Post #56
Here is an article I found online about converting network verification into a local check; I hope it is of some help to you. I am a newbie myself and am currently learning about cracking.
[Network verification cracking] Converting a certain cheat's verification to local
【Title】: [Network verification cracking] Converting a certain cheat's verification to local
【Author】: KuNgBiM
【Author email】: kungbim@163.com
【Software name】: 惊天伴侣 2.2.5 Member Enhanced Edition (updated 26 March 2007)
【Software size】: 1.71 MB
【Download】: search for it yourself
【Packer】: ASProtect 2.1x SKE
【Protection】: network verification
【Language】: Microsoft Visual C++ 6.0
【Tools】: OllyICE
【Platform】: pirated, non-standard XP SP2
【Description】: helper tool for the large MMO 惊天动地, commonly called a "cheat" (外挂).
【Author's note】: just out of interest, no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
Since the packer on this program is a standard ASProtect 2.1x SKE and no code is stolen, for convenience unpack it first and then analyse...
After unpacking, load it into OllyICE for analysis. Because the program handles its key strings well, the string plugin is of no use.
So let's debug it with the usual approach, API function breakpoints.
Set the breakpoint from the command line: bpx closesocket
F9 to run; after entering the username and clicking "Login" it breaks here:
00418E79 . 6A 10 push 10 ; start of the cheat's network verification
00418E7B . 8D85 60FEFFFF lea eax, dword ptr [ebp-1A0] ; compute the game ID length
00418E81 . 50 push eax
00418E82 . 6A 60 push 60
00418E84 . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00418E8A . 51 push ecx
00418E8B . 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
00418E91 . 52 push edx
00418E92 . E8 B9320100 call 0042C150 ; check whether the cheat is already in a communicating state
00418E97 . 83C4 18 add esp, 18
00418E9A . 833D 9C826500 00 cmp dword ptr [65829C], 0
00418EA1 . 74 16 je short 00418EB9 ; jump if not yet communicating (ignore it)
00418EA3 . A1 9C826500 mov eax, dword ptr [65829C]
00418EA8 . 50 push eax ; /Socket => 384
00418EA9 . FF15 E4A54600 call dword ptr [<&ws2_32.closesocket>] ; \closesocket
00418EAF . C705 9C826500 00000000 mov dword ptr [65829C], 0
00418EB9 > 833D 9C826500 00 cmp dword ptr [65829C], 0
00418EC0 . 75 11 jnz short 00418ED3 ; if not yet communicating, prepare to fetch the verification server address
00418EC2 . 6A 00 push 0 ; /Protocol = IPPROTO_IP
00418EC4 . 6A 01 push 1 ; |Type = SOCK_STREAM
00418EC6 . 6A 02 push 2 ; |Family = AF_INET
00418EC8 . FF15 E0A54600 call dword ptr [<&ws2_32.socket>] ; \socket
00418ECE . A3 9C826500 mov dword ptr [65829C], eax
00418ED3 > 66:C785 18FAFFFF 0200 mov word ptr [ebp-5E8], 2
00418EDC . 68 AC836500 push 006583AC ; /ASCII "203.174.87.234"
00418EE1 . FF15 DCA54600 call dword ptr [<&ws2_32.inet_addr>] ; \inet_addr
00418EE7 . 8985 1CFAFFFF mov dword ptr [ebp-5E4], eax
00418EED . 66:8B0D 38105D00 mov cx, word ptr [5D1038]
00418EF4 . 51 push ecx ; /NetShort
00418EF5 . FF15 E8A54600 call dword ptr [<&ws2_32.htons>] ; \ntohs
00418EFB . 66:8985 1AFAFFFF mov word ptr [ebp-5E6], ax
00418F02 . 6A 10 push 10 ; /AddrLen = 10 (16.)
00418F04 . 8D95 18FAFFFF lea edx, dword ptr [ebp-5E8] ; |
00418F0A . 52 push edx ; |pSockAddr
00418F0B . A1 9C826500 mov eax, dword ptr [65829C] ; |
00418F10 . 50 push eax ; |Socket => 384
00418F11 . FF15 D0A54600 call dword ptr [<&ws2_32.connect>] ; \connect
00418F17 . 8985 58FEFFFF mov dword ptr [ebp-1A8], eax ; get server data
00418F1D . 83BD 58FEFFFF FF cmp dword ptr [ebp-1A8], -1 ; is the return value >= FFFFFFFF
; if so it dies (communication abnormal)
00418F24 75 14 jnz short 00418F3A ; ★so this must jump! change to JMP★
00418F26 . C705 3C105D00 0D000000 mov dword ptr [5D103C], 0D
00418F30 . E8 EB180100 call 0042A820
00418F35 . E9 5C0A0000 jmp 00419996
00418F3A > 6A 00 push 0 ; /Flags = 0
00418F3C . 6A 60 push 60 ; |DataSize = 60 (96.)
00418F3E . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C] ; |
00418F44 . 51 push ecx ; |Data
00418F45 . 8B15 9C826500 mov edx, dword ptr [65829C] ; |
00418F4B . 52 push edx ; |Socket => 384
00418F4C . FF15 D8A54600 call dword ptr [<&ws2_32.send>] ; \send
00418F52 . 8985 58FEFFFF mov dword ptr [ebp-1A8], eax ; get server data again
00418F58 . 83BD 58FEFFFF 60 cmp dword ptr [ebp-1A8], 60 ; is the return value <= 96
; if so it dies (bad packet)
00418F5F 74 05 je short 00418F66 ; ★so this must jump! change to JMP★
00418F61 . E9 300A0000 jmp 00419996
00418F66 > 6A 00 push 0 ; /Flags = 0
00418F68 . 6A 60 push 60 ; |BufSize = 60 (96.)
00418F6A . 8D85 74FFFFFF lea eax, dword ptr [ebp-8C] ; |
00418F70 . 50 push eax ; |Buffer
00418F71 . 8B0D 9C826500 mov ecx, dword ptr [65829C] ; |
00418F77 . 51 push ecx ; |Socket => 384
00418F78 . FF15 D4A54600 call dword ptr [<&ws2_32.recv>] ; \recv
00418F7E . 8985 58FEFFFF mov dword ptr [ebp-1A8], eax ; get server data again
00418F84 . 83BD 58FEFFFF 00 cmp dword ptr [ebp-1A8], 0 ; is the return value >= 0
; if so it dies (bad packet)
00418F8B 75 05 jnz short 00418F92 ; ★this one can be changed or left alone; to be safe change it to JMP★
00418F8D . E9 040A0000 jmp 00419996
00418F92 > 8B15 9C826500 mov edx, dword ptr [65829C] ; server communication ends
00418F98 . 52 push edx ; /Socket => 384
00418F99 . FF15 E4A54600 call dword ptr [<&ws2_32.closesocket>] ; \closesocket
00418F9F . 6A 01 push 1
00418FA1 . 6A 10 push 10
00418FA3 . 8D85 48FEFFFF lea eax, dword ptr [ebp-1B8]
00418FA9 . 50 push eax
00418FAA . 6A 60 push 60
00418FAC . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
00418FB2 . 51 push ecx
00418FB3 . 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
00418FB9 . 52 push edx
00418FBA . E8 91310100 call 0042C150 ; check whether the server returned any data
00418FBF . 83C4 18 add esp, 18
00418FC2 . 75 04 jnz short 00418FC8 ; jump if data was returned! (must jump)
00418FC4 . 74 02 je short 00418FC8
00418FC6 9A db 9A
00418FC7 E8 db E8
00418FC8 > 83BD 74FFFFFF 09 cmp dword ptr [ebp-8C], 9 ; check whether a newer version of the cheat exists
00418FCF . 0F85 A7000000 jnz 0041907C ; jump if >=
; (change to JMP so it does not auto-update)
00418FD5 . 6A 00 push 0
00418FD7 . 68 502E4800 push 00482E50
00418FDC . 68 082E4800 push 00482E08
00418FE1 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
00418FE7 . E8 CCF40300 call 004584B8
00418FEC . B9 11000000 mov ecx, 11
00418FF1 . 33C0 xor eax, eax
00418FF3 . 8DBD C0F9FFFF lea edi, dword ptr [ebp-640]
00418FF9 . F3:AB rep stos dword ptr es:[edi]
00418FFB . C785 C0F9FFFF 44000000 mov dword ptr [ebp-640], 44
00419005 . 33C0 xor eax, eax
00419007 . 8985 04FAFFFF mov dword ptr [ebp-5FC], eax
0041900D . 8985 08FAFFFF mov dword ptr [ebp-5F8], eax
00419013 . 8985 0CFAFFFF mov dword ptr [ebp-5F4], eax
00419019 . 8985 10FAFFFF mov dword ptr [ebp-5F0], eax
0041901F . 8D8D 04FAFFFF lea ecx, dword ptr [ebp-5FC]
00419025 . 51 push ecx ; /pProcessInfo
00419026 . 8D95 C0F9FFFF lea edx, dword ptr [ebp-640] ; |
0041902C . 52 push edx ; |pStartupInfo
0041902D . 6A 00 push 0 ; |CurrentDir = NULL
0041902F . 6A 00 push 0 ; |pEnvironment = NULL
00419031 . 6A 00 push 0 ; |CreationFlags = 0
00419033 . 6A 00 push 0 ; |InheritHandles = FALSE
00419035 . 6A 00 push 0 ; |pThreadSecurity = NULL
00419037 . 6A 00 push 0 ; |pProcessSecurity = NULL
00419039 . 68 E42D4800 push 00482DE4 ; |CommandLine = "explorer
1bbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3A6@1L8r3!0$3k6i4u0Q4x3X3g2F1k6i4c8Q4x3V1j5`.";
0041903E . 6A 00 push 0 ; |ModuleFileName = NULL
00419040 . FF15 34A24600 call dword ptr [<&kernel32.CreateProces>; \CreateProcessA
00419046 . 85C0 test eax, eax
00419048 . 75 07 jnz short 00419051
0041904A . 6A 00 push 0
0041904C . E8 87C30100 call 004353D8
00419051 > 8B85 04FAFFFF mov eax, dword ptr [ebp-5FC]
00419057 . 50 push eax ; /hObject
00419058 . FF15 44A24600 call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
0041905E . 8B8D 08FAFFFF mov ecx, dword ptr [ebp-5F8]
00419064 . 51 push ecx ; /hObject
00419065 . FF15 44A24600 call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
0041906B . 8B95 74FFFFFF mov edx, dword ptr [ebp-8C]
00419071 . 8915 3C105D00 mov dword ptr [5D103C], edx
00419077 . E9 1A090000 jmp 00419996
0041907C > 75 04 jnz short 00419082
0041907E . 74 02 je short 00419082
00419080 9A db 9A
00419081 E8 db E8
00419082 > 83BD 74FFFFFF 00 cmp dword ptr [ebp-8C], 0 ; check whether the final verification result is <= 0
; if so, correct!
00419089 . 74 15 je short 004190A0 ; ★so this must jump! change to JMP★
0041908B . 8B85 74FFFFFF mov eax, dword ptr [ebp-8C]
00419091 . A3 3C105D00 mov dword ptr [5D103C], eax
00419096 . E8 85170100 call 0042A820
0041909B . E9 F6080000 jmp 00419996
004190A0 > 8B4D CC mov ecx, dword ptr [ebp-34] ; from here on it starts controlling the program window and the config files
004190A3 . 890D C0836500 mov dword ptr [6583C0], ecx
004190A9 . C705 3C105D00 58000000 mov dword ptr [5D103C], 58
004190B3 . 68 F4030000 push 3F4
004190B8 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
004190BE . E8 25050400 call 004595E8
004190C3 . 8985 5CFEFFFF mov dword ptr [ebp-1A4], eax
004190C9 . 6A 00 push 0
004190CB . 8B8D 5CFEFFFF mov ecx, dword ptr [ebp-1A4]
004190D1 . E8 3E080400 call 00459914
004190D6 . 51 push ecx
004190D7 . 8BCC mov ecx, esp
004190D9 . 89A5 ACF9FFFF mov dword ptr [ebp-654], esp
004190DF . 68 DC2D4800 push 00482DDC ; ASCII "TIP2"
004190E4 . E8 8BD50300 call 00456674
004190E9 . 8985 94F9FFFF mov dword ptr [ebp-66C], eax
004190EF . 8B95 94F9FFFF mov edx, dword ptr [ebp-66C]
004190F5 . 8995 90F9FFFF mov dword ptr [ebp-670], edx
004190FB . C745 FC 00000000 mov dword ptr [ebp-4], 0
00419102 . 51 push ecx
00419103 . 8BCC mov ecx, esp
00419105 . 89A5 A8F9FFFF mov dword ptr [ebp-658], esp
0041910B . 68 D42D4800 push 00482DD4 ; ASCII "Dialog1"
00419110 . E8 5FD50300 call 00456674
00419115 . 8985 8CF9FFFF mov dword ptr [ebp-674], eax ; |
0041911B . 8D85 A4F9FFFF lea eax, dword ptr [ebp-65C] ; |
00419121 . 50 push eax ; |Arg1
00419122 . B9 04156500 mov ecx, 00651504 ; |
00419127 . C745 FC FFFFFFFF mov dword ptr [ebp-4], -1 ; |
0041912E . E8 DD610000 call 0041F310 ; \jtbl.0041F310
00419133 . 8985 88F9FFFF mov dword ptr [ebp-678], eax
00419139 . 8B8D 88F9FFFF mov ecx, dword ptr [ebp-678]
0041913F . 898D A0F9FFFF mov dword ptr [ebp-660], ecx
00419145 . C745 FC 01000000 mov dword ptr [ebp-4], 1
0041914C . 8B95 A0F9FFFF mov edx, dword ptr [ebp-660]
00419152 . 8B02 mov eax, dword ptr [edx]
00419154 . 8985 9CF9FFFF mov dword ptr [ebp-664], eax
0041915A . 8B8D 9CF9FFFF mov ecx, dword ptr [ebp-664]
00419160 . 51 push ecx
00419161 . 68 B5040000 push 4B5
00419166 . B9 C87A6500 mov ecx, 00657AC8
0041916B . E8 69050400 call 004596D9
00419170 . C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
00419177 . 8D8D A4F9FFFF lea ecx, dword ptr [ebp-65C]
0041917D . E8 84D40300 call 00456606
00419182 . 68 0000FF00 push 0FF0000
00419187 . B9 E8806500 mov ecx, 006580E8
0041918C . E8 FF4F0000 call 0041E190
00419191 . C645 D8 00 mov byte ptr [ebp-28], 0
00419195 . C645 D9 00 mov byte ptr [ebp-27], 0
00419199 . 33D2 xor edx, edx
0041919B . 8955 DA mov dword ptr [ebp-26], edx
0041919E . 8955 DE mov dword ptr [ebp-22], edx
004191A1 . 8955 E2 mov dword ptr [ebp-1E], edx
004191A4 . 8955 E6 mov dword ptr [ebp-1A], edx
004191A7 . 8955 EA mov dword ptr [ebp-16], edx
004191AA . 66:8955 EE mov word ptr [ebp-12], dx
004191AE . 8855 F0 mov byte ptr [ebp-10], dl
004191B1 . 6A 18 push 18 ; /Arg3 = 00000018
004191B3 . 8D45 D8 lea eax, dword ptr [ebp-28] ; |
004191B6 . 50 push eax ; |Arg2
004191B7 . 68 05040000 push 405 ; |Arg1 = 00000405
004191BC . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668] ; |
004191C2 . E8 AB040400 call 00459672 ; \jtbl.00459672
004191C7 . 68 382D4800 push 00482D38 ; /FileName = ".\Setting\config.ini"
004191CC . 8D4D D8 lea ecx, dword ptr [ebp-28] ; |
004191CF . 51 push ecx ; |String
004191D0 . 68 182D4800 push 00482D18 ; |Key = "Account"
004191D5 . 68 282D4800 push 00482D28 ; |Section = "Config"
004191DA . FF15 48A24600 call dword ptr [<&kernel32.WritePrivate>; \WritePrivateProfileStringA
004191E0 . C685 70FEFFFF 00 mov byte ptr [ebp-190], 0
004191E7 . C685 71FEFFFF 00 mov byte ptr [ebp-18F], 0
004191EE . B9 40000000 mov ecx, 40
004191F3 . 33C0 xor eax, eax
004191F5 . 8DBD 72FEFFFF lea edi, dword ptr [ebp-18E]
004191FB . F3:AB rep stos dword ptr es:[edi]
004191FD . 66:AB stos word ptr es:[edi]
004191FF . C745 D4 00000000 mov dword ptr [ebp-2C], 0
00419206 . 68 04010000 push 104 ; /BufSize = 104 (260.)
0041920B . 8D95 70FEFFFF lea edx, dword ptr [ebp-190] ; |
00419211 . 52 push edx ; |PathBuffer
00419212 . 6A 00 push 0 ; |hModule = NULL
00419214 . FF15 ECA14600 call dword ptr [<&kernel32.GetModuleFil>; \GetModuleFileNameA
0041921A . 8DBD 70FEFFFF lea edi, dword ptr [ebp-190]
00419220 . 83C9 FF or ecx, FFFFFFFF
00419223 . 33C0 xor eax, eax
00419225 . F2:AE repne scas byte ptr es:[edi]
00419227 . F7D1 not ecx
00419229 . 83C1 FE add ecx, -2
0041922C . 894D D4 mov dword ptr [ebp-2C], ecx
0041922F > 8B45 D4 mov eax, dword ptr [ebp-2C]
00419232 . 0FBE8C05 70FEFFFF movsx ecx, byte ptr [ebp+eax-190]
0041923A . 83F9 5C cmp ecx, 5C
0041923D . 74 16 je short 00419255
0041923F . 8B55 D4 mov edx, dword ptr [ebp-2C]
00419242 . C68415 70FEFFFF 00 mov byte ptr [ebp+edx-190], 0
0041924A . 8B45 D4 mov eax, dword ptr [ebp-2C]
0041924D . 83E8 01 sub eax, 1
00419250 . 8945 D4 mov dword ptr [ebp-2C], eax
00419253 .^ EB DA jmp short 0041922F
00419255 > 8D7D D8 lea edi, dword ptr [ebp-28] ; get the username (prepare to compute the trial-time verification)
00419258 . 8B15 787D5F00 mov edx, dword ptr [5F7D78] ; kudrtgov.10213000
0041925E . 83C9 FF or ecx, FFFFFFFF
00419261 . 33C0 xor eax, eax
00419263 . F2:AE repne scas byte ptr es:[edi]
00419265 . F7D1 not ecx
00419267 . 2BF9 sub edi, ecx
00419269 . 8BF7 mov esi, edi
0041926B . 8BC1 mov eax, ecx
0041926D . 8BFA mov edi, edx
0041926F . C1E9 02 shr ecx, 2
00419272 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419274 . 8BC8 mov ecx, eax
00419276 . 83E1 03 and ecx, 3
00419279 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
0041927B . 8DBD 70FEFFFF lea edi, dword ptr [ebp-190]
00419281 . 8B0D 787D5F00 mov ecx, dword ptr [5F7D78] ; kudrtgov.10213000
00419287 . 83C1 1E add ecx, 1E
0041928A . 8BD1 mov edx, ecx
0041928C . 83C9 FF or ecx, FFFFFFFF
0041928F . 33C0 xor eax, eax
00419291 . F2:AE repne scas byte ptr es:[edi]
00419293 . F7D1 not ecx
00419295 . 2BF9 sub edi, ecx
00419297 . 8BF7 mov esi, edi
00419299 . 8BC1 mov eax, ecx
0041929B . 8BFA mov edi, edx
0041929D . C1E9 02 shr ecx, 2
004192A0 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
004192A2 . 8BC8 mov ecx, eax
004192A4 . 83E1 03 and ecx, 3
004192A7 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
004192A9 . C685 38FBFFFF 00 mov byte ptr [ebp-4C8], 0
004192B0 . C685 39FBFFFF 00 mov byte ptr [ebp-4C7], 0
004192B7 . B9 40000000 mov ecx, 40
004192BC . 33C0 xor eax, eax
004192BE . 8DBD 3AFBFFFF lea edi, dword ptr [ebp-4C6]
004192C4 . F3:AB rep stos dword ptr es:[edi]
004192C6 . 66:AB stos word ptr es:[edi]
004192C8 . C685 3CFCFFFF 00 mov byte ptr [ebp-3C4], 0
004192CF . C685 3DFCFFFF 00 mov byte ptr [ebp-3C3], 0
004192D6 . B9 40000000 mov ecx, 40
004192DB . 33C0 xor eax, eax
004192DD . 8DBD 3EFCFFFF lea edi, dword ptr [ebp-3C2]
004192E3 . F3:AB rep stos dword ptr es:[edi]
004192E5 . 66:AB stos word ptr es:[edi]
004192E7 . C685 44FDFFFF 00 mov byte ptr [ebp-2BC], 0
004192EE . C685 45FDFFFF 00 mov byte ptr [ebp-2BB], 0
004192F5 . B9 40000000 mov ecx, 40
004192FA . 33C0 xor eax, eax
004192FC . 8DBD 46FDFFFF lea edi, dword ptr [ebp-2BA]
00419302 . F3:AB rep stos dword ptr es:[edi]
00419304 . 66:AB stos word ptr es:[edi]
00419306 . BF CC2D4800 mov edi, 00482DCC ; ASCII "\Users\"
0041930B . 8D95 70FEFFFF lea edx, dword ptr [ebp-190]
00419311 . 83C9 FF or ecx, FFFFFFFF
00419314 . 33C0 xor eax, eax
00419316 . F2:AE repne scas byte ptr es:[edi]
00419318 . F7D1 not ecx
0041931A . 2BF9 sub edi, ecx
0041931C . 8BF7 mov esi, edi
0041931E . 8BD9 mov ebx, ecx
00419320 . 8BFA mov edi, edx
00419322 . 83C9 FF or ecx, FFFFFFFF
00419325 . 33C0 xor eax, eax
00419327 . F2:AE repne scas byte ptr es:[edi]
00419329 . 83C7 FF add edi, -1
0041932C . 8BCB mov ecx, ebx
0041932E . C1E9 02 shr ecx, 2
00419331 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419333 . 8BCB mov ecx, ebx
00419335 . 83E1 03 and ecx, 3
00419338 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
0041933A . 8DBD 70FEFFFF lea edi, dword ptr [ebp-190]
00419340 . 8D95 38FBFFFF lea edx, dword ptr [ebp-4C8]
00419346 . 83C9 FF or ecx, FFFFFFFF
00419349 . 33C0 xor eax, eax
0041934B . F2:AE repne scas byte ptr es:[edi]
0041934D . F7D1 not ecx
0041934F . 2BF9 sub edi, ecx
00419351 . 8BF7 mov esi, edi
00419353 . 8BC1 mov eax, ecx
00419355 . 8BFA mov edi, edx
00419357 . C1E9 02 shr ecx, 2
0041935A . F3:A5 rep movs dword ptr es:[edi], dword ptr>
0041935C . 8BC8 mov ecx, eax
0041935E . 83E1 03 and ecx, 3
00419361 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
00419363 . 8B3D 787D5F00 mov edi, dword ptr [5F7D78] ; kudrtgov.10213000
00419369 . 8D95 38FBFFFF lea edx, dword ptr [ebp-4C8]
0041936F . 83C9 FF or ecx, FFFFFFFF
00419372 . 33C0 xor eax, eax
00419374 . F2:AE repne scas byte ptr es:[edi]
00419376 . F7D1 not ecx
00419378 . 2BF9 sub edi, ecx
0041937A . 8BF7 mov esi, edi
0041937C . 8BD9 mov ebx, ecx
0041937E . 8BFA mov edi, edx
00419380 . 83C9 FF or ecx, FFFFFFFF
00419383 . 33C0 xor eax, eax
00419385 . F2:AE repne scas byte ptr es:[edi]
00419387 . 83C7 FF add edi, -1
0041938A . 8BCB mov ecx, ebx
0041938C . C1E9 02 shr ecx, 2
0041938F . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419391 . 8BCB mov ecx, ebx
00419393 . 83E1 03 and ecx, 3
00419396 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
00419398 . BF BC2D4800 mov edi, 00482DBC ; ASCII "\NewConfig.ini"
0041939D . 8D95 38FBFFFF lea edx, dword ptr [ebp-4C8]
004193A3 . 83C9 FF or ecx, FFFFFFFF
004193A6 . 33C0 xor eax, eax
004193A8 . F2:AE repne scas byte ptr es:[edi]
004193AA . F7D1 not ecx
004193AC . 2BF9 sub edi, ecx
004193AE . 8BF7 mov esi, edi
004193B0 . 8BD9 mov ebx, ecx
004193B2 . 8BFA mov edi, edx
004193B4 . 83C9 FF or ecx, FFFFFFFF
004193B7 . 33C0 xor eax, eax
004193B9 . F2:AE repne scas byte ptr es:[edi]
004193BB . 83C7 FF add edi, -1
004193BE . 8BCB mov ecx, ebx
004193C0 . C1E9 02 shr ecx, 2
004193C3 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
004193C5 . 8BCB mov ecx, ebx
004193C7 . 83E1 03 and ecx, 3
004193CA . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
004193CC . 8DBD 70FEFFFF lea edi, dword ptr [ebp-190]
004193D2 . 8D95 3CFCFFFF lea edx, dword ptr [ebp-3C4]
004193D8 . 83C9 FF or ecx, FFFFFFFF
004193DB . 33C0 xor eax, eax
004193DD . F2:AE repne scas byte ptr es:[edi]
004193DF . F7D1 not ecx
004193E1 . 2BF9 sub edi, ecx
004193E3 . 8BF7 mov esi, edi
004193E5 . 8BC1 mov eax, ecx
004193E7 . 8BFA mov edi, edx
004193E9 . C1E9 02 shr ecx, 2
004193EC . F3:A5 rep movs dword ptr es:[edi], dword ptr>
004193EE . 8BC8 mov ecx, eax
004193F0 . 83E1 03 and ecx, 3
004193F3 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
004193F5 . 8B3D 787D5F00 mov edi, dword ptr [5F7D78] ; kudrtgov.10213000
004193FB . 8D95 3CFCFFFF lea edx, dword ptr [ebp-3C4]
00419401 . 83C9 FF or ecx, FFFFFFFF
00419404 . 33C0 xor eax, eax
00419406 . F2:AE repne scas byte ptr es:[edi]
00419408 . F7D1 not ecx
0041940A . 2BF9 sub edi, ecx
0041940C . 8BF7 mov esi, edi
0041940E . 8BD9 mov ebx, ecx
00419410 . 8BFA mov edi, edx
00419412 . 83C9 FF or ecx, FFFFFFFF
00419415 . 33C0 xor eax, eax
00419417 . F2:AE repne scas byte ptr es:[edi]
00419419 . 83C7 FF add edi, -1
0041941C . 8BCB mov ecx, ebx
0041941E . C1E9 02 shr ecx, 2
00419421 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419423 . 8BCB mov ecx, ebx
00419425 . 83E1 03 and ecx, 3
00419428 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
0041942A . BF AC2D4800 mov edi, 00482DAC ; ASCII "\ListFile.ini"
0041942F . 8D95 3CFCFFFF lea edx, dword ptr [ebp-3C4]
00419435 . 83C9 FF or ecx, FFFFFFFF
00419438 . 33C0 xor eax, eax
0041943A . F2:AE repne scas byte ptr es:[edi]
0041943C . F7D1 not ecx
0041943E . 2BF9 sub edi, ecx
00419440 . 8BF7 mov esi, edi
00419442 . 8BD9 mov ebx, ecx
00419444 . 8BFA mov edi, edx
00419446 . 83C9 FF or ecx, FFFFFFFF
00419449 . 33C0 xor eax, eax
0041944B . F2:AE repne scas byte ptr es:[edi]
0041944D . 83C7 FF add edi, -1
00419450 . 8BCB mov ecx, ebx
00419452 . C1E9 02 shr ecx, 2
00419455 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419457 . 8BCB mov ecx, ebx
00419459 . 83E1 03 and ecx, 3
0041945C . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
0041945E . 8DBD 70FEFFFF lea edi, dword ptr [ebp-190]
00419464 . 8D95 44FDFFFF lea edx, dword ptr [ebp-2BC]
0041946A . 83C9 FF or ecx, FFFFFFFF
0041946D . 33C0 xor eax, eax
0041946F . F2:AE repne scas byte ptr es:[edi]
00419471 . F7D1 not ecx
00419473 . 2BF9 sub edi, ecx
00419475 . 8BF7 mov esi, edi
00419477 . 8BC1 mov eax, ecx
00419479 . 8BFA mov edi, edx
0041947B . C1E9 02 shr ecx, 2
0041947E . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419480 . 8BC8 mov ecx, eax
00419482 . 83E1 03 and ecx, 3
00419485 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
00419487 . 8B3D 787D5F00 mov edi, dword ptr [5F7D78] ; kudrtgov.10213000
0041948D . 8D95 44FDFFFF lea edx, dword ptr [ebp-2BC]
00419493 . 83C9 FF or ecx, FFFFFFFF
00419496 . 33C0 xor eax, eax
00419498 . F2:AE repne scas byte ptr es:[edi]
0041949A . F7D1 not ecx
0041949C . 2BF9 sub edi, ecx
0041949E . 8BF7 mov esi, edi
004194A0 . 8BD9 mov ebx, ecx
004194A2 . 8BFA mov edi, edx
004194A4 . 83C9 FF or ecx, FFFFFFFF
004194A7 . 33C0 xor eax, eax
004194A9 . F2:AE repne scas byte ptr es:[edi]
004194AB . 83C7 FF add edi, -1
004194AE . 8BCB mov ecx, ebx
004194B0 . C1E9 02 shr ecx, 2
004194B3 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
004194B5 . 8BCB mov ecx, ebx
004194B7 . 83E1 03 and ecx, 3
004194BA . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
004194BC . BF 9C2D4800 mov edi, 00482D9C ; ASCII "\GuoLvFile.ini"
004194C1 . 8D95 44FDFFFF lea edx, dword ptr [ebp-2BC]
004194C7 . 83C9 FF or ecx, FFFFFFFF
004194CA . 33C0 xor eax, eax
004194CC . F2:AE repne scas byte ptr es:[edi]
004194CE . F7D1 not ecx
004194D0 . 2BF9 sub edi, ecx
004194D2 . 8BF7 mov esi, edi
004194D4 . 8BD9 mov ebx, ecx
004194D6 . 8BFA mov edi, edx
004194D8 . 83C9 FF or ecx, FFFFFFFF
004194DB . 33C0 xor eax, eax
004194DD . F2:AE repne scas byte ptr es:[edi]
004194DF . 83C7 FF add edi, -1
004194E2 . 8BCB mov ecx, ebx
004194E4 . C1E9 02 shr ecx, 2
004194E7 . F3:A5 rep movs dword ptr es:[edi], dword ptr>
004194E9 . 8BCB mov ecx, ebx
004194EB . 83E1 03 and ecx, 3
004194EE . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
004194F0 . 68 982D4800 push 00482D98
004194F5 . 8D85 38FBFFFF lea eax, dword ptr [ebp-4C8]
004194FB . 50 push eax
004194FC . E8 97BE0100 call 00435398 ; does config file A already exist
00419501 . 83C4 08 add esp, 8
00419504 . 8985 14FAFFFF mov dword ptr [ebp-5EC], eax
0041950A . 83BD 14FAFFFF 00 cmp dword ptr [ebp-5EC], 0
00419511 . 75 5A jnz short 0041956D ; jump if the file already exists
00419513 . 8B3D 787D5F00 mov edi, dword ptr [5F7D78] ; kudrtgov.10213000
00419519 . 8D95 70FEFFFF lea edx, dword ptr [ebp-190]
0041951F . 83C9 FF or ecx, FFFFFFFF
00419522 . 33C0 xor eax, eax
00419524 . F2:AE repne scas byte ptr es:[edi]
00419526 . F7D1 not ecx
00419528 . 2BF9 sub edi, ecx
0041952A . 8BF7 mov esi, edi
0041952C . 8BD9 mov ebx, ecx
0041952E . 8BFA mov edi, edx
00419530 . 83C9 FF or ecx, FFFFFFFF
00419533 . 33C0 xor eax, eax
00419535 . F2:AE repne scas byte ptr es:[edi]
00419537 . 83C7 FF add edi, -1
0041953A . 8BCB mov ecx, ebx
0041953C . C1E9 02 shr ecx, 2
0041953F . F3:A5 rep movs dword ptr es:[edi], dword ptr>
00419541 . 8BCB mov ecx, ebx
00419543 . 83E1 03 and ecx, 3
00419546 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
00419548 . 6A 00 push 0 ; /pSecurity = NULL
0041954A . 8D85 70FEFFFF lea eax, dword ptr [ebp-190] ; |
00419550 . 50 push eax ; |Path
00419551 . FF15 F0A14600 call dword ptr [<&kernel32.CreateDirect>; \CreateDirectoryA
00419557 . 6A 01 push 1 ; /FailIfExists = TRUE
00419559 . 8D8D 38FBFFFF lea ecx, dword ptr [ebp-4C8] ; |use the default config file A
0041955F . 51 push ecx ; |NewFileName
00419560 . 68 842D4800 push 00482D84 ; |ExistingFileName =
; "Setting\Default.ini"
00419565 . FF15 F4A14600 call dword ptr [<&kernel32.CopyFileA>] ; \CopyFileA
0041956B . EB 0F jmp short 0041957C
0041956D > 8B95 14FAFFFF mov edx, dword ptr [ebp-5EC]
00419573 . 52 push edx
00419574 . E8 71BD0100 call 004352EA
00419579 . 83C4 04 add esp, 4
0041957C > 68 982D4800 push 00482D98
00419581 . 8D85 3CFCFFFF lea eax, dword ptr [ebp-3C4]
00419587 . 50 push eax
00419588 . E8 0BBE0100 call 00435398 ; does config file B already exist
0041958D . 83C4 08 add esp, 8
00419590 . 8985 14FAFFFF mov dword ptr [ebp-5EC], eax
00419596 . 83BD 14FAFFFF 00 cmp dword ptr [ebp-5EC], 0
0041959D . 75 25 jnz short 004195C4 ; jump if the file already exists
0041959F . 6A 00 push 0 ; /pSecurity = NULL
004195A1 . 8D8D 70FEFFFF lea ecx, dword ptr [ebp-190] ; |
004195A7 . 51 push ecx ; |Path
004195A8 . FF15 F0A14600 call dword ptr [<&kernel32.CreateDirect>; \CreateDirectoryA
004195AE . 6A 01 push 1 ; /FailIfExists = TRUE
004195B0 . 8D95 3CFCFFFF lea edx, dword ptr [ebp-3C4] ; |use the default config file B
004195B6 . 52 push edx ; |NewFileName
004195B7 . 68 6C2D4800 push 00482D6C ; |ExistingFileName =
; "Setting\DefaultList.ini"
004195BC . FF15 F4A14600 call dword ptr [<&kernel32.CopyFileA>] ; \CopyFileA
004195C2 . EB 0F jmp short 004195D3
004195C4 > 8B85 14FAFFFF mov eax, dword ptr [ebp-5EC]
004195CA . 50 push eax
004195CB . E8 1ABD0100 call 004352EA
004195D0 . 83C4 04 add esp, 4
004195D3 > 68 982D4800 push 00482D98
004195D8 . 8D8D 44FDFFFF lea ecx, dword ptr [ebp-2BC]
004195DE . 51 push ecx
004195DF . E8 B4BD0100 call 00435398 ; does config file C already exist
004195E4 . 83C4 08 add esp, 8
004195E7 . 8985 14FAFFFF mov dword ptr [ebp-5EC], eax
004195ED . 83BD 14FAFFFF 00 cmp dword ptr [ebp-5EC], 0
004195F4 . 75 25 jnz short 0041961B ; jump if the file already exists
004195F6 . 6A 00 push 0 ; /pSecurity = NULL
004195F8 . 8D95 70FEFFFF lea edx, dword ptr [ebp-190] ; |
004195FE . 52 push edx ; |Path
004195FF . FF15 F0A14600 call dword ptr [<&kernel32.CreateDirect>; \CreateDirectoryA
00419605 . 6A 01 push 1 ; /FailIfExists = TRUE
00419607 . 8D85 44FDFFFF lea eax, dword ptr [ebp-2BC] ; |use the default config file C
0041960D . 50 push eax ; |NewFileName
0041960E . 68 502D4800 push 00482D50 ; |ExistingFileName =
; "Setting\DefaultGuoLv.ini"
00419613 . FF15 F4A14600 call dword ptr [<&kernel32.CopyFileA>] ; \CopyFileA
00419619 . EB 0F jmp short 0041962A
0041961B > 8B8D 14FAFFFF mov ecx, dword ptr [ebp-5EC]
00419621 . 51 push ecx
00419622 . E8 C3BC0100 call 004352EA
00419627 . 83C4 04 add esp, 4
0041962A > 68 382D4800 push 00482D38 ; /IniFileName = ".\Setting\config.ini"
0041962F . 6A 00 push 0 ; |Default = 0
00419631 . 68 0C2D4800 push 00482D0C ; |Key = "virtualcode"
00419636 . 68 282D4800 push 00482D28 ; |Section = "Config"
0041963B . FF15 F8A14600 call dword ptr [<&kernel32.GetPrivatePr>; \GetPrivateProfileIntA
00419641 . 66:8985 34FBFFFF mov word ptr [ebp-4CC], ax
00419648 . 68 382D4800 push 00482D38 ; /IniFileName = ".\Setting\config.ini"
0041964D . 6A 00 push 0 ; |Default = 0
0041964F . 68 002D4800 push 00482D00 ; |Key = "modifiers"
00419654 . 68 282D4800 push 00482D28 ; |Section = "Config"
00419659 . FF15 F8A14600 call dword ptr [<&kernel32.GetPrivatePr>; \GetPrivateProfileIntA
0041965F . 66:8985 2CFBFFFF mov word ptr [ebp-4D4], ax
00419666 . 8B95 34FBFFFF mov edx, dword ptr [ebp-4CC]
0041966C . 81E2 FFFF0000 and edx, 0FFFF
00419672 . A1 787D5F00 mov eax, dword ptr [5F7D78]
00419677 . 8990 22010000 mov dword ptr [eax+122], edx
0041967D . 8B8D 2CFBFFFF mov ecx, dword ptr [ebp-4D4]
00419683 . 81E1 FFFF0000 and ecx, 0FFFF
00419689 . 8B15 787D5F00 mov edx, dword ptr [5F7D78] ; kudrtgov.10213000
0041968F . 898A 26010000 mov dword ptr [edx+126], ecx
00419695 . A1 787D5F00 mov eax, dword ptr [5F7D78]
0041969A . C780 90010000 64000000 mov dword ptr [eax+190], 64
004196A4 . C685 28FAFFFF 00 mov byte ptr [ebp-5D8], 0
004196AB . C685 29FAFFFF 00 mov byte ptr [ebp-5D7], 0
004196B2 . B9 40000000 mov ecx, 40
004196B7 . 33C0 xor eax, eax
004196B9 . 8DBD 2AFAFFFF lea edi, dword ptr [ebp-5D6]
004196BF . F3:AB rep stos dword ptr es:[edi]
004196C1 . 66:AB stos word ptr es:[edi]
004196C3 . 6A 12 push 12 ; /Arg3 = 00000012
004196C5 . 8D8D 28FAFFFF lea ecx, dword ptr [ebp-5D8] ; |
004196CB . 51 push ecx ; |Arg2
004196CC . 68 05040000 push 405 ; |Arg1 = 00000405
004196D1 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668] ; |
004196D7 . E8 96FF0300 call 00459672 ; \jtbl.00459672
004196DC . C785 40FDFFFF 00000000 mov dword ptr [ebp-2C0], 0
004196E6 . EB 0F jmp short 004196F7
004196E8 > 8B95 40FDFFFF mov edx, dword ptr [ebp-2C0]
004196EE . 83C2 01 add edx, 1
004196F1 . 8995 40FDFFFF mov dword ptr [ebp-2C0], edx
004196F7 > 8B85 40FDFFFF mov eax, dword ptr [ebp-2C0]
004196FD . 3B05 687D5F00 cmp eax, dword ptr [5F7D68]
00419703 . 0F83 A6000000 jnb 004197AF
00419709 . 8D8D 28FAFFFF lea ecx, dword ptr [ebp-5D8]
0041970F . 898D 84F9FFFF mov dword ptr [ebp-67C], ecx
00419715 . 8B95 40FDFFFF mov edx, dword ptr [ebp-2C0]
0041971B . 6BD2 68 imul edx, edx, 68
0041971E . 81C2 18E65D00 add edx, 005DE618 ; fetch the usernames previously used locally
00419724 . 8995 80F9FFFF mov dword ptr [ebp-680], edx
0041972A > 8B85 80F9FFFF mov eax, dword ptr [ebp-680]
00419730 . 8A08 mov cl, byte ptr [eax]
00419732 . 888D 7FF9FFFF mov byte ptr [ebp-681], cl
00419738 . 8B95 84F9FFFF mov edx, dword ptr [ebp-67C]
0041973E . 3A0A cmp cl, byte ptr [edx]
00419740 . 75 46 jnz short 00419788
00419742 . 80BD 7FF9FFFF 00 cmp byte ptr [ebp-681], 0
00419749 . 74 31 je short 0041977C
0041974B . 8B85 80F9FFFF mov eax, dword ptr [ebp-680]
00419751 . 8A48 01 mov cl, byte ptr [eax+1]
00419754 . 888D 7EF9FFFF mov byte ptr [ebp-682], cl
0041975A . 8B95 84F9FFFF mov edx, dword ptr [ebp-67C]
00419760 . 3A4A 01 cmp cl, byte ptr [edx+1]
00419763 . 75 23 jnz short 00419788
00419765 . 8385 80F9FFFF 02 add dword ptr [ebp-680], 2
0041976C . 8385 84F9FFFF 02 add dword ptr [ebp-67C], 2
00419773 . 80BD 7EF9FFFF 00 cmp byte ptr [ebp-682], 0
0041977A .^ 75 AE jnz short 0041972A
0041977C > C785 78F9FFFF 00000000 mov dword ptr [ebp-688], 0
00419786 . EB 0B jmp short 00419793
00419788 > 1BC0 sbb eax, eax
0041978A . 83D8 FF sbb eax, -1
0041978D . 8985 78F9FFFF mov dword ptr [ebp-688], eax
00419793 > 8B8D 78F9FFFF mov ecx, dword ptr [ebp-688]
00419799 . 898D 74F9FFFF mov dword ptr [ebp-68C], ecx
0041979F . 83BD 74F9FFFF 00 cmp dword ptr [ebp-68C], 0
004197A6 . 75 02 jnz short 004197AA
004197A8 . EB 05 jmp short 004197AF
004197AA >^ E9 39FFFFFF jmp 004196E8
004197AF > 8B95 40FDFFFF mov edx, dword ptr [ebp-2C0]
004197B5 . 3B15 687D5F00 cmp edx, dword ptr [5F7D68] ; check whether this username is a new one
004197BB . 0F82 EF000000 jb 004198B0 ; ★so this must not jump! NOP it out★
004197C1 . A1 687D5F00 mov eax, dword ptr [5F7D68]
004197C6 . A3 6C7D5F00 mov dword ptr [5F7D6C], eax
004197CB . 8DBD 28FAFFFF lea edi, dword ptr [ebp-5D8]
004197D1 . 8B0D 687D5F00 mov ecx, dword ptr [5F7D68]
004197D7 . 6BC9 68 imul ecx, ecx, 68
004197DA . 81C1 18E65D00 add ecx, 005DE618 ; ASCII "test"
004197E0 . 898D 70F9FFFF mov dword ptr [ebp-690], ecx
004197E6 . 8B95 70F9FFFF mov edx, dword ptr [ebp-690]
004197EC . A1 687D5F00 mov eax, dword ptr [5F7D68]
004197F1 . 83C0 01 add eax, 1
004197F4 . A3 687D5F00 mov dword ptr [5F7D68], eax
004197F9 . 83C9 FF or ecx, FFFFFFFF
004197FC . 33C0 xor eax, eax
004197FE . F2:AE repne scas byte ptr es:[edi]
00419800 . F7D1 not ecx
00419802 . 2BF9 sub edi, ecx
00419804 . 8BF7 mov esi, edi
00419806 . 8BC1 mov eax, ecx
00419808 . 8BFA mov edi, edx
0041980A . C1E9 02 shr ecx, 2
0041980D . F3:A5 rep movs dword ptr es:[edi], dword ptr>
0041980F . 8BC8 mov ecx, eax
00419811 . 83E1 03 and ecx, 3
00419814 . F3:A4 rep movs byte ptr es:[edi], byte ptr [>
00419816 . 6A 00 push 0 ; /prepare to write the data file used for local records
00419818 . 68 00000002 push 2000000 ; |Attributes = BACKUP_SEMANTICS
0041981D . 6A 04 push 4 ; |Mode = OPEN_ALWAYS
0041981F . 6A 00 push 0 ; |pSecurity = NULL
00419821 . 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
00419823 . 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00419828 . 68 F42C4800 push 00482CF4 ; |FileName = "Account.dat"
0041982D . FF15 3CA24600 call dword ptr [<&kernel32.CreateFileA>>; \CreateFileA
00419833 . 8985 B8F9FFFF mov dword ptr [ebp-648], eax
00419839 . 6A 00 push 0 ; /pOverlapped = NULL
0041983B . 8D8D BCF9FFFF lea ecx, dword ptr [ebp-644] ; |
00419841 . 51 push ecx ; |pBytesWritten
00419842 . 6A 04 push 4 ; |nBytesToWrite = 4
00419844 . 68 687D5F00 push 005F7D68 ; |Buffer = jtbl.005F7D68
00419849 . 8B95 B8F9FFFF mov edx, dword ptr [ebp-648] ; |
0041984F . 52 push edx ; |hFile
00419850 . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
00419856 . 6A 00 push 0 ; /pOverlapped = NULL
00419858 . 8D85 BCF9FFFF lea eax, dword ptr [ebp-644] ; |
0041985E . 50 push eax ; |pBytesWritten
0041985F . 6A 04 push 4 ; |nBytesToWrite = 4
00419861 . 68 6C7D5F00 push 005F7D6C ; |Buffer = jtbl.005F7D6C
00419866 . 8B8D B8F9FFFF mov ecx, dword ptr [ebp-648] ; |
0041986C . 51 push ecx ; |hFile
0041986D . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
00419873 . 6A 00 push 0 ; /pOverlapped = NULL
00419875 . 8D95 BCF9FFFF lea edx, dword ptr [ebp-644] ; |
0041987B . 52 push edx ; |pBytesWritten
0041987C . 68 40960100 push 19640 ; |nBytesToWrite = 19640 (104000.)
00419881 . 68 18E65D00 push 005DE618 ; |Buffer = jtbl.005DE618
00419886 . 8B85 B8F9FFFF mov eax, dword ptr [ebp-648] ; |
0041988C . 50 push eax ; |hFile
0041988D . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
00419893 . 8B8D B8F9FFFF mov ecx, dword ptr [ebp-648]
00419899 . 51 push ecx ; /hObject
0041989A . FF15 44A24600 call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
004198A0 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
004198A6 . E8 350E0000 call 0041A6E0
004198AB . E9 A1000000 jmp 00419951
004198B0 > 8B95 40FDFFFF mov edx, dword ptr [ebp-2C0]
004198B6 . 8915 6C7D5F00 mov dword ptr [5F7D6C], edx
004198BC . 6A 00 push 0 ; /hTemplateFile = NULL
004198BE . 68 00000002 push 2000000 ; |Attributes = BACKUP_SEMANTICS
004198C3 . 6A 04 push 4 ; |Mode = OPEN_ALWAYS
004198C5 . 6A 00 push 0 ; |pSecurity = NULL
004198C7 . 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
004198C9 . 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
004198CE . 68 F42C4800 push 00482CF4 ; |FileName = "Account.dat"
004198D3 . FF15 3CA24600 call dword ptr [<&kernel32.CreateFileA>>; \CreateFileA
004198D9 . 8985 B0F9FFFF mov dword ptr [ebp-650], eax
004198DF . 6A 00 push 0 ; /pOverlapped = NULL
004198E1 . 8D85 B4F9FFFF lea eax, dword ptr [ebp-64C] ; |
004198E7 . 50 push eax ; |pBytesWritten
004198E8 . 6A 04 push 4 ; |nBytesToWrite = 4
004198EA . 68 687D5F00 push 005F7D68 ; |Buffer = jtbl.005F7D68
004198EF . 8B8D B0F9FFFF mov ecx, dword ptr [ebp-650] ; |
004198F5 . 51 push ecx ; |hFile
004198F6 . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
004198FC . 6A 00 push 0 ; /pOverlapped = NULL
004198FE . 8D95 B4F9FFFF lea edx, dword ptr [ebp-64C] ; |
00419904 . 52 push edx ; |pBytesWritten
00419905 . 6A 04 push 4 ; |nBytesToWrite = 4
00419907 . 68 6C7D5F00 push 005F7D6C ; |Buffer = jtbl.005F7D6C
0041990C . 8B85 B0F9FFFF mov eax, dword ptr [ebp-650] ; |
00419912 . 50 push eax ; |hFile
00419913 . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
00419919 . 6A 00 push 0 ; /pOverlapped = NULL
0041991B . 8D8D B4F9FFFF lea ecx, dword ptr [ebp-64C] ; |
00419921 . 51 push ecx ; |pBytesWritten
00419922 . 68 40960100 push 19640 ; |nBytesToWrite = 19640 (104000.)
00419927 . 68 18E65D00 push 005DE618 ; |Buffer = jtbl.005DE618
0041992C . 8B95 B0F9FFFF mov edx, dword ptr [ebp-650] ; |
00419932 . 52 push edx ; |hFile
00419933 . FF15 40A24600 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile
00419939 . 8B85 B0F9FFFF mov eax, dword ptr [ebp-650]
0041993F . 50 push eax ; /hObject
00419940 . FF15 44A24600 call dword ptr [<&kernel32.CloseHandle>>; \CloseHandle
00419946 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
0041994C . E8 8F0D0000 call 0041A6E0
00419951 > 68 04040000 push 404
00419956 . 8B8D 98F9FFFF mov ecx, dword ptr [ebp-668]
0041995C . E8 87FC0300 call 004595E8
00419961 . 8985 5CFEFFFF mov dword ptr [ebp-1A4], eax
00419967 . 6A 01 push 1
00419969 . 8B8D 5CFEFFFF mov ecx, dword ptr [ebp-1A4]
0041996F . E8 A0FF0300 call 00459914
00419974 . 8B0D 787D5F00 mov ecx, dword ptr [5F7D78] ; kudrtgov.10213000
0041997A . 890D A0126500 mov dword ptr [6512A0], ecx
00419980 . 6A 00 push 0 ; /Timerproc = NULL
00419982 . 6A 64 push 64 ; |Timeout = 100. ms
00419984 . 6A 01 push 1 ; |TimerID = 1
00419986 . 8B95 98F9FFFF mov edx, dword ptr [ebp-668] ; |
0041998C . 8B42 1C mov eax, dword ptr [edx+1C] ; |
0041998F . 50 push eax ; |hWnd
00419990 . FF15 6CA54600 call dword ptr [<&user32.SetTimer>] ; \SetTimer
00419996 > 8B4D F4 mov ecx, dword ptr [ebp-C]
00419999 . 64:890D 00000000 mov dword ptr fs:[0], ecx
004199A0 . 5F pop edi
004199A1 . 5E pop esi
004199A2 . 5B pop ebx
004199A3 . 8BE5 mov esp, ebp
004199A5 . 5D pop ebp
004199A6 . C3 retn ; network and local verification are all finished here
--------------------------------------------------------------------------------
【Lessons learned】
Actually, network verification itself is nothing to fear; what is scary is the "clothing (packer)" it wears. But as everyone's skills keep improving and the tools keep getting updated and more powerful,
it can be debugged even without unpacking. The most important thing is to be careful!
Post #64
00543680 55 push ebp
00543681 8BEC mov ebp, esp
00543683 B905000000 mov ecx, $00000005
00543688 6A00 push $00
0054368A 6A00 push $00
0054368C 49 dec ecx
0054368D 75F9 jnz 00543688
0054368F 53 push ebx
00543690 56 push esi
00543691 8BD8 mov ebx, eax
00543693 33C0 xor eax, eax
00543695 55 push ebp
00543696 68FE385400 push $005438FE
***** TRY
|
0054369B 64FF30 push dword ptr fs:[eax]
0054369E 648920 mov fs:[eax], esp
005436A1 6840358024 push $24803540
005436A6 E9E9A91500 jmp 0069E094
005436AB 58 pop eax
005436AC AD lodsd
005436AD 8B00 mov eax, [eax]
005436AF BF13B6748A mov edi, $8A74B613
005436B4 BE80605D31 mov esi, $315D6080
005436B9 58 pop eax
005436BA 98 cwde
005436BB 04C3 add al, -$3D
005436BD AC lodsb
005436BE 4B dec ebx
005436BF 80F8B1 cmp al, $B1
005436C2 5D pop ebp
005436C3 3F aas
005436C4 9A48EA9BF8 call $F89BEA48
005436C9 53 push ebx
005436CA 7EB0 jle 0054367C
005436CC 8458D8 test [eax-$28], bl
005436CF 30F9 xor cl, bh
005436D1 F9 stc
005436D2 96 xchg eax, esi
005436D3 0570679937 add eax, +$37996770
005436D8 95 xchg eax, ebp
005436D9 61 popa
005436DA 9D pop
005436DB 7E4A jle 00543727
005436DD CF iret
005436DE A4 movsb
005436DF E36E jcxz +$6E
005436E1 B8BCA01111 mov eax, $1111A0BC
005436E6 6F outsd
005436E7 B1AF mov cl, $AF
005436E9 30A4A2EA62D245 xor [edx+$45D262EA], ah
005436F0 A20E6D17C2 mov byte ptr [$C2176D0E], al
005436F5 9B wait
005436F6 20FE and dh, bh
005436F8 CB ret
005436F9 19E5 sbb ebp, esp
005436FB 54 push esp
005436FC 6D insd
005436FD 67FB sti
005436FF 86D0 xchg al, dl
00543701 E417 in al, $17
00543703 8888E6287D49 mov [eax+$497D28E6], cl
00543709 B8D1EC9E07 mov eax, $079EECD1
0054370E 46 inc esi
0054370F DF732E fbstp ???? ptr [ebx+$2E]
00543712 51 push ecx
00543713 50 push eax
00543714 25D485A1B1 and eax, $B1A185D4
00543719 69593020F748C1 imul ebx, [ecx+$30], $C148F720
00543720 F0 lock
00543721 82B24B9B0D9ED9 xor dword ptr [edx+$9E0D9B4B], $D9
00543728 4A dec edx
00543729 A4 movsb
0054372A 14FD adc al, $FD
0054372C 68AB345400 push $005434AB
|
00543731 E958D3FBFF jmp 00500A8E
00543736 82B66829D75300 xor dword ptr [esi+$53D72968], $00
|
0054373D E94CD3FBFF jmp 00500A8E
00543742 4B dec ebx
00543743 AD lodsd
00543744 A2A6AD9839 mov byte ptr [$3998ADA6], al
00543749 AB stosd
0054374A 10618D adc [ecx-$73], ah
0054374D 55 push ebp
0054374E FC cld
* Reference to control MainButtonEdit : TRzButtonEdit
|
0054374F 8B8330030000 mov eax, [ebx+$0330]
* Reference to: ActnMan.TActionListCollection.GetListItem(TActionListCollection;Integer):TActionListItem;
| or: ActnMan.TActionClientsCollection.GetActionClient(TActionClientsCollection;Integer):TActionClient;
| or: ActnMan.TActionBars.GetActionBar(TActionBars;Integer):TActionBarItem;
| or: ActnMan.TActionClients.GetActionClient(TActionClients;Integer):TActionClientItem;
| or: ActnMenus.TMenuList.GetMenu(TMenuList;Integer):TCustomActionMenuBar;
| or: ADODB.TParameters.GetItem(TParameters;Integer):TParameter;
|
00543755 E88690FCFF call 0050C7E0
0054375A 8B45FC mov eax, [ebp-$04]
* Reference to: SysUtils.FileExists(AnsiString):Boolean;
|
0054375D E81256F5FF call 00498D74
00543762 84C0 test al, al
00543764 7511 jnz 00543777
* Possible String Reference to: '请先选好游戏路径再试!'
|
00543766 BA50395400 mov edx, $00543950
0054376B 8BC3 mov eax, ebx
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
0054376D E84E89F9FF call 004DC0C0
00543772 E94A010000 jmp 005438C1
00543777 8D55EC lea edx, [ebp-$14]
* Reference to control ComboBox2 : TComboBox
|
0054377A 8BB324030000 mov esi, [ebx+$0324]
00543780 8BC6 mov eax, esi
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00543782 E80989F9FF call 004DC090
00543787 8B55EC mov edx, [ebp-$14]
0054378A 8B863C020000 mov eax, [esi+$023C]
00543790 8B08 mov ecx, [eax]
00543792 FF5154 call dword ptr [ecx+$54]
00543795 8BD0 mov edx, eax
00543797 8BC6 mov eax, esi
00543799 8B08 mov ecx, [eax]
0054379B FF91D0000000 call dword ptr [ecx+$00D0]
* Reference to control ComboBox2 : TComboBox
|
005437A1 8B8324030000 mov eax, [ebx+$0324]
005437A7 8B10 mov edx, [eax]
005437A9 FF92CC000000 call dword ptr [edx+$00CC]
005437AF 40 inc eax
005437B0 7511 jnz 005437C3
* Possible String Reference to: '请先选好登陆游戏的服务器!'
|
005437B2 BA70395400 mov edx, $00543970
005437B7 8BC3 mov eax, ebx
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
005437B9 E80289F9FF call 004DC0C0
005437BE E9FE000000 jmp 005438C1
005437C3 8D55E4 lea edx, [ebp-$1C]
* Reference to control Edit1 : TEdit
|
005437C6 8B8314030000 mov eax, [ebx+$0314]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
005437CC E8BF88F9FF call 004DC090
005437D1 8B45E4 mov eax, [ebp-$1C]
005437D4 8D55E8 lea edx, [ebp-$18]
* Reference to: SysUtils.Trim(AnsiString):AnsiString;overload;
|
005437D7 E8C44DF5FF call 004985A0
005437DC 837DE800 cmp dword ptr [ebp-$18], +$00
005437E0 7511 jnz 005437F3
* Possible String Reference to: '请先选好游戏帐号!'
|
005437E2 BA94395400 mov edx, $00543994
005437E7 8BC3 mov eax, ebx
* Reference to: Controls.TControl.SetText(TControl;TCaption);
|
005437E9 E8D288F9FF call 004DC0C0
005437EE E9CE000000 jmp 005438C1
005437F3 68D78CCDEA push $EACD8CD7
005437F8 E9B3621500 jmp 00699AB0
005437FD D2D2 rcl dl, cl
005437FF 7C3A jl 0054383B
00543801 1CFC sbb al, $FC
00543803 C54397 lds eax, [ebx-$69]
00543806 4B dec ebx
00543807 C519 lds ebx, [ecx]
00543809 BC3B962BCB mov esp, $CB2B963B
0054380E 5F pop edi
0054380F F8 clc
00543810 2C7A sub al, $7A
00543812 7332 jnb 00543846
00543814 2BBD4F7F8EDA sub edi, dword ptr [ebp+$DA8E7F4F]
0054381A 6D insd
0054381B 3929 cmp [ecx], ebp
0054381D BC4E8546FC mov esp, $FC46854E
00543822 BDD1440CFB mov ebp, $FB0C44D1
00543827 0F6454C5D9 pcmpgtb MM2, [ebp+eax*8-$27]
0054382C EF out dx, eax
0054382D 67F5 cmc
0054382F AE scasb
00543830 CF iret
00543831 4C dec esp
00543832 A3D31235F4 mov dword ptr [$F43512D3], eax
00543837 ED in eax, dx
00543838 7F11 jnle 0054384B
0054383A 41 inc ecx
0054383B 1AA87464F789 sbb ch, byte ptr [eax+$89F76474]
00543841 C08137F80CB5FD rol byte ptr [ecx+$B50CF837], $FD
00543848 98 cwde
00543849 0302 add eax, [edx]
0054384B 2E1E push ds
0054384D 5B pop ebx
0054384E 1A30 sbb dh, byte ptr [eax]
00543850 7DAD jnl 005437FF
00543852 CA ret
00543853 DED7 DB $DE, $D7 //
00543855 4D dec ebp
00543856 F4 hlt
00543857 24BD and al, $BD
00543859 ED in eax, dx
0054385A 83C70F add edi, +$0F
0054385D AC lodsb
0054385E C0B94BDD0D1C68 sar byte ptr [ecx+$1C0DDD4B], $68
00543865 FB sti
00543866 C7B74ADC13D48A4B5FD2 mov dword ptr [edi+$D413DC4A], $D25F4B8A
00543870 9A899DF2E2 call $E2F29D89
00543875 53 push ebx
00543876 67DC85B59E5D56 fadd qword ptr [di+$565D9EB5]
0054387D AC lodsb
0054387E 6B9B3464FA3E86 imul ebx, [ebx+$3EFA6434], $86
00543885 5B pop ebx
00543886 6F outsd
00543887 8BAE6D313B05 mov ebp, [esi+$53B316D]
0054388D AE scasb
0054388E 9F lahf
0054388F 5B pop ebx
00543890 8B2454 mov esp, [esp+edx*2]
00543893 FB sti
00543894 23684F and ebp, [eax+$4F]
00543897 770E jnbe 005438A7
00543899 5B pop ebx
0054389A B5E5 mov ch, $E5
0054389C 8CB41EDD766535 mov word ptr [esi+ebx+$356576DD],
005438A3 85F7 test edi, esi
005438A5 A7 cmpsd
005438A6 BC6D897950 mov esp, $5079896D
005438AB C013E3 rcl byte ptr [ebx], $E3
005438AE D9C8 fxch st(0), st(0)
005438B0 98 cwde
005438B1 E962912394 jmp 9477CA18
005438B6 EE out dx, al
005438B7 1E push ds
005438B8 4E dec esi
005438B9 A83E test al, $3E
005438BB 846CCD5B test [ebp+ecx*8+$5B], ch
005438BF 624433C0 bound eax, qword ptr [ebx+esi-$40]
005438C3 5A pop edx
005438C4 59 pop ecx
005438C5 59 pop ecx
005438C6 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '^[嬪]?
|
005438C9 6805395400 push $00543905
005438CE 8D45D8 lea eax, [ebp-$28]
005438D1 BA04000000 mov edx, $00000004
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
005438D6 E8D908F5FF call 004941B4
005438DB 8D45E8 lea eax, [ebp-$18]
* Reference to: System.@LStrClr(void;void);
|
005438DE E8AD08F5FF call 00494190
005438E3 8D45EC lea eax, [ebp-$14]
005438E6 BA03000000 mov edx, $00000003
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
005438EB E8C408F5FF call 004941B4
005438F0 8D45F8 lea eax, [ebp-$08]
005438F3 BA02000000 mov edx, $00000002
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
005438F8 E8B708F5FF call 004941B4
005438FD C3 ret
/////
0069E094 68AEF06000 push $0060F0AE
|
0069E099 E9F029E6FF jmp 00500A8E
0069E09E 6B68BCF4 imul ebp, [eax-$44], $F4
0069E0A2 60 pusha
0069E0A3 00E9 add cl, ch
0069E0A5 E529 in eax, $29
0069E0A7 E6FF out $FF, al
0069E0A9 4F dec edi
0069E0AA B668 mov dh, $68
0069E0AC 19F9 sbb ecx, edi
0069E0AE 60 pusha
0069E0AF 00E9 add cl, ch
0069E0B1 D929 fldcw word ptr [ecx]
0069E0B3 E6FF out $FF, al
0069E0B5 95 xchg eax, ebp
0069E0B6 48 dec eax
0069E0B7 BE053D68D9 mov esi, $D9683D05
0069E0BC FD std
0069E0BD 60 pusha
0069E0BE 00E9 add cl, ch
0069E0C0 CA ret
/////
00500A8E 50 push eax
00500A8F 52 push edx
00500A90 9C pushf
00500A91 57 push edi
00500A92 51 push ecx
00500A93 55 push ebp
00500A94 56 push esi
00500A95 50 push eax
00500A96 53 push ebx
00500A97 6800000000 push $00000000
00500A9C 8B742428 mov esi, [esp+$28]
00500AA0 FC cld
00500AA1 BA00005500 mov edx, $00550000
00500AA6 FF1594B15400 call dword ptr [$0054B194]
00500AAC 89C3 mov ebx, eax
00500AAE B900010000 mov ecx, $00000100
00500AB3 89D7 mov edi, edx
00500AB5 F2 repne
00500AB6 AF scasd
00500AB7 740D jz 00500AC6
00500AB9 B800010000 mov eax, $00000100
00500ABE 91 xchg eax, ecx
00500ABF 89D7 mov edi, edx
00500AC1 F2 repne
00500AC2 AF scasd
00500AC3 895FFC mov [edi-$04], ebx
00500AC6 89FD mov ebp, edi
00500AC8 29D7 sub edi, edx
00500ACA D1E7 shl edi, 1
00500ACC 8DBCFAC0030000 lea edi, [edx+edi*8+$03C0]
00500AD3 89F3 mov ebx, esi
00500AD5 033424 add esi, [esp]
00500AD8 AC lodsb
00500AD9 00D8 add al, bl
00500ADB D0C0 rol al, 1
00500ADD 3433 xor al, $33
00500ADF FEC8 dec al
00500AE1 F6D0 not al
00500AE3 00C3 add bl, al
00500AE5 0FB6C0 movzx eax, al
00500AE8 8D0C85AE105400 lea ecx, [$5410AE+eax*4]
00500AEF FF21 jmp dword ptr [ecx]
00500AF1 DB3C24 fstp tbyte ptr [esp]
00500AF4 E9DFFFFFFF jmp 00500AD8
00500AF9 58 pop eax
00500AFA 28ED sub ch, ch
00500AFC 658A08 mov cl, byte ptr gs:[eax]
00500AFF 6651 push cx
00500B01 E9D2FFFFFF jmp 00500AD8
00500B06 665A pop dx
00500B08 6658 pop ax
00500B0A 6659 pop cx
00500B0C 66F7F1 div cx
00500B0F 6650 push ax
00500B11 6652 push dx
00500B13 E9C0FFFFFF jmp 00500AD8
00500B18 D9FA fsqrt
00500B1A E9B9FFFFFF jmp 00500AD8
00500B1F 58 pop eax
00500B20 6659 pop cx
00500B22 658808 mov gs:[eax], cl
00500B25 E9AEFFFFFF jmp 00500AD8
00500B2A C9 leave
00500B2B 68F885AED2 push $D2AE85F8
00500B30 E9D3791A00 jmp 006A8508
00500B35 AC lodsb
00500B36 00D8 add al, bl
00500B38 D0C0 rol al, 1
00500B3A 04DC add al, -$24
00500B3C 3428 xor al, $28
00500B3E FEC8 dec al
00500B40 00C3 add bl, al
00500B42 665A pop dx
00500B44 88548701 mov [edi+eax*4+$01], dl
00500B48 E98BFFFFFF jmp 00500AD8
00500B4D 665A pop dx
00500B4F 6659 pop cx
00500B51 D2EA shr dl, cl
00500B53 6652 push dx
00500B55 E97EFFFFFF jmp 00500AD8
00500B5A DF2C24 fild qword ptr [esp]
00500B5D E976FFFFFF jmp 00500AD8
00500B62 59 pop ecx
00500B63 6665FF31 push word ptr gs:[ecx]
00500B67 E96CFFFFFF jmp 00500AD8
00500B6C 58 pop eax
00500B6D 5A pop edx
00500B6E 6659 pop cx
00500B70 0FA5D0 shld eax, edx, cl
00500B73 50 push eax
00500B74 669C pushf
00500B76 E95DFFFFFF jmp 00500AD8
00500B7B D82C24 fsubr dword ptr [esp]
00500B7E E955FFFFFF jmp 00500AD8
00500B83 D93C24 fstcw word ptr [esp]
00500B86 E94DFFFFFF jmp 00500AD8
00500B8B 6659 pop cx
00500B8D E946FFFFFF jmp 00500AD8
00500B92 8A06 mov al, byte ptr [esi]
00500B94 00D8 add al, bl
00500B96 F6D0 not al
00500B98 46 inc esi
00500B99 FEC0 inc al
00500B9B C0C805 ror al, $05
00500B9E 0414 add al, +$14
00500BA0 00C3 add bl, al
00500BA2 FF3487 push dword ptr [edi+eax*4]
00500BA5 E92EFFFFFF jmp 00500AD8
00500BAA 59 pop ecx
00500BAB 0F22C1 mov C0, ecx
00500BAE E925FFFFFF jmp 00500AD8
00500BB3 0FB70E movzx ecx, word ptr [esi]
00500BB6 6601D9 add cx, bx
00500BB9 66F7D9 neg cx
00500BBC 66C1C90D ror cx, $0D
00500BC0 6681F1CEB3 xor cx, $B3CE
00500BC5 6681E93C6B sub cx, $6B3C
00500BCA 6601CB add bx, cx
00500BCD 91 xchg eax, ecx
00500BCE 98 cwde
00500BCF 50 push eax
00500BD0 83C602 add esi, +$02
00500BD3 E900FFFFFF jmp 00500AD8
00500BD8 D90424 fld dword ptr [esp]
00500BDB E9F8FEFFFF jmp 00500AD8
00500BE0 0F20F9 mov ecx, C7
00500BE3 51 push ecx
00500BE4 E9EFFEFFFF jmp 00500AD8
00500BE9 59 pop ecx
00500BEA 648A01 mov al, byte ptr fs:[ecx]
00500BED 6650 push ax
00500BEF E9E4FEFFFF jmp 00500AD8
00500BF4 D9EC fldlg2
00500BF6 E9DDFEFFFF jmp 00500AD8
00500BFB 668CE0 mov ax, fs
00500BFE 6650 push ax
00500C00 E9D3FEFFFF jmp 00500AD8
00500C05 AF scasd
00500C06 A4 movsb
00500C07 51 push ecx
00500C08 33C0 xor eax, eax
00500C0A 8945F8 mov [ebp-$08], eax
00500C0D 6851549C8B push $8B9C5451
00500C12 E96ACD1900 jmp 0069D981
00500C17 58 pop eax
00500C18 2EFF30 push dword ptr cs:[eax]
00500C1B E9B8FEFFFF jmp 00500AD8
00500C20 DA2424 fisub dword ptr [esp]
00500C23 E9B0FEFFFF jmp 00500AD8
00500C28 D9F3 fpatan
00500C2A E9A9FEFFFF jmp 00500AD8
00500C2F 58 pop eax
00500C30 6636FF30 push word ptr ss:[eax]
00500C34 E99FFEFFFF jmp 00500AD8
00500C39 668CC0 mov ax, es
00500C3C 6650 push ax
00500C3E E995FEFFFF jmp 00500AD8
00500C43 661E push ds
00500C45 E98EFEFFFF jmp 00500AD8
00500C4A D9F7 fincstp
00500C4C E987FEFFFF jmp 00500AD8
00500C51 D9F2 fptan
00500C53 E980FEFFFF jmp 00500AD8
00500C58 665A pop dx
00500C5A 6658 pop ax
00500C5C F6EA imul dl, al
00500C5E 6650 push ax
00500C60 669C pushf
00500C62 E971FEFFFF jmp 00500AD8
00500C67 59 pop ecx
00500C68 368A01 mov al, byte ptr ss:[ecx]
00500C6B 6650 push ax
00500C6D E966FEFFFF jmp 00500AD8
00500C72 DFE0 fstsw ax
00500C74 6650 push ax
00500C76 E95DFEFFFF jmp 00500AD8
00500C7B D82424 fsub dword ptr [esp]
00500C7E E955FEFFFF jmp 00500AD8
00500C83 6659 pop cx
00500C85 665A pop dx
00500C87 F6D1 not cl
00500C89 F6D2 not dl
00500C8B 20D1 and cl, dl
00500C8D 6651 push cx
00500C8F 669C pushf
00500C91 E942FEFFFF jmp 00500AD8
00500C96 D9E0 fchs
00500C98 E93BFEFFFF jmp 00500AD8
00500C9D C745FC00000000 mov dword ptr [ebp-$04], $00000000
00500CA4 58 pop eax
00500CA5 5B pop ebx
00500CA6 58 pop eax
00500CA7 5E pop esi
00500CA8 5D pop ebp
00500CA9 59 pop ecx
00500CAA 5F pop edi
00500CAB 9D pop
00500CAC 5A pop edx
00500CAD 58 pop eax
00500CAE CB ret
|
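An added example, not code from the post or from the protector it shows: a Python model of the fetch/decode steps that are visible in the dispatcher listing above (the opcode decode at 00500AD8, the byte operand at 00500B35 and the 16-bit operand at 00500BB3). The bytecode bytes and key seeds used here are constructed, and the handler semantics behind the table at $5410AE are not on the page, so only the decoding and the running key are modelled.

```python
def rol8(v, n):
    """8-bit rotate left, like x86 rol on AL."""
    v &= 0xFF
    return ((v << n) | (v >> (8 - n))) & 0xFF


class VmFetch:
    """ESI (bytecode pointer) and BX (rolling key) of the dispatcher at 00500A8E.
    `code` is constructed bytecode, not the protected binary's; `seed` stands in
    for what `mov ebx, esi` at 00500AD3 loads (low bits of the bytecode address).
    Every decoded value is added back into the key, so one input byte decodes
    differently at each position, which is why the raw bytecode reads as junk."""

    def __init__(self, code, seed):
        self.code = bytes(code)
        self.esi = 0
        self.bx = seed & 0xFFFF

    def _lodsb(self):
        b = self.code[self.esi]
        self.esi += 1
        return b

    def _add_bl(self, al):
        # add bl, al : only the low byte of the key changes in the byte handlers
        self.bx = (self.bx & 0xFF00) | ((self.bx + al) & 0xFF)

    def opcode(self):
        """00500AD8..00500AEF: one bytecode byte -> handler-table index."""
        al = (self._lodsb() + self.bx) & 0xFF   # add al, bl
        al = rol8(al, 1)                         # rol al, 1
        al ^= 0x33                               # xor al, $33
        al = (al - 1) & 0xFF                     # dec al
        al ^= 0xFF                               # not al
        self._add_bl(al)                         # add bl, al
        return al                                # jmp [$5410AE + al*4]

    def slot_b35(self):
        """00500B35..00500B40: byte operand (VM register slot) for the store handler."""
        al = (self._lodsb() + self.bx) & 0xFF   # add al, bl
        al = rol8(al, 1)                         # rol al, 1
        al = (al - 0x24) & 0xFF                  # add al, -$24
        al ^= 0x28                               # xor al, $28
        al = (al - 1) & 0xFF                     # dec al
        self._add_bl(al)                         # add bl, al
        return al                                # used as [edi+eax*4+1]

    def imm16_bb3(self):
        """00500BB3..00500BD0: 16-bit immediate; here the whole BX is the key."""
        cx = int.from_bytes(self.code[self.esi:self.esi + 2], "little")
        self.esi += 2                            # add esi, +$02
        cx = (cx + self.bx) & 0xFFFF             # add cx, bx
        cx = (-cx) & 0xFFFF                      # neg cx
        cx = ((cx >> 13) | (cx << 3)) & 0xFFFF   # ror cx, $0D
        cx ^= 0xB3CE                             # xor cx, $B3CE
        cx = (cx - 0x6B3C) & 0xFFFF              # sub cx, $6B3C
        self.bx = (self.bx + cx) & 0xFFFF        # add bx, cx
        return cx - 0x10000 if cx & 0x8000 else cx   # cwde sign-extends
```

Which fetch follows which opcode depends on the handler that the table entry selects, so a full static decoder also needs the handler bodies, which this listing only partly shows.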