Cracking the pet-count limit in Insaniquarium Deluxe (怪怪水族馆)

Breaking the limit on how many pets you can bring into a level in Insaniquarium Deluxe (怪怪水族馆), a mini-game inside 幻想游戏.
Self-rated difficulty: easy


[color=#008000]  I'm new to cracking: I've read plenty of books but never really done any hands-on work. Over the Spring Festival break I was enjoying myself at home and found a little game, Insaniquarium Deluxe (怪怪水族馆, a mini-game inside 幻想游戏), that turned out to be good fun. The later levels get hectic, though: you own all these pets and can only bring 3 per level. Annoying, so I decided to take it apart and have a go at it.[/color]
[color=#008000]  The goal is clear: I want every pet in play. With the target set, time to get to work.[/color]
[color=#008000]  Open the game's exe in OllyDbg. No packer, so after a quick look around I started hunting for an entry point. Watching the "choose your pets" step: clicking a 4th pet when 3 are already selected gives no message at all, it simply doesn't select. But if you have fewer than 3 selected and try to continue, the game asks whether you really want to go on without selecting more pets. That prompt is the entry point: search OllyDbg for the text of that dialog and you land here:[/color]
00553DF8  41 72 65 20 79 6F 75 20  Are you
00553E00  73 75 72 65 20 79 6F 75  sure you
00553E08  20 77 61 6E 74 20 74 6F   want to
00553E10  20 63 6F 6E 74 69 6E 75   continu
00553E18  65 20 74 6F 20 74 68 65  e to the
00553E20  20 6E 65 78 74 20 6C 65   next le
00553E28  76 65 6C 20 77 69 74 68  vel with
00553E30  6F 75 74 20 73 65 6C 65  [color=#0000D0]out[/color] sele
00553E38  63 74 69 6E 67 20 61 74  cting at
00553E40  20 6C 65 61 73 74 20 33   least 3
00553E48  20 70 65 74 73 3F 00 00   pets?..
[color=#008000]Then Find References on 00553DF8: two hits, both in the same stretch of code:[/color]
0044E6C7  |. 2BC2           [color=#0000D0]SUB[/color] [color=#FF0000]EAX[/color],[color=#FF0000]EDX[/color]
0044E6C9  |. 50             [color=#0000D0]PUSH[/color] [color=#FF0000]EAX[/color]                                 [color=#008000]; /Arg2[/color]
0044E6CA  |. 68 09835400    [color=#0000D0]PUSH[/color] Insaniqu.00548309                   [color=#008000]; |Arg1 = 00548309[/color]
0044E6CF  |. 8D8D 64FFFFFF  [color=#0000D0]LEA[/color] [color=#FF0000]ECX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]SS[/color]:[[color=#FF0000]EBP[/color]-9C]            [color=#008000]; |[/color]
0044E6D5  |. E8 86C8FCFF    [color=#0000D0]CALL[/color] Insaniqu.0041AF60                   [color=#008000]; \Insaniqu.0041AF60[/color]
0044E6DA  |. B8 F83D5500    [color=#0000D0]MOV[/color] [color=#FF0000]EAX[/color],Insaniqu.00553DF8                [color=#008000]; ASCII “Are you sure you want to continue to the next level without selecting at least 3 pets?”[/color]
0044E6DF  |. 897D B4        [color=#0000D0]MOV[/color] [color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]SS[/color]:[[color=#FF0000]EBP[/color]-4C],[color=#FF0000]EDI[/color]
0044E6E2  |. 895D FC        [color=#0000D0]MOV[/color] [color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]SS[/color]:[[color=#FF0000]EBP[/color]-4],[color=#FF0000]EBX[/color]
0044E6E5  |. 895D B0        [color=#0000D0]MOV[/color] [color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]SS[/color]:[[color=#FF0000]EBP[/color]-50],[color=#FF0000]EBX[/color]
0044E6E8  |. 885D A0        [color=#0000D0]MOV[/color] [color=#b000b0]BYTE[/color] [color=#b000b0]PTR[/color] [color=#FF0000]SS[/color]:[[color=#FF0000]EBP[/color]-60],[color=#FF0000]BL[/color]
0044E6EB  |. 8D78 01        [color=#0000D0]LEA[/color] [color=#FF0000]EDI[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]EAX[/color]+1]
0044E6EE  |. 8BFF           [color=#0000D0]MOV[/color] [color=#FF0000]EDI[/color],[color=#FF0000]EDI[/color]
0044E6F0  |> 8A08           /[color=#0000D0]MOV[/color] [color=#FF0000]CL[/color],[color=#b000b0]BYTE[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]EAX[/color]]
0044E6F2  |. 40             |[color=#0000D0]INC[/color] [color=#FF0000]EAX[/color]
0044E6F3  |. 3ACB           |[color=#0000D0]CMP[/color] [color=#FF0000]CL[/color],[color=#FF0000]BL[/color]
0044E6F5  |.^75 F9          \JNZ SHORT Insaniqu.0044E6F0
0044E6F7  |. 2BC7           [color=#0000D0]SUB[/color] [color=#FF0000]EAX[/color],[color=#FF0000]EDI[/color]
0044E6F9  |. 50             [color=#0000D0]PUSH[/color] [color=#FF0000]EAX[/color]                                 [color=#008000]; /Arg2[/color]
0044E6FA  |. 68 F83D5500    [color=#0000D0]PUSH[/color] Insaniqu.00553DF8                   [color=#008000]; |Arg1 = 00553DF8 ASCII “Are you sure you want to continue to the next level without selecting at least 3 pets?”[/color]
0044E6FF  |. 8D4D 9C        [color=#0000D0]LEA[/color] [color=#FF0000]ECX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]SS[/color]:[[color=#FF0000]EBP[/color]-64]            [color=#008000]; |[/color]
0044E702  |. E8 59C8FCFF    [color=#0000D0]CALL[/color] Insaniqu.0041AF60                   [color=#008000]; \Insaniqu.0041AF60[/color]
[color=#008000]A breakpoint confirmed that this is the code that pops up the dialog. From here I walked back to the start of the function and set a breakpoint on its entry: clicking any pet on the selection screen lands here, so I figured what I was looking for couldn't be far away. Single-stepping through this stretch turned up some clues.[/color]
0044E530  /. 55             [color=#0000D0]PUSH[/color] [color=#FF0000]EBP[/color]
0044E531  |. 8BEC           [color=#0000D0]MOV[/color] [color=#FF0000]EBP[/color],[color=#FF0000]ESP[/color]
0044E533  |. 6A FF          [color=#0000D0]PUSH[/color] -1
0044E535  |. 68 36DA5300    [color=#0000D0]PUSH[/color] Insaniqu.0053DA36                   [color=#008000]; SE handler installation[/color]
0044E53A  |. 64:A1 00000000 [color=#0000D0]MOV[/color] [color=#FF0000]EAX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]FS[/color]:[0]
0044E540  |. 50             [color=#0000D0]PUSH[/color] [color=#FF0000]EAX[/color]
0044E541  |. 64:8925 000000>[color=#0000D0]MOV[/color] [color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]FS[/color]:[0],[color=#FF0000]ESP[/color]
0044E548  |. 81EC AC000000  [color=#0000D0]SUB[/color] [color=#FF0000]ESP[/color],0AC
0044E54E  |. 8B45 08        [color=#0000D0]MOV[/color] [color=#FF0000]EAX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]SS[/color]:[[color=#FF0000]EBP[/color]+8]
0044E551  |. 53             [color=#0000D0]PUSH[/color] [color=#FF0000]EBX[/color]
0044E552  |. 56             [color=#0000D0]PUSH[/color] [color=#FF0000]ESI[/color]
0044E553  |. 33DB           [color=#0000D0]XOR[/color] [color=#FF0000]EBX[/color],[color=#FF0000]EBX[/color]
0044E555  |. 3BC3           [color=#0000D0]CMP[/color] [color=#FF0000]EAX[/color],[color=#FF0000]EBX[/color]
0044E557  |. 57             [color=#0000D0]PUSH[/color] [color=#FF0000]EDI[/color]
0044E558  |. 8BF1           [color=#0000D0]MOV[/color] [color=#FF0000]ESI[/color],[color=#FF0000]ECX[/color]
0044E55A  |. 7C 79          [color=#0000D0]JL[/color] SHORT Insaniqu.0044E5D5
0044E55C  |. 83F8 18        [color=#0000D0]CMP[/color] [color=#FF0000]EAX[/color],18                               [color=#008000]; 24 pets in total (0x18); EAX holds the index of the pet just clicked[/color]
0044E55F  |. 7D 74          [color=#0000D0]JGE[/color] SHORT Insaniqu.0044E5D5
0044E561  |. 8B4C86 14      [color=#0000D0]MOV[/color] [color=#FF0000]ECX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]ESI[/color]+[color=#FF0000]EAX[/color]*4+14]
0044E565  |. 3899 00010000  [color=#0000D0]CMP[/color] [color=#b000b0]BYTE[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]ECX[/color]+100],[color=#FF0000]BL[/color]             [color=#008000]; the byte at DS:[ECX+100] is the clicked pet's selected flag (BL is 0 here, from the XOR EBX,EBX above)[/color]
0044E56B  |. 75 4F          [color=#0000D0]JNZ[/color] SHORT Insaniqu.0044E5BC
[color=#008000]I clicked pet 1 and looked at DS:[ECX+100]; it pointed to 04E86FA8 (the selected flag of the clicked pet):[/color]
04E86FA8  00 F0 AD BA 10 42 3F 00
[color=#008000]Pet 1's selected flag was 00, because I already had 3 pets selected, so this 4th one couldn't be selected.[/color]
[color=#008000]So I went back into the game, changed my selection so that pet 1 could be selected, and clicked pet 1 again. This time the byte at 04E86FA8 had already been set to 01 (selected) before execution reached 0044E530, so this function is not the key; some earlier code must decide whether a pet may be selected. I set a Memory, on access breakpoint on 04E86FA8 to see what modifies the flag, clicked pets on and off in the game a few times, and finally found the key code:[/color]
00458350  /$ 55             [color=#0000D0]PUSH[/color] [color=#FF0000]EBP[/color]
00458351  |. 8BEC           [color=#0000D0]MOV[/color] [color=#FF0000]EBP[/color],[color=#FF0000]ESP[/color]
00458353  |. 8A45 08        [color=#0000D0]MOV[/color] [color=#FF0000]AL[/color],[color=#b000b0]BYTE[/color] [color=#b000b0]PTR[/color] [color=#FF0000]SS[/color]:[[color=#FF0000]EBP[/color]+8]
00458356  |. 56             [color=#0000D0]PUSH[/color] [color=#FF0000]ESI[/color]
00458357  |. 8BF1           [color=#0000D0]MOV[/color] [color=#FF0000]ESI[/color],[color=#FF0000]ECX[/color]
00458359  |. 3A86 00010000  [color=#0000D0]CMP[/color] [color=#FF0000]AL[/color],[color=#b000b0]BYTE[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]ESI[/color]+100]
0045835F  |. 74 39          [color=#0000D0]JE[/color] SHORT Insaniqu.0045839A
00458361  |. 8886 00010000  [color=#0000D0]MOV[/color] [color=#b000b0]BYTE[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]ESI[/color]+100],[color=#FF0000]AL[/color]             [color=#008000]; this is the write that changes the pet's selected flag[/color]
00458367  |. 8D86 90000000  [color=#0000D0]LEA[/color] [color=#FF0000]EAX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]ESI[/color]+90]
0045836D  |. 50             [color=#0000D0]PUSH[/color] [color=#FF0000]EAX[/color]
0045836E  |. 8D8E B0000000  [color=#0000D0]LEA[/color] [color=#FF0000]ECX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]ESI[/color]+B0]
00458374  |. 51             [color=#0000D0]PUSH[/color] [color=#FF0000]ECX[/color]
00458375  |. E8 86FEFFFF    [color=#0000D0]CALL[/color] Insaniqu.00458200
0045837A  |. 8D96 F0000000  [color=#0000D0]LEA[/color] [color=#FF0000]EDX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]ESI[/color]+F0]            [color=#008000]; |[/color]
00458380  |. 52             [color=#0000D0]PUSH[/color] [color=#FF0000]EDX[/color]                                 [color=#008000]; |Arg2[/color]
00458381  |. 8D86 A0000000  [color=#0000D0]LEA[/color] [color=#FF0000]EAX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]ESI[/color]+A0]            [color=#008000]; |[/color]
00458387  |. 50             [color=#0000D0]PUSH[/color] [color=#FF0000]EAX[/color]                                 [color=#008000]; |Arg1[/color]
00458388  |. E8 73FEFFFF    [color=#0000D0]CALL[/color] Insaniqu.00458200                   [color=#008000]; \Insaniqu.00458200[/color]
0045838D  |. 8B16           [color=#0000D0]MOV[/color] [color=#FF0000]EDX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]ESI[/color]]
0045838F  |. 83C4 10        [color=#0000D0]ADD[/color] [color=#FF0000]ESP[/color],10
00458392  |. 8BCE           [color=#0000D0]MOV[/color] [color=#FF0000]ECX[/color],[color=#FF0000]ESI[/color]
00458394  |. FF92 B8000000  [color=#0000D0]CALL[/color] [color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]EDX[/color]+B8]
0045839A  |> 5E             [color=#0000D0]POP[/color] [color=#FF0000]ESI[/color]
0045839B  |. 5D             [color=#0000D0]POP[/color] [color=#FF0000]EBP[/color]
0045839C  \. C2 0400        [color=#0000D0]RETN[/color] 4
[color=#008000]This is the routine that updates a pet's selected flag. A few more tries confirmed that selecting or deselecting any pet always comes through here to update the flag. So the check that decides whether a pet can be selected should be close to whatever calls this routine; look at its callers:[/color]
[color=#b000b0]Local[/color] calls from 0044D8BD, 00458572, 004585AE
[color=#008000]Three of them. Tracing each in turn, the third is the one I was after:[/color]
0045859C  |. 8B88 F4000000  [color=#0000D0]MOV[/color] [color=#FF0000]ECX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]EAX[/color]+F4]
004585A2  |. 3B88 00010000  [color=#0000D0]CMP[/color] [color=#FF0000]ECX[/color],[color=#b000b0]DWORD[/color] [color=#b000b0]PTR[/color] [color=#FF0000]DS[/color]:[[color=#FF0000]EAX[/color]+100]           [color=#008000]; the key CMP: DWORD PTR DS:[EAX+100] holds the number of pets allowed (3), ECX the number currently selected[/color]
004585A8  |. 7D 22          [color=#0000D0]JGE[/color] SHORT Insaniqu.004585CC              [color=#008000]; selected count already at the limit: jump away and the click does nothing; otherwise fall through and call the routine above to set the clicked pet's flag (1 = selected; the deselect path passes 0)[/color]
004585AA  |. 6A 01          [color=#0000D0]PUSH[/color] 1                                   [color=#008000]; /Arg1 = 00000001[/color]
004585AC  |. 8BCE           [color=#0000D0]MOV[/color] [color=#FF0000]ECX[/color],[color=#FF0000]ESI[/color]                              [color=#008000]; |[/color]
004585AE  |. E8 9DFDFFFF    [color=#0000D0]CALL[/color] Insaniqu.00458350                   [color=#008000]; \Insaniqu.00458350, the routine above that updates the selected flag of the clicked pet[/color]
[color=#008000]With the key point found, I made the change: raise DWORD PTR DS:[EAX+100] to 18 (hex), so the number of selectable pets becomes 24. Back in the game, every pet could be selected. Goal achieved, mission complete.[/color]
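An added example (editor's code, not part of the original post and not the game's own code) that reproduces three of the steps above on bytes copied from the listings. First, the "Find References" step: OllyDbg finds users of 00553DF8 by looking for its little-endian encoding (F8 3D 55 00) as the operand of a PUSH imm32 (68) or MOV r32,imm32 (B8..BF); the byte scan here does the same and is only a heuristic, since a 4-byte match can also sit inside some other instruction's operand. Second, decoding the rel8 and rel32 displacements at 004585A8 and 004585AE to confirm that the JGE really lands on 004585CC and the CALL on 00458350. Third, a persistent alternative to the fix in the post: raising [EAX+100] in the debugger only lasts for that session, whereas replacing the `7D 22` JGE with two NOPs in the exe makes the "already at the limit" branch never fire. That byte patch is an editor's suggestion derived from the listing bytes, not something the post tested; the assumed layout around it (pattern search over the whole file with a uniqueness check, instead of converting the VA to a file offset) is a design choice, not taken from the page.

```python
import struct

# Values copied from the OllyDbg listings on the page.
STRING_VA = 0x00553DF8   # "Are you sure you want to continue ... at least 3 pets?"

# 0044E6DA..0044E706: the stretch that references the dialog string twice.
PROMPT_CODE_VA = 0x0044E6DA
PROMPT_CODE = bytes.fromhex(
    "B8F83D5500" "897DB4" "895DFC" "895DB0" "885DA0" "8D7801" "8BFF"
    "8A08" "40" "3ACB" "75F9" "2BC7" "50" "68F83D5500" "8D4D9C" "E859C8FCFF"
)

# 0045859C..004585B2: the limit check and the call that sets the selected flag.
LIMIT_CHECK_VA = 0x0045859C
LIMIT_CHECK = bytes.fromhex(
    "8B88F4000000"   # MOV ECX,DWORD PTR [EAX+F4]   ; pets currently selected
    "3B8800010000"   # CMP ECX,DWORD PTR [EAX+100]  ; pets allowed (3)
    "7D22"           # JGE SHORT +22                ; at the limit: do nothing
    "6A01"           # PUSH 1
    "8BCE"           # MOV ECX,ESI
    "E89DFDFFFF"     # CALL 00458350                ; set the pet's flag to 1
)

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def find_imm32_refs(code, code_va, target_va):
    """Rough equivalent of OllyDbg's 'Find References' for a constant.

    Scans for the little-endian encoding of target_va and reports a hit when the
    byte before it is PUSH imm32 (68) or MOV r32,imm32 (B8+reg). This is a byte
    scan, not a disassembler, so confirm each hit in the debugger.
    Returns a list of (instruction VA, mnemonic)."""
    needle = struct.pack("<I", target_va)
    hits = []
    i = code.find(needle, 1)          # start at 1 so code[i - 1] always exists
    while i != -1:
        op = code[i - 1]
        if op == 0x68:
            hits.append((code_va + i - 1, "PUSH imm32"))
        elif 0xB8 <= op <= 0xBF:
            hits.append((code_va + i - 1, "MOV %s,imm32" % REG32[op - 0xB8]))
        i = code.find(needle, i + 1)
    return hits


def short_jcc_target(insn_va, rel8):
    """Target of a 2-byte Jcc rel8: next instruction plus sign-extended rel8."""
    disp = rel8 - 0x100 if rel8 & 0x80 else rel8
    return insn_va + 2 + disp


def call_rel32_target(insn_va, rel32):
    """Target of a 5-byte CALL rel32: next instruction plus sign-extended rel32."""
    disp = rel32 - 0x100000000 if rel32 & 0x80000000 else rel32
    return (insn_va + 5 + disp) & 0xFFFFFFFF


def decode_limit_check(code, code_va):
    """Return (JGE target, CALL target) for the limit-check bytes so the
    listing's annotations (004585CC and 00458350) can be verified."""
    jge_off, call_off = 12, 18        # 6 (MOV) + 6 (CMP) ; + 2 (JGE) + 2 + 2
    if code[jge_off] != 0x7D or code[call_off] != 0xE8:
        raise ValueError("unexpected opcodes; not the bytes from the listing")
    jge_target = short_jcc_target(code_va + jge_off, code[jge_off + 1])
    rel32 = struct.unpack_from("<I", code, call_off + 1)[0]
    return jge_target, call_rel32_target(code_va + call_off, rel32)


# CMP ECX,DWORD PTR [EAX+100] ; JGE SHORT +22  -- searched as one pattern so the
# patch cannot land on some other JGE.
JGE_PATTERN = bytes.fromhex("3B8800010000" "7D22")


def patch_limit_check(image):
    """Persistent alternative to editing [EAX+100] in the debugger: turn the JGE
    into two NOPs so the 'at the limit' branch is never taken. Refuses to touch
    the image unless the pattern occurs exactly once; returns the patched offset."""
    n = image.count(JGE_PATTERN)
    if n != 1:
        raise ValueError("pattern found %d times, refusing to patch" % n)
    off = image.index(JGE_PATTERN) + 6
    image[off:off + 2] = b"\x90\x90"
    return off


if __name__ == "__main__":
    for va, kind in find_imm32_refs(PROMPT_CODE, PROMPT_CODE_VA, STRING_VA):
        print("%08X  %s  -> 00553DF8" % (va, kind))
    print("JGE -> %08X, CALL -> %08X" % decode_limit_check(LIMIT_CHECK, LIMIT_CHECK_VA))
    img = bytearray(LIMIT_CHECK)                 # stand-in for the exe bytes
    print("NOPed JGE at offset %d" % patch_limit_check(img))
```

To patch the real file, read the exe into a `bytearray`, call `patch_limit_check` on it and write it back to a copy; the uniqueness check is what protects against the 8-byte pattern appearing somewhere else in the binary. Note that NOPing the JGE does not change the 0..23 range check at 0044E55C, so the 24-pet ceiling from the post still applies.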
