正在优化增强 并且加壳!!
陈晨 发表于 2018-1-8 16:53
正在优化增强 并且加壳!!
牛皮,不搞你了{:5_117:}
园崎未惠 发表于 2018-1-8 16:54
牛皮,不搞你了
等会儿你再下载新版本试试{:5_128:}
xiyiyou 发表于 2018-1-8 16:38
没游戏无法测试
求教程了学习
这是我分析的不知道对不对哦
第一步
0040A99A $55 push ebp ;登录
0040A99B .8BEC mov ebp,esp ;
0040A99D .81EC 20000000 sub esp,0x20
0040A9A3 .C745 FC 00000000 mov dword ptr ss:,0x0
0040A9AA .EB 10 jmp X3Xco0S7.0040A9BC
0040A9AC .56 4D 50 72 6F 74 65 63 74 20 62 65 67 69 6E 00 ascii "VMProtect begin",0
第二步
--------------------------------------------------------------------------------------------------------------------------
0040A87F|.56 4D 50 72 6F 74 65 63 74 20 62 65 67 69 6E 00 ascii "VMProtect begin",0
0040A88F|>68 00000000 push 0x0
0040A894|.BB 60514400 mov ebx,3Xco0S7.00445160
0040A899|.E8 1B830300 call 3Xco0S7.00442BB9
0040A89E|.83C4 04 add esp,0x4
0040A8A1|.6A FF push -0x1
0040A8A3|.6A 08 push 0x8
0040A8A5|.68 C08B0216 push 0x16028BC0
0040A8AA|.68 67540252 push 0x52025467
0040A8AF|.E8 17830300 call 3Xco0S7.00442BCB 这个CALL没跟过不知道是什么
0040A8B4|.83C4 10 add esp,0x10
0040A8B7|.8945 F4 mov ,eax
0040A8BA|.6A FF push -0x1
0040A8BC|.6A 08 push 0x8
0040A8BE|.68 BE8B0216 push 0x16028BBE
0040A8C3|.68 67540252 push 0x52025467
0040A8C8|.E8 FE820300 call 3Xco0S7.00442BCB 这2个CALL没跟过不知道是什么
0040A8CD|.83C4 10 add esp,0x10
0040A8D0|.8945 F0 mov ,eax
0040A8D3|.6A 01 push 0x1
0040A8D5|.8D45 F8 lea eax,
0040A8D8|.50 push eax
0040A8D9|.8D45 F0 lea eax,
0040A8DC|.50 push eax
0040A8DD|.8D45 F4 lea eax,
0040A8E0|.50 push eax
0040A8E1|.E8 B4000000 call 3Xco0S7. 0040A99A ;很明显这个CALL调用的是在字符串搜索帐号密码错误那里的段首
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
第三步 找合法
00416078/$55 push ebp ;合法地址一
00416079|.8BEC mov ebp,esp
0041607B|.81EC 20000000 sub esp,0x20
00416081|.C745 FC 00000000 mov ,0x0
00416088|.EB 10 jmp X3Xco0S7.0041609A
0041608A|.56 4D 50 72 6F 74 65 63 74 20 62 65 67 69 6E 00 ascii "VMProtect begin",0
------------------------------------------------------------------------------------------------------------------------------------
0041656B $55 push ebp ;合法地址二
0041656C .8BEC mov ebp,esp
0041656E .81EC 84000000 sub esp,0x84
------------------------------------------------------------------------------------------------------------------------------------
第四部 暗桩
00405554/$55 push ebp
00405555|.8BEC mov ebp,esp
00405557|.81EC 1C000000 sub esp,0x1C
0040555D|.68 60000000 push 0x60
本地调用来自 004026BF, 004026CE, 00402732, 004104CF, 00416139, 0041629F, 00416436, 004196B2, 004197E8, 004198C8, 00419A58, 00419B10, 00419B7C, 00419C0E, 00421537, 00421549
一个一个跟
BF和CE在一起都不是
004026B9|. /0F84 05000000 je 3Xco0S7.004026C4
004026BF|. |E8 902E0000 call 3Xco0S7.00405554
004026C4|> \837D FC 01 cmp ,0x1
004026C8|.0F85 5A000000 jnz 3Xco0S7.00402728
004026CE|.E8 812E0000 call 3Xco0S7.00405554
004026D3|>817D FC 41010000 /cmp ,0x141
004026DA|.0F84 02000000 |je 3Xco0S7.004026E2
004026E0|.^ EB F1 \jmp X3Xco0S7.004026D3
004026E2|>E8 0E340000 call 3Xco0S7.00405AF5
00402732
0040272C|. /0F85 5A000000 jnz 3Xco0S7.0040278C
00402732|. |E8 1D2E0000 call 3Xco0S7.00405554
004104CF不是
0041629F疑似
00416290|. /74 0D je X3Xco0S7.0041629F
00416292|. |68 06000000 push 0x6
00416297|. |E8 11C90200 call 3Xco0S7.00442BAD
0041629C|. |83C4 04 add esp,0x4
0041629F|> \E8 B0F2FEFF call 3Xco0S7.00405554
00416436 疑似
00416427|. /74 0D je X3Xco0S7.00416436
00416429|. |68 06000000 push 0x6
0041642E|. |E8 7AC70200 call 3Xco0S7.00442BAD
00416433|. |83C4 04 add esp,0x4
00416436|> \E8 19F1FEFF call 3Xco0S7.00405554
004196B2疑似
00419698|. /0F85 14000000 |jnz 3Xco0S7.004196B2
0041969E|. |68 00000000 |push 0x0
004196A3|. |BB 60514400 |mov ebx,3Xco0S7.00445160
004196A8|. |E8 0C950200 |call 3Xco0S7.00442BB9
004196AD|. |83C4 04 |add esp,0x4
004196B0|.^|EB E2 \jmp X3Xco0S7.00419694
004196B2|> \E8 9DBEFEFF call 3Xco0S7.00405554
004197E8疑似
004197CE|. /0F85 14000000 |jnz 3Xco0S7.004197E8
004197D4|. |68 00000000 |push 0x0
004197D9|. |BB 60514400 |mov ebx,3Xco0S7.00445160
004197DE|. |E8 D6930200 |call 3Xco0S7.00442BB9
004197E3|. |83C4 04 |add esp,0x4
004197E6|.^|EB E2 \jmp X3Xco0S7.004197CA
004197E8|> \E8 67BDFEFF call 3Xco0S7.00405554
004198C8 疑似
004198AE|. /0F85 14000000 |jnz 3Xco0S7.004198C8
004198B4|. |68 00000000 |push 0x0
004198B9|. |BB 60514400 |mov ebx,3Xco0S7.00445160
004198BE|. |E8 F6920200 |call 3Xco0S7.00442BB9
004198C3|. |83C4 04 |add esp,0x4
004198C6|.^|EB E2 \jmp X3Xco0S7.004198AA
004198C8|> \E8 87BCFEFF call 3Xco0S7.00405554
00419A58疑似
00419A3E|. /0F85 14000000 |jnz 3Xco0S7.00419A58
00419A44|. |68 00000000 |push 0x0
00419A49|. |BB 60514400 |mov ebx,3Xco0S7.00445160
00419A4E|. |E8 66910200 |call 3Xco0S7.00442BB9
00419A53|. |83C4 04 |add esp,0x4
00419A56|.^|EB E2 \jmp X3Xco0S7.00419A3A
00419A58|> \E8 F7BAFEFF call 3Xco0S7.00405554
00419B10 疑似
00419AF6|. /0F85 14000000 |jnz 3Xco0S7.00419B10
00419AFC|. |68 00000000 |push 0x0
00419B01|. |BB 60514400 |mov ebx,3Xco0S7.00445160
00419B06|. |E8 AE900200 |call 3Xco0S7.00442BB9
00419B0B|. |83C4 04 |add esp,0x4
00419B0E|.^|EB E2 \jmp X3Xco0S7.00419AF2
00419B10|> \E8 3FBAFEFF call 3Xco0S7.00405554
00419B7C JE 直接跳走 00419BB4
00419B76|. /0F84 38000000 je 3Xco0S7.00419BB4
00419B7C|. |E8 D3B9FEFF call 3Xco0S7.00405554
00419C0E JGE 跳转 00419C41
00419C03|. /0F8D 38000000 jge 3Xco0S7.00419C41
00419C09|. |E8 E7BEFEFF call 3Xco0S7.00405AF5
00419C0E|. |E8 41B9FEFF call 3Xco0S7.00405554
00421537 JNZ条件跳转
00421531|. /0F85 05000000 |jnz 3Xco0S7.0042153C
00421537|. |E8 1840FEFF |call 3Xco0S7.00405554
0042153C|> \E8 820E0000 |call 3Xco0S7.004223C3
00421549JE跳转
00421543|. /0F84 05000000 |je 3Xco0S7.0042154E
00421549|. |E8 0640FEFF |call 3Xco0S7.00405554
0042154E|>^\E9 70FFFFFF \jmp 3Xco0S7.004214C3
--------------------------------------
蓝屏
共找到1处地址:
00405B85
段首为
00405B38/$55 push ebp
调用CALL
本地调用来自 00405AF8, 00417B8A
00417B8A段首
00417AFD/$55 push ebp
00405AF8 段首
00405AF5/$55 push ebp
00405AF6|.8BEC mov ebp,esp
00405AF8|.E8 3B000000 call 3Xco0S7.00405B38
----------------------
把作者整出来了?。。。。
陈晨 发表于 2018-1-8 16:53
正在优化增强 并且加壳!!
你是作者哈,尴尬了= =游戏数据获取失败,这是你写的暗桩还是没检测到游戏运行嘞(只是为了学技术,没别的)
@xiyiyou又一位大神出现
影风 发表于 2018-1-8 17:25
你是作者哈,尴尬了= =游戏数据获取失败,这是你写的暗桩还是没检测到游戏运行嘞(只是为了学技术,没别 ...
你进游戏试试有没有效果就知道了{:5_121:}
还有一处 XXX论坛的不知所谓的暗装
你确定是你的吗大兄弟