无壳页游辅助破解,输入错的不会出现新弹窗
本帖最后由 114699115 于 2023-7-27 13:59 编辑看了很多的前辈们写的文章,以及很多的破解过程。然后感觉自己也会了,就去试了一下。结果是不尽人意的。
刚开始,对这个exe文件进行查壳的基本操作,用的工具是Exeinfo PE看了一下结果,是没有壳的。
第二步就直接用OD查看了看起来没什么不正常的,然后用智能搜索查看关键词。他这个登录是需要联网的,然后显示登录失败。搜索关键词登陆失败查不到,然后我又去网上查找可能是因为字符串给掩盖啥的。但是在点击登录的时候会先显示一个登录ing,请稍后的字眼。这个关键字却能找到点进去了然后看了一些帖子说要找一大跳过,这里看了一天感觉晕乎乎的,感觉自己天分有限。然后我找到了一大跳过je开头的,然后我用nop填充,但是保存运行的时候却没有变化的感觉。而且我点这里面的运行,那个软件还有时候卡机,很奇怪还是没有破解成功,不知道哪个步骤出了问题,感觉就是OD那一块还是有些不太懂。
软件下载地址链接:https://pan.baidu.com/s/1R7sXne7idNbU9pTGoUR5Jg?pwd=ifeb
提取码:ifeb
这个MessageBoxA静态分析,我看来一下其他文章,但是这个辅助在登录错误的情况下不会弹出窗口就说明这个方法用不了,但是又没有看见其他的方法。确实是无壳的,可以直接看到C++的代码,太折磨了。我都每一步都按照其他文章的,但是有些就是不一样,没法到最后。 if ( sub_569331(v3, "Button") || sub_569331(v5, "偏好设置") )
{
v43 = (CWnd *)((char *)this + 1384);
CWnd::SetWindowTextA((CWnd *)((char *)this + 1384), aIng);
CWnd::GetWindowTextA((char *)this + 216);
CWnd::GetWindowTextA((char *)this + 220);
SetMachineMode(1);
v19 = SignOn(*((_DWORD *)this + 54), *((_DWORD *)this + 55));
*((_DWORD *)this + 53) = v19;
if ( v19 == 1 )
{
*((_DWORD *)this + 53) = sub_402300((char *)this + 224);
_time64(&Time);
v20 = sub_402650((char *)this + 224, "%d-%d-%d", (char)ArgList);
if ( v20 == -1 )
{
v21 = -1i64;
}
else
{
v39 = 23;
v39 = *(_DWORD *)ArgList - 1900;
v39 = 59;
v39 = v47 - 1;
v39 = (int)v45;
v39 = 59;
LODWORD(v21) = sub_565EAC(v39);
}
if ( v21 <= Time )
{
CWnd::SetWindowTextA((CWnd *)((char *)this + 1384), "验证未通过");
}
这里是你要的嘛 本帖最后由 situhaonan 于 2023-7-26 15:44 编辑
就从这里“登录ing” 下个断点,然后开始往下跟,发现跳到错误的地方 就给它NOP掉。直到成功 int __thiscall sub_408030(CWnd *this)
{
int v2; // ecx
int v3; // esi
int v4; // ecx
int v5; // edi
int v6; // eax
void **v7; // eax
_DWORD *v8; // ecx
char *v9; // edx
volatile signed __int32 *v10; // esi
int v11; // eax
_DWORD *v12; // edx
int v13; // ecx
int v14; // eax
int v15; // eax
_DWORD *v16; // edx
volatile signed __int32 *v17; // edi
int v18; // eax
int v19; // eax
int v20; // eax
__time64_t v21; // rax
int v22; // eax
const char **v23; // eax
_DWORD *v24; // edx
_DWORD *v25; // edx
_DWORD *v26; // eax
_DWORD *v27; // edx
volatile signed __int32 *v28; // edx
void *v29; // eax
CWnd *v30; // eax
HWND v31; // eax
struct CWnd *v32; // eax
const char *v33; // ebx
volatile signed __int32 *v34; // edi
int result; // eax
volatile signed __int32 *v36; // esi
int v37; //
int v38; //
int v39; // BYREF
struct tagRECT Rect; // BYREF
int v41; //
int v42; //
CWnd *v43; // BYREF
__time64_t Time; // BYREF
_DWORD *v45; //
char ArgList; // BYREF
int v47; // BYREF
int v48; //
*(_DWORD *)ArgList = 0;
Rect = 0i64;
v2 = sub_412F35();
if ( !v2 )
sub_402FE0(-2147467259);
v3 = (*(int (__thiscall **)(int))(*(_DWORD *)v2 + 12))(v2) + 16;
v42 = v3;
v48 = 0;
v4 = sub_412F35();
if ( !v4 )
sub_402FE0(-2147467259);
v5 = (*(int (__thiscall **)(int))(*(_DWORD *)v4 + 12))(v4) + 16;
v41 = v5;
LOBYTE(v48) = 1;
GetWindowRect(*((HWND *)this + 8), &Rect);
v6 = GetSystemMetrics(16);
COleDispatchDriver::InvokeHelper(
(COleDispatchDriver *)&unk_5F0488,
60,
1u,
3u,
&v43,
&byte_5E5BB8,
(v6 - (Rect.right - Rect.left)) / 2 + 350,
15);
v7 = (void **)sub_407A70((COleDispatchDriver *)&unk_5F0488, &v47, v43);
LOBYTE(v48) = 2;
v8 = (_DWORD *)(v3 - 16);
v9 = (char *)*v7;
v45 = (_DWORD *)(v3 - 16);
HIDWORD(Time) = v9 - 16;
if ( v9 - 16 != (char *)(v3 - 16) )
{
v10 = v8 + 3;
if ( (int)v8 >= 0 && *((_DWORD *)v9 - 4) == *v8 )
{
v11 = sub_403F30(HIDWORD(Time));
HIDWORD(Time) = v11;
if ( _InterlockedDecrement(v10) <= 0 )
{
(*(void (__thiscall **)(_DWORD, _DWORD *))(*(_DWORD *)*v45 + 4))(*v45, v45);
v11 = HIDWORD(Time);
}
v3 = v11 + 16;
v42 = v11 + 16;
}
else
{
sub_4052D0(v9, *((_DWORD *)v9 - 3));
v3 = v42;
}
}
LOBYTE(v48) = 1;
v12 = (_DWORD *)(v47 - 16);
if ( _InterlockedDecrement((volatile signed __int32 *)(v47 - 16 + 12)) <= 0 )
(*(void (__thiscall **)(_DWORD, _DWORD *))(*(_DWORD *)*v12 + 4))(*v12, v12);
LOBYTE(v48) = 3;
HIDWORD(Time) = 0;
v13 = sub_412F35();
if ( !v13 )
sub_402FE0(-2147467259);
v14 = (*(int (__thiscall **)(int))(*(_DWORD *)v13 + 12))(v13);
*(_DWORD *)ArgList = 1;
HIDWORD(Time) = v14 + 16;
COleDispatchDriver::InvokeHelper((COleDispatchDriver *)&unk_5F0488, 68, 1u, 8u, (char *)&Time + 4, &byte_5E5BB4, v43);
v15 = HIDWORD(Time);
v16 = (_DWORD *)(v5 - 16);
v45 = (_DWORD *)(v5 - 16);
v47 = HIDWORD(Time) - 16;
if ( HIDWORD(Time) - 16 != v5 - 16 )
{
v17 = v16 + 3;
if ( (int)v16 >= 0 && *(_DWORD *)(HIDWORD(Time) - 16) == *v16 )
{
v18 = sub_403F30(v47);
v47 = v18;
if ( _InterlockedDecrement(v17) <= 0 )
{
(*(void (__thiscall **)(_DWORD, _DWORD *))(*(_DWORD *)*v45 + 4))(*v45, v45);
v18 = v47;
}
v5 = v18 + 16;
v41 = v18 + 16;
}
else
{
sub_4052D0((void *)HIDWORD(Time), *(_DWORD *)(HIDWORD(Time) - 12));
v5 = v41;
}
v15 = HIDWORD(Time);
}
LOBYTE(v48) = 1;
if ( _InterlockedDecrement((volatile signed __int32 *)(v15 - 16 + 12)) <= 0 )
(*(void (__thiscall **)(_DWORD, int))(**(_DWORD **)(v15 - 16) + 4))(*(_DWORD *)(v15 - 16), v15 - 16);
if ( sub_569331(v3, "Button") || sub_569331(v5, "偏好设置") )
{
v43 = (CWnd *)((char *)this + 1384);
CWnd::SetWindowTextA((CWnd *)((char *)this + 1384), aIng);
CWnd::GetWindowTextA((char *)this + 216);
CWnd::GetWindowTextA((char *)this + 220);
SetMachineMode(1);
v19 = SignOn(*((_DWORD *)this + 54), *((_DWORD *)this + 55));
*((_DWORD *)this + 53) = v19;
if ( v19 == 1 )
{
*((_DWORD *)this + 53) = sub_402300((char *)this + 224);
_time64(&Time);
v20 = sub_402650((char *)this + 224, "%d-%d-%d", (char)ArgList);
if ( v20 == -1 )
{
v21 = -1i64;
}
else
{
v39 = 23;
v39 = *(_DWORD *)ArgList - 1900;
v39 = 59;
v39 = v47 - 1;
v39 = (int)v45;
v39 = 59;
LODWORD(v21) = sub_565EAC(v39);
}
if ( v21 <= Time )
{
CWnd::SetWindowTextA((CWnd *)((char *)this + 1384), "验证未通过");
}
else
{
v22 = sub_408F80((char *)this + 224);
LOBYTE(v48) = 4;
v23 = (const char **)sub_4074D0(ArgList, &unk_5C12F8, v22);
LOBYTE(v48) = 5;
CWnd::SetWindowTextA((CWnd *)((char *)this + 1384), *v23);
LOBYTE(v48) = 4;
v24 = (_DWORD *)(*(_DWORD *)ArgList - 16);
if ( _InterlockedDecrement((volatile signed __int32 *)(*(_DWORD *)ArgList - 16 + 12)) <= 0 )
(*(void (__thiscall **)(_DWORD, _DWORD *))(*(_DWORD *)*v24 + 4))(*v24, v24);
LOBYTE(v48) = 1;
v25 = (_DWORD *)(v47 - 16);
if ( _InterlockedDecrement((volatile signed __int32 *)(v47 - 16 + 12)) <= 0 )
(*(void (__thiscall **)(_DWORD, _DWORD *))(*(_DWORD *)*v25 + 4))(*v25, v25);
COleDispatchDriver::InvokeHelper(
(COleDispatchDriver *)&unk_5F0488,
216,
1u,
3u,
ArgList,
&byte_5E5BA0,
"DengLu",
"ZhangHao",
*((_DWORD *)this + 54),
"C:\\1790418057\\巨浪\\配置文件.ini");
v37 = *((_DWORD *)this + 55);
*((_DWORD *)this + 248) = *(_DWORD *)ArgList;
COleDispatchDriver::InvokeHelper(
(COleDispatchDriver *)&unk_5F0488,
216,
1u,
3u,
ArgList,
&byte_5E5BA0,
"DengLu",
"MiMa",
v37,
"C:\\1790418057\\巨浪\\配置文件.ini");
*((_DWORD *)this + 248) = *(_DWORD *)ArgList;
v26 = (_DWORD *)sub_408F80((char *)this + 224);
LOBYTE(v48) = 6;
COleDispatchDriver::InvokeHelper(
(COleDispatchDriver *)&unk_5F0488,
216,
1u,
3u,
&v47,
&byte_5E5BA0,
"DengLu",
"DaoQiShiJian",
*v26,
"C:\\1790418057\\巨浪\\配置文件.ini");
LOBYTE(v48) = 1;
v27 = v45;
*((_DWORD *)this + 248) = v47;
v28 = v27 - 4;
if ( _InterlockedDecrement(v28 + 3) <= 0 )
(*(void (__thiscall **)(volatile signed __int32, volatile signed __int32 *))(**(_DWORD **)v28 + 4))(*v28, v28);
v29 = operator new(0x500u);
*(_DWORD *)ArgList = v29;
LOBYTE(v48) = 7;
if ( v29 )
{
memset(v29, 0, 0x500u);
v30 = (CWnd *)sub_405700(v38);
}
else
{
v30 = 0;
}
LOBYTE(v48) = 1;
dword_5EE338 = v30;
v31 = GetDesktopWindow();
v32 = CWnd::FromHandle(v31);
(*(void (__thiscall **)(CWnd *, int, struct CWnd *))(*(_DWORD *)dword_5EE338 + 356))(dword_5EE338, 137, v32);
CWnd::ShowWindow(dword_5EE338, 5);
CWnd::ShowWindow(this, 0);
CWnd::ModifyStyleEx(this, 0x40000u, 0x80u, 0);
}
}
if ( !*((_DWORD *)this + 53) )
{
v33 = (char *)this + 734;
GetLastErrorInfo(v33, 255);
CWnd::SetWindowTextA(v43, v33);
}
}
else
{
MessageBoxA(0, Text, "登录失败", 0);
}
LOBYTE(v48) = 0;
v34 = (volatile signed __int32 *)(v5 - 16);
result = _InterlockedDecrement(v34 + 3);
if ( result <= 0 )
result = (*(int (__thiscall **)(volatile signed __int32, volatile signed __int32 *))(**(_DWORD **)v34 + 4))(
*v34,
v34);
v48 = -1;
v36 = (volatile signed __int32 *)(v3 - 16);
if ( _InterlockedDecrement(v36 + 3) <= 0 )
result = (*(int (__thiscall **)(volatile signed __int32, volatile signed __int32 *))(**(_DWORD **)v36 + 4))(
*v36,
v36);
return result;
} TobyLee 发表于 2023-7-25 11:51
if ( sub_569331(v3, "Button") || sub_569331(v5, "偏好设置") )
{
v43 = (CWnd *)((char *)this...
好像是这个,但是我大学学的是Python,C++就一丢丢皮毛,理论好像就是你这个,你是破解的吗,还是说本来就有源代码啥的。那需要怎么样去处理才能用这个软件呀 114699115 发表于 2023-7-25 12:00
好像是这个,但是我大学学的是Python,C++就一丢丢皮毛,理论好像就是你这个,你是破解的吗,还是说本来 ...
这个ida静态分析下试试 TobyLee 发表于 2023-7-25 12:13
这个ida静态分析下试试
https://attach.52pojie.cn//forum/202307/25/132054dp2hlpddliwzn2dc.png?l这个MessageBoxA静态分析,我看来一下其他文章,但是这个辅助在登录错误的情况下不会弹出窗口就说明这个方法用不了,但是又没有看见其他的方法。确实是无壳的,可以直接看到C++的代码
situhaonan 发表于 2023-7-26 15:37
就从这里“登录ing” 下个断点,然后开始往下跟,发现跳到错误的地方 就给它NOP掉。直到成功
但是为什么我下了断点慢慢跟,但是nop掉之后他就闪退停止运行了就要重新弄
situhaonan 发表于 2023-7-26 15:37
就从这里“登录ing” 下个断点,然后开始往下跟,发现跳到错误的地方 就给它NOP掉。直到成功
嗯么,感谢大佬,但是就是,我按照你的思路去破解了,结果就是这个软件啊,他似乎用不了,就好像是识别不了游戏窗口似的,没有任何反应,我感觉我弄的就挺少的了,然后我再看了看里面要改的地方,好像也没有了
页:
[1]