00996608
0040F142 .53 push ebx
0040F143 .E9 CE000000 jmp client.0040F216
0040F148 >E8 83354300 call client.008426D0
0040F14D .8B08 mov ecx,dword ptr ds:
0040F14F .68 F0659900 push client.009965F0 ;ASCII "Create Window Sucess"
0040F154 .50 push eax
0040F155 .FF51 10 call dword ptr ds:
0040F158 .6A 04 push 4
0040F15A .E8 3C984E00 call client.008F899B
0040F15F .8BF8 mov edi,eax
0040F161 .83C4 0C add esp,0C
0040F164 .3BFB cmp edi,ebx
0040F166 .74 11 je short client.0040F179
0040F168 .8D5424 30 lea edx,dword ptr ss:
0040F16C .52 push edx ; /MutexName
0040F16D .53 push ebx ; |InitialOwner
0040F16E .53 push ebx ; |pSecurity
0040F16F .FF15 64519900 call dword ptr ds:[<&KERNEL32.CreateMute>; \CreateMutexA
0040F175 .8907 mov dword ptr ds:,eax
0040F177 .EB 02 jmp short client.0040F17B
0040F179 >33FF xor edi,edi
0040F17B >8B46 08 mov eax,dword ptr ds:
0040F17E .89BE 9C010000 mov dword ptr ds:,edi
0040F184 .8B08 mov ecx,dword ptr ds:
0040F186 .6A 05 push 5 ; /ShowState = SW_SHOW
0040F188 .51 push ecx ; |hWnd
0040F189 .FF15 CC539900 call dword ptr ds:[<&USER32.ShowWindow>] ; \ShowWindow
0040F18F .8B56 08 mov edx,dword ptr ds:
0040F192 .8B02 mov eax,dword ptr ds:
0040F194 .50 push eax ; /hWnd
0040F195 .FF15 C8539900 call dword ptr ds:[<&USER32.UpdateWindow>; \UpdateWindow
0040F19B .8D8E 40010000 lea ecx,dword ptr ds:
0040F1A1 .51 push ecx ; /pRect
0040F1A2 .FF15 C4539900 call dword ptr ds:[<&USER32.GetClipCurso>; \GetClipCursor
0040F1A8 .8D9424 E00300>lea edx,dword ptr ss:
0040F1AF .52 push edx ; /Buffer
0040F1B0 .68 FF000000 push 0FF ; |BufSize = FF (255.)
0040F1B5 .FF15 84529900 call dword ptr ds:[<&KERNEL32.GetCurrent>; \GetCurrentDirectoryA
0040F1BB .8D8424 E00300>lea eax,dword ptr ss:
0040F1C2 .50 push eax
0040F1C3 .8D8C24 840500>lea ecx,dword ptr ss:
0040F1CA .68 E0659900 push client.009965E0 ;ASCII "%s\system.ini"
0040F1CF .51 push ecx
0040F1D0 .E8 49BB4F00 call client.0090AD1E
0040F1D5 .A1 60FFA600 mov eax,dword ptr ds:
0040F1DA .83C4 0C add esp,0C
0040F1DD .3BC3 cmp eax,ebx
0040F1DF .0F85 30010000 jnz client.0040F315
0040F1E5 .E8 D62E4300 call client.008420C0
0040F1EA .8B56 08 mov edx,dword ptr ds:
0040F1ED .8B02 mov eax,dword ptr ds:
0040F1EF .6A 01 push 1
0040F1F1 .53 push ebx
0040F1F2 .50 push eax
0040F1F3 .E8 582F4300 call client.00842150
0040F1F8 .83C4 0C add esp,0C
0040F1FB .3BC3 cmp eax,ebx
0040F1FD .A3 60FFA600 mov dword ptr ds:,eax
0040F202 .75 44 jnz short client.0040F248
0040F204 .8B4E 08 mov ecx,dword ptr ds:
0040F207 .8B11 mov edx,dword ptr ds:
0040F209 .6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0040F20B .68 D0659900 push client.009965D0 ; |Title = "DirectX3D异常"
0040F210 .68 70659900 push client.00996570 ; |Text = "未发现DirectX3D设备,请确认未禁用3D加速功能且测试Direct 3D通过, 或更新最新的显卡驱动后再尝试游戏"
0040F215 .52 push edx ; |hOwner
0040F216 >FF15 8C539900 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
0040F21C .8D4C24 1B lea ecx,dword ptr ss:
0040F220 .C78424 8C0600>mov dword ptr ss:,-1
0040F22B .E8 D01DFFFF call client.00401000
0040F230 .33C0 xor eax,eax
0040F232 .8B8C24 840600>mov ecx,dword ptr ss:
0040F239 .64:890D 00000>mov dword ptr fs:,ecx
0040F240 .5F pop edi
0040F241 .5E pop esi
0040F242 .5D pop ebp
0040F243 .5B pop ebx
0040F244 .8BE5 mov esp,ebp
0040F246 .5D pop ebp
0040F247 .C3 retn
Analysis found one key check, which mainly decides whether the game was started by the launcher:
0040EFA5 /72 11 jb short client.0040EFB8
From the information that follows you can see it's related to starting the protection, so can we skip it?
Because of the VM, the code OD disassembles here may be a bit off..
Let's look at the normal code...
0040F08B E8 40364300 call client.008426D0
0040F090 8B08 mov ecx,dword ptr ds:
0040F092 68 2C669900 push client.0099662C ;ASCII "PP Sucess"
0040F097 50 push eax
0040F098 FF51 10 call dword ptr ds:
0040F09B 8B2D A0509900 mov ebp,dword ptr ds:[<&KERNEL32.OpenEve>;kernel32.OpenEventA
0040F0A1 83C4 08 add esp,8
0040F0A4 68 004EA600 push client.00A64E00 ;ASCII "PP_XLZJ_EventA"
0040F0A9 53 push ebx
0040F0AA 6A 02 push 2
0040F0AC FFD5 call ebp
0040F0AE 8BF8 mov edi,eax
0040F0B0 3BFB cmp edi,ebx
0040F0B2 74 0E je short client.0040F0C2
0040F0B4 .57 push edi ; /hEvent
0040F0B5 .FF15 9C509900 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
0040F0BB .57 push edi ; /hObject
0040F0BC .FF15 34529900 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
0040F0C2 >68 1C669900 push client.0099661C ;ASCII "PPStartEvent"
0040F0C7 .53 push ebx
0040F0C8 .6A 02 push 2
0040F0CA .FFD5 call ebp
0040F0CC .8BF8 mov edi,eax
0040F0CE .3BFB cmp edi,ebx
0040F0D0 .74 0E je short client.0040F0E0
0040F0D2 .57 push edi ; /hEvent
0040F0D3 .FF15 9C509900 call dword ptr ds:[<&KERNEL32.SetEvent>] ; \SetEvent
0040F0D9 .57 push edi ; /hObject
0040F0DA .FF15 34529900 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
0040F0E0 >6A 04 push 4
0040F0E2 .889E 90000000 mov byte ptr ds:,bl
0040F0E8 .E8 AE984E00 call client.008F899B
0040F0ED .83C4 04 add esp,4
0040F0F0 .894424 14 mov dword ptr ss:,eax
0040F0F4 .3BC3 cmp eax,ebx
0040F0F6 .C68424 8C0600>mov byte ptr ss:,3
0040F0FE .74 09 je short client.0040F109
So we find a spot and JMP over to here....
With that the game runs normally.
After the game was running, I found that it exits after roughly 2 minutes, which means the client still has a check....
To debug with some stability we certainly need to solve this...
After analysis..
The game error is caused by an exception... and it has to pass through one function:
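Added example, not from the original post: a small Python checker for listings like the two above. It re-derives each relative call/jmp/jcc target from the byte column and checks that every row starts where the previous row's bytes end, so paste damage and the junk rows a VM region leaves behind show up before you trust what OD printed. SAMPLE is copied from the client.exe listing above; DAMAGED is the same listing with one byte column mangled the way forum pastes often come out (the X in 382XFFFF).

```python
import re

ADDR_RE = re.compile(r'^([0-9A-F]{8})[\s.$>|/\\^]*(.*)$')      # address plus OllyDbg markers
BYTE_TOK = re.compile(r'^[0-9A-Z:]+>?$')          # "E8", "64:A1", "0000000>" (column cut off)
GLUED = re.compile(r'^([0-9A-Z:]+>?)([a-z]\S*)$')  # "44mov", "E00100>lea": bytes stuck to mnemonic
TARGET_RE = re.compile(r'([0-9A-F]{8})\s*$')      # "short client.0040EDA0" -> 0040EDA0

def parse_line(line):
    """(addr, code, truncated, mnemonic, operands) for an instruction row, else None;
    code is None when a byte group is not hex, truncated when OllyDbg cut the column."""
    m = ADDR_RE.match(line.strip())
    if not m:
        return None
    addr, toks = int(m.group(1), 16), m.group(2).split()
    code, truncated, i = bytearray(), False, 0
    while i < len(toks):
        g = GLUED.match(toks[i])
        if g:
            toks[i:i + 1] = [g.group(1), g.group(2)]
        tok = toks[i]
        if not BYTE_TOK.match(tok):
            break                                  # reached the mnemonic
        i += 1
        if tok.endswith('>'):
            truncated = True                       # rest of this row's bytes are unknown
            continue
        try:
            code += bytes.fromhex(tok.replace(':', ''))   # "64:A1" is prefix + opcode
        except ValueError:
            return addr, None, truncated, None, None
    if i >= len(toks) or (not code and not truncated):
        return None
    return addr, bytes(code), truncated, toks[i], ' '.join(toks[i + 1:])

def branch_target(addr, code):
    """Target of a relative call/jmp/jcc encoded by code at addr, else None."""
    if not code:
        return None
    op = code[0]
    if op in (0xE8, 0xE9) and len(code) == 5:                        # call/jmp rel32
        size, rel = 5, int.from_bytes(code[1:], 'little', signed=True)
    elif (op == 0xEB or 0x70 <= op <= 0x7F) and len(code) == 2:      # jmp/jcc short rel8
        size, rel = 2, int.from_bytes(code[1:], 'little', signed=True)
    elif op == 0x0F and len(code) == 6 and 0x80 <= code[1] <= 0x8F:  # jcc near rel32
        size, rel = 6, int.from_bytes(code[2:], 'little', signed=True)
    else:
        return None
    return (addr + size + rel) & 0xFFFFFFFF

def check_listing(text):
    """[(addr, kind, detail)]: 'garbled' = bytes not hex, 'gap' = row does not start
    where the previous row's bytes end, 'mismatch' = bytes encode another target."""
    findings, expected = [], None
    for line in text.splitlines():
        row = parse_line(line)
        if row is None:
            continue
        addr, code, truncated, _mnem, ops = row
        if expected is not None and addr != expected:
            findings.append((addr, 'gap', 'expected next row at %08X' % expected))
        if code is None:
            findings.append((addr, 'garbled', 'byte column is not valid hex'))
            expected = None
            continue
        expected = None if truncated else addr + len(code)
        target, printed = branch_target(addr, code), TARGET_RE.search(ops)
        if target is not None and printed and int(printed.group(1), 16) != target:
            findings.append((addr, 'mismatch', 'bytes encode %08X, listing says %s' % (target, printed.group(1))))
    return findings

# Rows copied from the client.exe listing above; they hold together.
SAMPLE = r"""
0040ED9E .4F dec edi
0040ED9F .90 nop
0040EDA0 >8A47 01 mov al,byte ptr ds:
0040EDA3 .47 inc edi
0040EDA4 .3AC3 cmp al,bl
0040EDA6 .^ 75 F8 jnz short client.0040EDA0
0040EDA8 .66:8B0D 6C639>mov cx,word ptr ds:
"""

# Same listing, but one row's byte column got mangled in the paste (the X).
DAMAGED = r"""
0040EF6F .8D4C24 4C lea ecx,dword ptr ss:
0040EF73 .E8 382XFFFF call client.00401BB0
0040EF78 .8D4424 44 lea eax,dword ptr ss:
"""
```

Run check_listing on a whole pasted listing; a 'gap' right after a garbled row is normal, a 'mismatch' in the middle of otherwise clean rows is where OD disassembled from inside an instruction.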
0090A6A9/> /55 push ebp
0090A6AA|. |8BEC mov ebp,esp
0090A6AC|. |83EC 04 sub esp,4
0090A6AF|. |53 push ebx
0090A6B0|. |56 push esi
0090A6B1|. |57 push edi
0090A6B2|. |FC cld
0090A6B3|. |8945 FC mov ,eax
0090A6B6|. |33C0 xor eax,eax
0090A6B8|. |50 push eax
0090A6B9|. |50 push eax
0090A6BA|. |50 push eax
0090A6BB|. |FF75 FC push
0090A6BE|. |FF75 14 push
0090A6C1|. |FF75 10 push
0090A6C4|. |FF75 0C push
0090A6C7|. |FF75 08 push
0090A6CA|. |E8 04720000 call client.009118D3
0090A6CF|. |83C4 20 add esp,20
0090A6D2|. |8945 FC mov ,eax
0090A6D5|. |5F pop edi
0090A6D6|. |5E pop esi
0090A6D7|. |5B pop ebx
0090A6D8|. |8B45 FC mov eax,
0090A6DB|. |8BE5 mov esp,ebp
0090A6DD|. |5D pop ebp
0090A6DE\. |C3 retn
Found the call site..
0094354C $B8 A403A000 mov eax,client.00A003A4 ;structured exception handler
00943551 .^ E9 5371FCFF jmp client.0090A6A9
00943556 CC int3
Set a breakpoint...
Let's dig through the stack...
.....
0012F834|7C92E48A return to ntdll.KiUserApcDispatcher+3A from ntdll.7C94A970
0012F838|00000000
0012F83C|0012F864
0012F840|0012F848
0012F844|0012F864
0012F848|C0000005
0012F84C|00000000
0012F850|00000000
0012F854|00AC94CDclient.00AC94CD
An exception like C0000005 needs no explanation from me,
but what is client.00AC94CD? Let's go in and look...
00AC94CD CD 22 int 22
So 00AC94CD is an int 22. Once execution reaches it an exception is triggered that the program can't handle, so it exits. Just NOP out the 2 bytes at 00AC94CD...
Now the client behaves... debug normally.
These days protections like NP, HS and XTrap are everywhere, plus domestic ones like TP and GPK, more and more of them. Facing these protections, if you can't fight them from ring 0, is there really nothing you can do?
Let me briefly describe how I handled a foreign game protected by XTrap.
First start its main program with OD...
Found the key CALL
005F4EF0/$81EC 44070000 sub esp,744
005F4EF6|.53 push ebx
005F4EF7|.56 push esi
005F4EF8|.57 push edi
005F4EF9|.33DB xor ebx,ebx
005F4EFB|.B9 4A000000 mov ecx,4A
005F4F00|.33C0 xor eax,eax
005F4F02|.8DBC24 29020000 lea edi,dword ptr ss:
005F4F09|.889C24 28020000 mov byte ptr ss:,bl
005F4F10|.F3:AB rep stos dword ptr es:
005F4F12|.66:AB stos word ptr es:
005F4F14|.AA stos byte ptr es:
005F4F15|.B9 40000000 mov ecx,40
005F4F1A|.33C0 xor eax,eax
005F4F1C|.8DBC24 59040000 lea edi,dword ptr ss:
005F4F23|.889C24 58040000 mov byte ptr ss:,bl
005F4F2A|.F3:AB rep stos dword ptr es:
005F4F2C|.66:AB stos word ptr es:
005F4F2E|.AA stos byte ptr es:
005F4F2F|.B9 40000000 mov ecx,40
005F4F34|.33C0 xor eax,eax
005F4F36|.8DBC24 25010000 lea edi,dword ptr ss:
005F4F3D|.889C24 24010000 mov byte ptr ss:,bl
005F4F44|.F3:AB rep stos dword ptr es:
005F4F46|.66:AB stos word ptr es:
005F4F48|.AA stos byte ptr es:
005F4F49|.B9 40000000 mov ecx,40
005F4F4E|.33C0 xor eax,eax
005F4F50|.8DBC24 55030000 lea edi,dword ptr ss:
005F4F57|.889C24 54030000 mov byte ptr ss:,bl
005F4F5E|.F3:AB rep stos dword ptr es:
005F4F60|.66:AB stos word ptr es:
005F4F62|.AA stos byte ptr es:
005F4F63|.E8 78060000 call Fiesta.005F55E0
005F4F68|.8BB424 54070000 mov esi,dword ptr ss:
005F4F6F|.56 push esi
005F4F70|.68 209F8300 push Fiesta.00839F20 ;ASCII "%s"
005F4F75|.68 F2C89000 push Fiesta.0090C8F2
005F4F7A|.E8 C8F31700 call Fiesta.00774347
005F4F7F|.83C4 0C add esp,0C
005F4F82|.81C6 80000000 add esi,80
005F4F88|.56 push esi
005F4F89|.68 209F8300 push Fiesta.00839F20 ;ASCII "%s"
005F4F8E|.68 E0C69000 push Fiesta.0090C6E0
005F4F93|.E8 AFF31700 call Fiesta.00774347
005F4F98|.83C4 0C add esp,0C
005F4F9B|.C705 D8C59000 410000D5 mov dword ptr ds:,D5000041
005F4FA5|.C705 D4C59000 000000E5 mov dword ptr ds:,E5000000
005F4FAF|.68 A89D8300 push Fiesta.00839DA8 ;ASCII "211.115.86.66"
005F4FB4|.68 209F8300 push Fiesta.00839F20 ;ASCII "%s"
005F4FB9|.68 ECC79000 push Fiesta.0090C7EC
005F4FBE|.E8 84F31700 call Fiesta.00774347
005F4FC3|.8BB424 64070000 mov esi,dword ptr ss:
005F4FCA|.83C4 0C add esp,0C
005F4FCD|.66:C705 F0C89000 7809mov word ptr ds:,978
005F4FD6|.56 push esi ; /String
005F4FD7|.FF15 90F17B00 call dword ptr ds:[<&KERNEL32.lstrlenA>] ; \lstrlenA
005F4FDD|.85C0 test eax,eax
005F4FDF|.75 74 jnz short Fiesta.005F5055
005F4FE1|.8D8424 54030000 lea eax,dword ptr ss:
005F4FE8|.68 04010000 push 104 ; /BufSize = 104 (260.)
005F4FED|.50 push eax ; |PathBuffer
005F4FEE|.53 push ebx ; |hModule
005F4FEF|.FF15 CCF17B00 call dword ptr ds:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA
005F4FF5|.85C0 test eax,eax
005F4FF7|.75 2D jnz short Fiesta.005F5026
005F4FF9|.FF15 9CF07B00 call dword ptr ds:[<&KERNEL32.GetLastErr>; [GetLastError
005F4FFF|.6A 01 push 1
005F5001|.50 push eax
005F5002|.6A 11 push 11
005F5004|.68 50CC9000 push Fiesta.0090CC50
005F5009|.E8 E2400000 call Fiesta.005F90F0
005F500E|.83C4 10 add esp,10
005F5011|.891D 44C49000 mov dword ptr ds:,ebx
005F5017|.E8 C42A0000 call Fiesta.005F7AE0
005F501C|.5F pop edi
005F501D|.5E pop esi
005F501E|.5B pop ebx
005F501F|.81C4 44070000 add esp,744
005F5025|.C3 retn
005F5026|>8D8C24 58040000 lea ecx,dword ptr ss:
005F502D|.8D9424 54030000 lea edx,dword ptr ss:
005F5034|.51 push ecx
005F5035|.52 push edx
005F5036|.E8 85360000 call Fiesta.005F86C0
005F503B|.83C4 08 add esp,8
005F503E|.8D8424 58040000 lea eax,dword ptr ss:
005F5045|.8D8C24 24010000 lea ecx,dword ptr ss:
005F504C|.50 push eax
005F504D|.68 149F8300 push Fiesta.00839F14 ;ASCII "%s\XTrap"
005F5052|.51 push ecx
005F5053|.EB 0E jmp short Fiesta.005F5063
005F5055|>56 push esi
005F5056|.8D9424 28010000 lea edx,dword ptr ss:
005F505D|.68 149F8300 push Fiesta.00839F14 ;ASCII "%s\XTrap"
005F5062|.52 push edx
005F5063|>E8 DFF21700 call Fiesta.00774347
005F5068|.83C4 0C add esp,0C
005F506B|.8D8424 28020000 lea eax,dword ptr ss:
005F5072|.8D8C24 24010000 lea ecx,dword ptr ss:
005F5079|.50 push eax
005F507A|.68 B0C59000 push Fiesta.0090C5B0
005F507F|.51 push ecx
005F5080|.E8 AB230000 call Fiesta.005F7430
005F5085|.8B8424 58020000 mov eax,dword ptr ss:
005F508C|.83C4 0C add esp,0C
005F508F|.83F8 02 cmp eax,2
005F5092|.0F84 B6010000 je Fiesta.005F524E
005F5098|.3D 01500A00 cmp eax,0A5001
005F509D|.0F84 AB010000 je Fiesta.005F524E
005F50A3|.B9 40000000 mov ecx,40
005F50A8|.33C0 xor eax,eax
005F50AA|.8D7C24 21 lea edi,dword ptr ss:
005F50AE|.885C24 20 mov byte ptr ss:,bl
005F50B2|.F3:AB rep stos dword ptr es:
005F50B4|.66:AB stos word ptr es:
005F50B6|.33D2 xor edx,edx
005F50B8|.68 089F8300 push Fiesta.00839F08 ;ASCII "XTrapVa.dll"
005F50BD|.895424 14 mov dword ptr ss:,edx
005F50C1|.8D4C24 24 lea ecx,dword ptr ss:
005F50C5|.AA stos byte ptr es:
005F50C6|.8D8424 28010000 lea eax,dword ptr ss:
005F50CD|.895424 18 mov dword ptr ss:,edx
005F50D1|.50 push eax
005F50D2|.895424 20 mov dword ptr ss:,edx
005F50D6|.68 009F8300 push Fiesta.00839F00 ;ASCII "%s\%s"
005F50DB|.51 push ecx
005F50DC|.895C24 1C mov dword ptr ss:,ebx
005F50E0|.895424 2C mov dword ptr ss:,edx
005F50E4|.E8 5EF21700 call Fiesta.00774347
005F50E9|.8D5424 1C lea edx,dword ptr ss:
005F50ED|.8D4424 30 lea eax,dword ptr ss:
005F50F1|.52 push edx
005F50F2|.50 push eax
005F50F3|.E8 F8350000 call Fiesta.005F86F0
005F50F8|.83C4 18 add esp,18
005F50FB|.8D8C24 24010000 lea ecx,dword ptr ss:
005F5102|.8D5424 20 lea edx,dword ptr ss:
005F5106|.68 F89E8300 push Fiesta.00839EF8 ;ASCII "*.xtp"
005F510B|.51 push ecx
005F510C|.68 009F8300 push Fiesta.00839F00 ;ASCII "%s\%s"
005F5111|.52 push edx
005F5112|.E8 30F21700 call Fiesta.00774347
005F5117|.8D4424 20 lea eax,dword ptr ss:
005F511B|.8D4C24 30 lea ecx,dword ptr ss:
005F511F|.50 push eax
005F5120|.51 push ecx
005F5121|.E8 CA350000 call Fiesta.005F86F0
005F5126|.83C4 18 add esp,18
005F5129|.8D9424 24010000 lea edx,dword ptr ss:
005F5130|.8D4424 20 lea eax,dword ptr ss:
005F5134|.68 EC9E8300 push Fiesta.00839EEC ;ASCII "XTrap.XT"
005F5139|.52 push edx
005F513A|.68 009F8300 push Fiesta.00839F00 ;ASCII "%s\%s"
005F513F|.50 push eax
005F5140|.E8 02F21700 call Fiesta.00774347
005F5145|.8D4C24 24 lea ecx,dword ptr ss:
005F5149|.8D5424 30 lea edx,dword ptr ss:
005F514D|.51 push ecx
005F514E|.52 push edx
005F514F|.E8 9C350000 call Fiesta.005F86F0
005F5154|.83C4 18 add esp,18
005F5157|.8D8424 24010000 lea eax,dword ptr ss:
005F515E|.8D4C24 20 lea ecx,dword ptr ss:
005F5162|.68 E49E8300 push Fiesta.00839EE4 ;ASCII "*.dll"
005F5167|.50 push eax
005F5168|.68 009F8300 push Fiesta.00839F00 ;ASCII "%s\%s"
005F516D|.51 push ecx
005F516E|.E8 D4F11700 call Fiesta.00774347
005F5173|.8D5424 28 lea edx,dword ptr ss:
005F5177|.8D4424 30 lea eax,dword ptr ss:
005F517B|.52 push edx
005F517C|.50 push eax
005F517D|.E8 6E350000 call Fiesta.005F86F0
005F5182|.83C4 18 add esp,18
005F5185|.8D8C24 24010000 lea ecx,dword ptr ss:
005F518C|.8D5424 20 lea edx,dword ptr ss:
005F5190|.68 E09E8300 push Fiesta.00839EE0 ;ASCII "*.*"
005F5195|.51 push ecx
005F5196|.68 009F8300 push Fiesta.00839F00 ;ASCII "%s\%s"
005F519B|.52 push edx
005F519C|.E8 A6F11700 call Fiesta.00774347
005F51A1|.8D4424 2C lea eax,dword ptr ss:
005F51A5|.8D4C24 30 lea ecx,dword ptr ss:
005F51A9|.50 push eax
005F51AA|.51 push ecx
005F51AB|.E8 40350000 call Fiesta.005F86F0
005F51B0|.8B8424 64020000 mov eax,dword ptr ss:
005F51B7|.83C4 18 add esp,18
005F51BA|.3D 0B500A00 cmp eax,0A500B
005F51BF|.75 45 jnz short Fiesta.005F5206
005F51C1|.8B4424 1C mov eax,dword ptr ss:
005F51C5|.8B4C24 18 mov ecx,dword ptr ss:
005F51C9|.8D9424 24010000 lea edx,dword ptr ss:
005F51D0|.52 push edx
005F51D1|.8B5424 18 mov edx,dword ptr ss:
005F51D5|.50 push eax
005F51D6|.8B4424 18 mov eax,dword ptr ss:
005F51DA|.51 push ecx
005F51DB|.8B4C24 18 mov ecx,dword ptr ss:
005F51DF|.52 push edx
005F51E0|.8B15 ECCD9000 mov edx,dword ptr ds:
005F51E6|.50 push eax
005F51E7|.A1 F0CD9000 mov eax,dword ptr ds:
005F51EC|.51 push ecx
005F51ED|.52 push edx
005F51EE|.50 push eax
005F51EF|.8D8C24 7C050000 lea ecx,dword ptr ss:
005F51F6|.68 C49E8300 push Fiesta.00839EC4 ;ASCII "%08X.(%d).%d.%d.%d.%d.%d.%s"
005F51FB|.51 push ecx
005F51FC|.E8 46F11700 call Fiesta.00774347
005F5201|.83C4 28 add esp,28
005F5204|.EB 1E jmp short Fiesta.005F5224
005F5206|>8D9424 54020000 lea edx,dword ptr ss:
005F520D|.52 push edx
005F520E|.50 push eax
005F520F|.8D8424 64050000 lea eax,dword ptr ss:
005F5216|.68 BC9E8300 push Fiesta.00839EBC ;ASCII "%08X.%s"
005F521B|.50 push eax
005F521C|.E8 26F11700 call Fiesta.00774347
005F5221|.83C4 10 add esp,10
005F5224|>8B0D ECCD9000 mov ecx,dword ptr ds:
005F522A|.6A 03 push 3
005F522C|.51 push ecx
005F522D|.8D9424 64050000 lea edx,dword ptr ss:
005F5234|.6A 11 push 11
005F5236|.52 push edx
005F5237|.E8 B43E0000 call Fiesta.005F90F0
005F523C|.83C4 10 add esp,10
005F523F|.E8 9C280000 call Fiesta.005F7AE0
005F5244|.5F pop edi
005F5245|.5E pop esi
005F5246|.5B pop ebx
005F5247|.81C4 44070000 add esp,744
005F524D|.C3 retn
005F524E|>B9 18000000 mov ecx,18
005F5253|.8DB424 54020000 lea esi,dword ptr ss:
005F525A|.BF F0CB9000 mov edi,Fiesta.0090CBF0
005F525F|.83E8 02 sub eax,2
005F5262|.F3:A5 rep movs dword ptr es:,dword ptr ds>
005F5264|.74 0D je short Fiesta.005F5273
005F5266|.2D FF4F0A00 sub eax,0A4FFF
005F526B|.891D 44C49000 mov dword ptr ds:,ebx
005F5271|.75 0A jnz short Fiesta.005F527D
005F5273|>C705 44C49000 01000000 mov dword ptr ds:,1
005F527D|>8D8424 28020000 lea eax,dword ptr ss:
005F5284|.50 push eax
005F5285|.E8 362D0000 call Fiesta.005F7FC0
005F528A|.8B8424 50020000 mov eax,dword ptr ss:
005F5291|.83C4 04 add esp,4
005F5294|.83F8 02 cmp eax,2
005F5297|.74 41 je short Fiesta.005F52DA
005F5299|.8B0D ECCD9000 mov ecx,dword ptr ds:
005F529F|.8B15 F0CD9000 mov edx,dword ptr ds:
005F52A5|.51 push ecx
005F52A6|.52 push edx
005F52A7|.50 push eax
005F52A8|.8D8424 68050000 lea eax,dword ptr ss:
005F52AF|.68 AC9E8300 push Fiesta.00839EAC ;ASCII "%08X.%08x.(%d)"
005F52B4|.50 push eax
005F52B5|.E8 8DF01700 call Fiesta.00774347
005F52BA|.8B0D F0CD9000 mov ecx,dword ptr ds:
005F52C0|.6A 12 push 12
005F52C2|.51 push ecx
005F52C3|.8D9424 78050000 lea edx,dword ptr ss:
005F52CA|.6A 11 push 11
005F52CC|.52 push edx
005F52CD|.E8 1E3E0000 call Fiesta.005F90F0
005F52D2|.83C4 24 add esp,24
005F52D5|.E8 06280000 call Fiesta.005F7AE0
005F52DA|>5F pop edi
005F52DB|.5E pop esi
005F52DC|.C705 E8CD9000 00010000 mov dword ptr ds:,100
005F52E6|.5B pop ebx
005F52E7|.81C4 44070000 add esp,744
005F52ED\.C3 retn
Inside it we find the key CALL
005F5080|.E8 AB230000 call Fiesta.005F7430
After this call executes the protection starts.
Stepping into it in OD showed it's a parameterless function, so just retn and don't let the protection start.
Found that after the call returns there's another return value check.
005F5098|.3D 01500A00 cmp eax,0A5001
So find a spot and write in
005F5085|.8B8424 58020000 mov eax,dword ptr ss:
changed to
005F5085 B8 01500A00 mov eax,0A5001
005F508A 90 nop
005F508B 90 nop
To sum up here: every type of protection has a return value check in its startup process, np, hs, gpk and so on.
At this point OD can start the game normally... After entering the game with a character, the client closed after about 1 minute, which means the protection communicates. So are we really powerless?
No rush, let me take it slowly.
The client closing is actually fairly easy to deal with. After a few modifications the client was well behaved and didn't close, but the character got disconnected after a while. That means XTrap still communicates with the server...
So we have to find the key communication spot. Debugging found..
005F77F0/$A1 C0CD9000 mov eax,dword ptr ds: ;XTrapVa.dll base check....
005F77F5|.85C0 test eax,eax
005F77F7|.75 05 jnz short Fiesta.005F77FE ;force the jump
005F77F9|.E8 E2020000 call Fiesta.005F7AE0 ;does the nasty stuff
005F77FE|>8B4424 14 mov eax,dword ptr ss:
005F7802|.8B4C24 10 mov ecx,dword ptr ss:
005F7806|.8B5424 0C mov edx,dword ptr ss:
005F780A|.50 push eax
005F780B|.8B4424 0C mov eax,dword ptr ss:
005F780F|.51 push ecx
005F7810|.8B4C24 0C mov ecx,dword ptr ss:
005F7814|.52 push edx
005F7815|.50 push eax
005F7816|.51 push ecx
005F7817|.FF15 FCCD9000 call dword ptr ds: ;XTrapVa.dll_Base+A4A0 communication function call
005F781D|.83C4 14 add esp,14
005F7820\.C3 retn
So the handling in code is simple.
About my approach: I copied XTrapVa.dll out directly and renamed it a.dll. This is to avoid having to redo this part every time XTrap updates, because generally this kind of protection's algorithm doesn't change much.
// Assumed here: XX is a global HMODULE kept across calls (the post only shows the fragment).
if XX = 0 then
begin
  XX := LoadLibrary('a.dll');
  //PDWORD($0090CDC0)^ := XX; //the base must not be written in; writing it triggers more checks...
  PDWORD($0090CDFC)^ := XX + $A4A0; //write the communication CALL in...
end;
As for //PDWORD($0090CDC0)^ := XX; and why it isn't written in: that depends on analysing the specific game. I just force the jump.
Grateful for the selfless sharing and contribution :) ....................... What a rare, powerful post. Not bad, showing my support