【Title】: [Network verification cracking] Converting a cheat's network verification to local
【Author】: KuNgBiM
【Author's e-mail】: kungbim@163.com
【Author's homepage】: http://www.crkcn.com
【Software】: 惊天伴侣 2.2.5 Member Enhanced Edition (updated 26 March 2007)
【Size】: 1.71 MB
【Download】: search for it yourself
【Packer】: ASProtect 2.1x SKE
【Protection】: network verification
【Language】: Microsoft Visual C++ 6.0
【Tools】: OllyICE
【Platform】: pirated, non-standard XP SP2
【Description】: helper tool for the MMO 惊天动地, commonly called a "cheat" (外挂).
【Author's note】: Done purely out of interest, for no other purpose. Corrections to any mistakes are welcome!
--------------------------------------------------------------------------------
【Detailed process】
Since the program is packed with a standard ASProtect 2.1x SKE that does not steal code, we unpack it first for convenience and then analyze...
After unpacking, load it into OllyICE. The program handles its key strings well, so the string plugin is of no use.
So we fall back on the usual method, an API breakpoint, to debug it.
Command-line breakpoint: bpx closesocket
Press F9 to run, enter a username, click "Login", and it breaks here:
00418E79 . 6A 10 push 10 ; the cheat's network verification starts here
00418E7B . 8D85 60FEFFFF lea eax, dword ptr [ebp-1A0] ; compute the length of the game ID
00418E81 . 50 push eax
00418E82 . 6A 60 push 60
00418E84 . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00418E8A . 51 push ecx
00418E8B . 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
00418E91 . 52 push edx
00418E92 . E8 B9320100 call 0042C150 ; check whether the cheat is already in a communicating state
00418E97 . 83C4 18 add esp, 18
00418E9A . 833D 9C826500 00 cmp dword ptr [65829C], 0
00418EA1 . 74 16 je short 00418EB9 ; jumps if not yet communicating (ignore)
00418EA3 . A1 9C826500 mov eax, dword ptr [65829C]
00418EA8 . 50 push eax ; /Socket => 384
00418EA9 . FF15 E4A54600 call dword ptr [<&ws2_32.closesocket>] ; \closesocket
00418EAF . C705 9C826500 00000000 mov dword ptr [65829C], 0
00418EB9 > 833D 9C826500 00 cmp dword ptr [65829C], 0
00418EC0 . 75 11 jnz short 00418ED3 ; if not yet communicating, prepare to fetch the verification server address
00418EC2 . 6A 00 push 0 ; /Protocol = IPPROTO_IP
00418EC4 . 6A 01 push 1 ; |Type = SOCK_STREAM
00418EC6 . 6A 02 push 2 ; |Family = AF_INET
00418EC8 . FF15 E0A54600 call dword ptr [<&ws2_32.socket>] ; \socket
00418ECE . A3 9C826500 mov dword ptr [65829C], eax
00418ED3 > 66:C785 18FAFFFF 0200 mov word ptr [ebp-5E8], 2
00418EDC . 68 AC836500 push 006583AC ; /ASCII "203.174.87.234"
00418EE1 . FF15 DCA54600 call dword ptr [<&ws2_32.inet_addr>] ; \inet_addr
00418EE7 . 8985 1CFAFFFF mov dword ptr [ebp-5E4], eax
00418EED . 66:8B0D 38105D00 mov cx, word ptr [5D1038]
00418EF4 . 51 push ecx ; /NetShort
00418EF5 . FF15 E8A54600 call dword ptr [<&ws2_32.htons>] ; \ntohs
00418EFB . 66:8985 1AFAFFFF mov word ptr [ebp-5E6], ax
00418F02 . 6A 10 push 10 ; /AddrLen = 10 (16.)
00418F04 . 8D95 18FAFFFF lea edx, dword ptr [ebp-5E8] ; |
00418F0A . 52 push edx ; |pSockAddr
00418F0B . A1 9C826500 mov eax, dword ptr [65829C] ; |
00418F10 . 50 push eax ; |Socket => 384
00418F11 . FF15 D0A54600 call dword ptr [<&ws2_32.connect>] ; \connect
00418F17 . 8985 58FEFFFF mov dword ptr [ebp-1A8], eax ; get server data
00418F1D . 83BD 58FEFFFF FF cmp dword ptr [ebp-1A8], -1 ; is the return value >= FFFFFFFF (-1)?
; if so, bail (communication failed)
00418F24 75 14 jnz short 00418F3A ; ★ so this one must jump! change to JMP ★
00418F26 . C705 3C105D00 0D000000 mov dword ptr [5D103C], 0D
00418F30 . E8 EB180100 call 0042A820
00418F35 . E9 5C0A0000 jmp 00419996
00418F3A > 6A 00 push 0 ; /Flags = 0
00418F3C . 6A 60 push 60 ; |DataSize = 60 (96.)
00418F3E . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C] ; |
00418F44 . 51 push ecx ; |Data
00418F45 . 8B15 9C826500 mov edx, dword ptr [65829C] ; |
00418F4B . 52 push edx ; |Socket => 384
00418F4C . FF15 D8A54600 call dword ptr [<&ws2_32.send>] ; \send
00418F52 . 8985 58FEFFFF mov dword ptr [ebp-1A8], eax ; get server data again
00418F58 . 83BD 58FEFFFF 60 cmp dword ptr [ebp-1A8], 60 ; is the return value <= 96?
; if so, bail (packet incorrect)
00418F5F 74 05 je short 00418F66 ; ★ so this one must jump! change to JMP ★
00418F61 . E9 300A0000 jmp 00419996
00418F66 > 6A 00 push 0 ; /Flags = 0
00418F68 . 6A 60 push 60 ; |BufSize = 60 (96.)
00418F6A . 8D85 74FFFFFF lea eax, dword ptr [ebp-8C] ; |
00418F70 . 50 push eax ; |Buffer
00418F71 . 8B0D 9C826500 mov ecx, dword ptr [65829C] ; |
00418F77 . 51 push ecx ; |Socket => 384
00418F78 . FF15 D4A54600 call dword ptr [<&ws2_32.recv>] ; \recv
00418F7E . 8985 58FEFFFF mov dword ptr [ebp-1A8], eax ; get server data again
00418F84 . 83BD 58FEFFFF 00 cmp dword ptr [ebp-1A8], 0 ; is the return value >= 0?
; if so, bail (packet incorrect)
00418F8B 75 05 jnz short 00418F92 ; ★ changing this one is optional; to be safe, change to JMP ★
00418F8D . E9 040A0000 jmp 00419996
00418F92 > 8B15 9C826500 mov edx, dword ptr [65829C] ; server communication ends
00418F98 . 52 push edx ; /Socket => 384
00418F99 . FF15 E4A54600 call dword ptr [<&ws2_32.closesocket>] ; \closesocket
00418F9F . 6A 01 push 1
00418FA1 . 6A 10 push 10
00418FA3 . 8D85 48FEFFFF lea eax, dword ptr [ebp-1B8]
00418FA9 . 50 push eax
00418FAA . 6A 60 push 60
00418FAC . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00418FB2 . 51 push ecx
00418FB3 . 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
00418FB9 . 52 push edx
00418FBA . E8 91310100 call 0042C150 ; check whether the server returned any data
00418FBF . 83C4 18 add esp, 18
00418FC2 . 75 04 jnz short 00418FC8 ; jumps if data was returned! (must jump)
00418FC4 . 74 02 je short 00418FC8
00418FC6 9A db 9A
00418FC7 E8 db E8
00418FC8 > 83BD 74FFFFFF 09 cmp dword ptr [ebp-8C], 9 ; check whether a newer version of the cheat is available
00418FCF . 0F85 A7000000 jnz 0041907C ; jumps if greater than or equal
; (change to JMP so that it does not auto-update)
00418FD5 . 6A 00 push 0
00418FD7 . 68 502E4800 push 00482E50
00418FDC . 68 082E4800 push 00482E08
00418FE1 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
00418FE7 . E8 CCF40300 call 004584B8
00418FEC . B9 11000000 mov ecx, 11
00418FF1 . 33C0 xor eax, eax
00418FF3 . 8DBD C0F9FFFF lea edi, dword ptr [ebp-640]
00418FF9 . F3:AB rep stos dword ptr es:[edi]
00418FFB . C785 C0F9FFFF 44000000 mov dword ptr [ebp-640], 44
00419005 . 33C0 xor eax, eax
00419007 . 8985 04FAFFFF mov dword ptr [ebp-5FC], eax
0041900D . 8985 08FAFFFF mov dword ptr [ebp-5F8], eax
00419013 . 8985 0CFAFFFF mov dword ptr [ebp-5F4], eax
00419019 . 8985 10FAFFFF mov dword ptr [ebp-5F0], eax
0041901F . 8D8D 04FAFFFF lea ecx, dword ptr [ebp-5FC]
00419025 . 51 push ecx ; /pProcessInfo
00419026 . 8D95 C0F9FFFF lea edx, dword ptr [ebp-640] ; |
0041902C . 52 push edx ; |pStartupInfo
0041902D . 6A 00 push 0 ; |CurrentDir = NULL
0041902F . 6A 00 push 0 ; |pEnvironment = NULL
00419031 . 6A 00 push 0 ; |CreationFlags = 0
00419033 . 6A 00 push 0 ; |InheritHandles = FALSE
00419035 . 6A 00 push 0 ; |pThreadSecurity = NULL
00419037 . 6A 00 push 0 ; |pProcessSecurity = NULL
00419039 . 68 E42D4800 push 00482DE4 ; |CommandLine = "explorer http://www.jtlover.net/"
0041903E . 6A 00 push 0 ; |ModuleFileName = NULL
00419040 . FF15 34A24600 call dword ptr [<&kernel32.CreateProces>; \CreateProcessA
00419046 . 85C0 test eax, eax
00419048 . 75 07 jnz short 00419051
0041904A . 6A 00 push 0
0041904C . E8 87C30100 call 004353D8
00419051 > 8B85 04FAFFFF mov eax, dword ptr [ebp-5FC]
00419057 . 50 push eax ; /hObject
00419058 . FF15 44A24600 call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
0041905E . 8B8D 08FAFFFF mov ecx, dword ptr [ebp-5F8]
00419064 . 51 push ecx ; /hObject
00419065 . FF15 44A24600 call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
0041906B . 8B95 74FFFFFF mov edx, dword ptr [ebp-8C]
00419071 . 8915 3C105D00 mov dword ptr [5D103C], edx
00419077 . E9 1A090000 jmp 00419996
0041907C > 75 04 jnz short 00419082
0041907E . 74 02 je short 00419082
00419080 9A db 9A
00419081 E8 db E8
00419082 > 83BD 74FFFFFF 00 cmp dword ptr [ebp-8C], 0 ; check whether the final verification result is <= 0
; if so, it is correct!
00419089 . 74 15 je short 004190A0 ; ★ so this one must jump! change to JMP ★
0041908B . 8B85 74FFFFFF mov eax, dword ptr [ebp-8C]
00419091 . A3 3C105D00 mov dword ptr [5D103C], eax
00419096 . E8 85170100 call 0042A820
0041909B . E9 F6080000 jmp 00419996
004190A0 > 8B4D CC mov ecx, dword ptr [ebp-34] ; from here on it starts controlling the program window and the config file
004190A3 . 890D C0836500 mov dword ptr [6583C0], ecx
004190A9 . C705 3C105D00 58000000 mov dword ptr [5D103C], 58
004190B3 . 68 F4030000 push 3F4
004190B8 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
004190BE . E8 25050400 call 004595E8
004190C3 . 8985 5CFEFFFF mov dword ptr [ebp-1A4], eax
004190C9 . 6A 00 push 0
004190CB . 8B8D 5CFEFFFF mov ecx, dword ptr [ebp-1A4]
004190D1 . E8 3E080400 call 00459914
004190D6 . 51 push ecx
004190D7 . 8BCC mov ecx, esp
004190D9 . 89A5 ACF9FFFF mov dword ptr [ebp-654], esp
004190DF . 68 DC2D4800 push 00482DDC ; ASCII "TIP2"
004190E4 . E8 8BD50300 call 00456674
004190E9 . 8985 94F9FFFF mov dword ptr [ebp-66C], eax
004190EF . 8B95 94F9FFFF mov edx, dword ptr [ebp-66C]
004190F5 . 8995 90F9FFFF mov dword ptr [ebp-670], edx
004190FB . C745 FC 00000000 mov dword ptr [ebp-4], 0
00419102 . 51 push ecx
00419103 . 8BCC mov ecx, esp
00419105 . 89A5 A8F9FFFF mov dword ptr [ebp-658], esp
0041910B . 68 D42D4800 push 00482DD4 ; ASCII "Dialog1"
00419110 . E8 5FD50300 call 00456674
00419115 . 8985 8CF9FFFF mov dword ptr [ebp-674], eax ; |
0041911B . 8D85 A4F9FFFF lea eax, dword ptr [ebp-65C] ; |
00419121 . 50 push eax ; |Arg1
00419122 . B9 04156500 mov ecx, 00651504 ; |
00419127 . C745 FC FFFFFFFF mov dword ptr [ebp-4], -1 ; |
0041912E . E8 DD610000 call 0041F310 ; \jtbl.0041F310
00419133 . 8985 88F9FFFF mov dword ptr [ebp-678], eax
00419139 . 8B8D 88F9FFFF mov ecx, dword ptr [ebp-678]
0041913F . 898D A0F9FFFF mov dword ptr [ebp-660], ecx
00419145 . C745 FC 01000000 mov dword ptr [ebp-4], 1
0041914C . 8B95 A0F9FFFF mov edx, dword ptr [ebp-660]
00419152 . 8B02 mov eax, dword ptr [edx]
00419154 . 8985 9CF9FFFF mov dword ptr [ebp-664], eax
0041915A . 8B8D 9CF9FFFF mov ecx, dword ptr [ebp-664]
00419160 . 51 push ecx
00419161 . 68 B5040000 push 4B5
00419166 . B9 C87A6500 mov ecx, 00657AC8
0041916B . E8 69050400 call 004596D9
00419170 . C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
00419177 . 8D8D A4F9FFFF lea ecx, dword ptr [ebp-65C]
0041917D . E8 84D40300 call 00456606
00419182 . 68 0000FF00 push 0FF0000
00419187 . B9 E8806500 mov ecx, 006580E8
0041918C . E8 FF4F0000 call 0041E190
00419191 . C645 D8 00 mov byte ptr [ebp-28], 0
00419195 . C645 D9 00 mov byte ptr [ebp-27], 0
00419199 . 33D2 xor edx, edx
0041919B . 8955 DA mov dword ptr [ebp-26], edx
0041919E . 8955 DE mov dword ptr [ebp-22], edx
004191A1 . 8955 E2 mov dword ptr [ebp-1E], edx
004191A4 . 8955 E6 mov dword ptr [ebp-1A], edx
004191A7 . 8955 EA mov dword ptr [ebp-16], edx
004191AA . 66:8955 EE mov word ptr [ebp-12], dx
004191AE . 8855 F0 mov byte ptr [ebp-10], dl
004191B1 . 6A 18 push 18 ; /Arg3 = 00000018
004191B3 . 8D45 D8 lea eax, dword ptr [ebp-28] ; |
004191B6 . 50 push eax ; |Arg2
004191B7 . 68 05040000 push 405 ; |Arg1 = 00000405
004191BC . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668] ; |
004191C2 . E8 AB040400 call 00459672 ; \jtbl.00459672
004191C7 . 68 382D4800 push 00482D38 ; /FileName = ".\Setting\config.ini"
004191CC . 8D4D D8 lea ecx, dword ptr [ebp-28] ; |
004191CF . 51 push ecx ; |String
004191D0 . 68 182D4800 push 00482D18 ; |Key = "Account"
004191D5 . 68 282D4800 push 00482D28 ; |Section = "Config"
004191DA . FF15 48A24600 call dword ptr [<&kernel32.WritePrivate>; \WritePrivateProfileStringA
004191E0 . C685 70FEFFFF 00 mov byte ptr [ebp-190], 0
004191E7 . C685 71FEFFFF 00 mov byte ptr [ebp-18F], 0
004191EE . B9 40000000 mov ecx, 40
004191F3 . 33C0 xor eax, eax
004191F5 . 8DBD 72FEFFFF lea edi, dword ptr [ebp-18E]
004191FB . F3:AB rep stos dword ptr es:[edi]
004191FD . 66:AB stos word ptr es:[edi]
004191FF . C745 D4 00000000 mov dword ptr [ebp-2C], 0
00419206 . 68 04010000 push 104 ; /BufSize = 104 (260.)
0041920B . 8D95 70FEFFFF lea edx, dword ptr [ebp-190] ; |
00419211 . 52 push edx ; |PathBuffer
00419212 . 6A 00 push 0 ; |hModule = NULL
00419214 . FF15 ECA14600 call dword ptr [<&kernel32.GetModuleFil>; \GetModuleFileNameA
0041921A . 8DBD 70FEFFFF lea edi, dword ptr [ebp-190]
00419220 . 83C9 FF or ecx, FFFFFFFF
00419223 . 33C0 xor eax, eax
00419225 . F2:AE repne scas byte ptr es:[edi]
00419227 . F7D1 not ecx
00419229 . 83C1 FE add ecx, -2
0041922C . 894D D4 mov dword ptr [ebp-2C], ecx
0041922F > 8B45 D4 mov eax, dword ptr [ebp-2C]
00419232 . 0FBE8C05 70FEFFFF movsx ecx, byte ptr [ebp+eax-190]
0041923A . 83F9 5C cmp ecx, 5C
0041923D . 74 16 je short 00419255
0041923F . 8B55 D4 mov edx, dword ptr [ebp-2C]
00419242 . C68415 70FEFFFF 00 mov byte ptr [ebp+edx-190], 0
0041924A . 8B45 D4 mov eax, dword ptr [ebp-2C]
0041924D . 83E8 01 sub eax, 1
00419250 . 8945 D4 mov dword ptr [ebp-2C], eax
00419253 .^ EB DA jmp short 0041922F
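
Every bypass in the listing above is the same edit: a conditional jump (JE/JNZ) after a local comparison is rewritten as an unconditional JMP, so the verdict never depends on what the server actually returned. From the defender's side that edit is also easy to spot: it changes one or two opcode bytes at a fixed offset, so a diff of the shipped binary against a known-good build reveals it. The script below is an added example, written for this page and not code from the original write-up or from the program it analyzes. It diffs a clean copy of a code section against a suspect copy, groups the differing byte runs, and labels runs where a short (7x rel8) or near (0F 8x rel32) conditional jump became EB/E9. The byte strings, the load address BASE_VA and the function names are all constructed for the example; they are not bytes or addresses taken from the program discussed above.

```python
"""
Added example, not part of the original write-up: a small tamper-audit script
that diffs a clean copy of a binary's code bytes against a suspect copy and
flags a conditional jump (JE/JNZ) rewritten as an unconditional JMP, the edit
the analysis above applies at several points.

All data below is constructed for illustration: the byte strings are
hand-built stand-ins for a few instructions in a .text section, not bytes
taken from the program discussed on the page, and BASE_VA is an assumed
load address used only to report addresses.
"""
from typing import Dict, List, Optional, Tuple

SHORT_JCC = range(0x70, 0x80)   # 7x rel8: short conditional jumps (74 = JE, 75 = JNZ)
SHORT_JMP = 0xEB                # EB rel8: short unconditional jump
NEAR_JCC_PREFIX = 0x0F          # 0F 8x rel32: near conditional jumps
NEAR_JMP = 0xE9                 # E9 rel32: near unconditional jump
BASE_VA = 0x00401000            # assumed address of the first sample byte

# Constructed "clean" bytes: cmp / jnz short / mov imm32 / jnz near / je short / 2 x nop
ORIGINAL = bytes.fromhex(
    "83 bd 58 fe ff ff ff"           # cmp dword ptr [ebp-1A8], -1
    "75 14"                          # jnz short +0x14
    "c7 05 3c 10 5d 00 0d 00 00 00"  # mov dword ptr [5D103C], 0D
    "0f 85 a7 00 00 00"              # jnz near +0xA7
    "74 15"                          # je short +0x15
    "90 90"                          # nop; nop
)
# Constructed "suspect" copy: both short Jccs and the near Jcc forced to JMP,
# plus one unrelated immediate changed (0D -> 00) to show a non-jump finding.
PATCHED = bytes.fromhex(
    "83 bd 58 fe ff ff ff"
    "eb 14"
    "c7 05 3c 10 5d 00 00 00 00 00"
    "e9 a8 00 00 00 90"
    "eb 15"
    "90 90"
)


def classify_rewrite(orig: bytes, patched: bytes) -> Tuple[Optional[str], int]:
    """Label a Jcc -> JMP rewrite starting at byte 0, returning (label, instruction length)."""
    if len(orig) >= 2 and orig[0] in SHORT_JCC and patched[0] == SHORT_JMP:
        return "short Jcc %02X -> JMP rel8 (EB)" % orig[0], 2
    if (len(orig) >= 6 and orig[0] == NEAR_JCC_PREFIX
            and 0x80 <= orig[1] <= 0x8F and patched[0] == NEAR_JMP):
        return "near Jcc 0F %02X -> JMP rel32 (E9)" % orig[1], 6
    return None, 0


def audit(original: bytes, suspect: bytes, base_va: int = BASE_VA) -> List[Dict]:
    """Group differing byte runs and annotate those that look like forced jumps."""
    if len(original) != len(suspect):
        raise ValueError("images differ in size; diff per section instead")
    findings = []
    i = 0
    while i < len(original):
        if original[i] == suspect[i]:
            i += 1
            continue
        start = i
        while i < len(original) and original[i] != suspect[i]:
            i += 1
        # A forced jump may leave part of the displacement unchanged, so classify
        # from the start of the run and widen the run to the whole instruction.
        kind, ilen = classify_rewrite(original[start:start + 6], suspect[start:start + 6])
        end = max(i, start + ilen)
        findings.append({
            "va": base_va + start,
            "orig": original[start:end].hex(" "),
            "new": suspect[start:end].hex(" "),
            "kind": kind or "other byte change",
        })
        i = end
    return findings


def count_forced_jumps(findings: List[Dict]) -> int:
    """Number of findings that are conditional-to-unconditional jump rewrites."""
    return sum(1 for f in findings if f["kind"] != "other byte change")


def format_report(findings: List[Dict]) -> str:
    """One line per finding: address, classification, old bytes -> new bytes."""
    return "\n".join("%08X  %-32s  %s -> %s" % (f["va"], f["kind"], f["orig"], f["new"])
                     for f in findings)


if __name__ == "__main__":
    result = audit(ORIGINAL, PATCHED)
    print(format_report(result))
    print("forced jumps:", count_forced_jumps(result))
```

Run against real files, `ORIGINAL` and `PATCHED` would be the raw bytes of the same section read from a known-good build and from the suspect binary (the two must be the same size, otherwise compare section by section). The classifier looks only at the opcode bytes, so a rewrite that also re-encodes the displacement, as the constructed near-jump sample does, is still reported as one finding covering the whole instruction.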

