The program analyzed in this article, together with the cheat tool, can be downloaded from this site's download section.
Program description:
This game is analyzed by following its Windows message loop. Checking it with PEiD first turned up nothing, and loading it in OllyDbg (OD) shows it is not packed. Judging from the code style it was not written in VC, BC, or assembly; it was probably built with some other compiler.
Flow overview:
1. Decrypt data and register the window class
2. Create the window
3. Run the message loop and wait
4. When no messages are pending, run the game's data and control processing
5. On receiving the quit message, exit the process
Program analysis:
00402020 > $ 53 push ebx
00402021 . 83C4 E4 add esp, -1C
00402024 . 6A 00 push 0 /pModule = NULL
00402026 . E8 C7270000 call <jmp.&KERNEL32.GetModuleHandleA> \GetModuleHandleA
0040202B . A3 D8694000 mov dword ptr [4069D8], eax
Obtains the program's instance handle.
00402030 . E8 D3010000 call 00402208
Following into this call:
0040220E |. E8 6F260000 call <jmp.&WINMM.timeGetTime>
00402213 |. A3 005C4000 mov dword ptr [405C00], eax
Gets the system time and stores it in a global variable.
0040221A |. BE B0634000 mov esi, 004063B0
0040221F |> 8B06 /mov eax, dword ptr [esi]
00402221 |. E8 CEFFFFFF |call 004021F4
00402226 |. 43 |inc ebx
00402227 |. 83C6 04 |add esi, 4
0040222A |. 83FB 0D |cmp ebx, 0D
0040222D |.^ 7C F0 \jl short 0040221F
Decrypts some text string data: the loop runs 004021F4 over each of the 0D (13) entries in the table at 004063B0.
004022B8 |. C74424 04 182>mov dword ptr [esp+4], 00402318
004022C0 |. 33D2 xor edx, edx
004022C2 |. 895424 08 mov dword ptr [esp+8], edx
004022C6 |. 33C9 xor ecx, ecx
004022C8 |. 894C24 0C mov dword ptr [esp+C], ecx
004022CC |. 8B1D D8694000 mov ebx, dword ptr [4069D8]
004022D2 |. 895C24 10 mov dword ptr [esp+10], ebx
004022D6 |. 6A 65 push 65 /RsrcName = 101.
004022D8 |. 53 push ebx |hInst => NULL
004022D9 |. E8 68250000 call <jmp.&USER32.LoadIconA> \LoadIconA
004022DE |. 894424 14 mov dword ptr [esp+14], eax
004022E2 |. 68 007F0000 push 7F00 /RsrcName = IDC_ARROW
004022E7 |. 6A 00 push 0 |hInst = NULL
004022E9 |. E8 5E250000 call <jmp.&USER32.LoadCursorA> \LoadCursorA
004022EE |. 894424 18 mov dword ptr [esp+18], eax
004022F2 |. 33C0 xor eax, eax
004022F4 |. 894424 1C mov dword ptr [esp+1C], eax
004022F8 |. 33D2 xor edx, edx
004022FA |. 895424 20 mov dword ptr [esp+20], edx
004022FE |. C74424 24 565>mov dword ptr [esp+24], 00405C56 ASCII "wcTKKN"
00402306 |. 54 push esp /pWndClass
00402307 |. E8 22250000 call <jmp.&USER32.RegisterClassA> \RegisterClassA
This registers the window class; 00402318 is the window procedure (the message handler).
Immediately afterwards it calls:
00402059 > \E8 12010000 call 00402170
Stepping into it:
00402170 /$ 53 push ebx
00402171 |. 83C4 F0 add esp, -10
00402174 |. 33C0 xor eax, eax
00402176 |. 894424 04 mov dword ptr [esp+4], eax
0040217A |. 890424 mov dword ptr [esp], eax
0040217D |. C74424 08 400>mov dword ptr [esp+8], 140
00402185 |. C74424 0C F00>mov dword ptr [esp+C], 0F0
0040218D |. 6A 00 push 0 /ExtStyle = 0
0040218F |. 6A 00 push 0 |HasMenu = FALSE
00402191 |. 68 0000CA00 push 0CA0000 |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_CAPTION
00402196 |. 8D5424 0C lea edx, dword ptr [esp+C] |
0040219A |. 52 push edx |pRect
0040219B |. E8 DC260000 call <jmp.&USER32.AdjustWindowRectEx> \AdjustWindowRectEx
004021A0 |. 6A 00 push 0 /lParam = NULL
004021A2 |. 8B0D D8694000 mov ecx, dword ptr [4069D8] |
004021A8 |. 51 push ecx |hInst => NULL
004021A9 |. 6A 00 push 0 |hMenu = NULL
004021AB |. 6A 00 push 0 |hParent = NULL
004021AD |. 8B4424 1C mov eax, dword ptr [esp+1C] |
004021B1 |. 8B5424 14 mov edx, dword ptr [esp+14] |
004021B5 |. 2BC2 sub eax, edx |
004021B7 |. 50 push eax |Height
004021B8 |. 8B4C24 1C mov ecx, dword ptr [esp+1C] |
004021BC |. 8B4424 14 mov eax, dword ptr [esp+14] |
004021C0 |. 2BC8 sub ecx, eax |
004021C2 |. 51 push ecx |Width
004021C3 |. 68 00000080 push 80000000 |Y = 80000000 (-2147483648.)
004021C8 |. 68 00000080 push 80000000 |X = 80000000 (-2147483648.)
004021CD |. 68 0000CA00 push 0CA0000 |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_CAPTION
004021D2 |. 68 515C4000 push 00405C51 |WindowName = ""93,"翆P"
004021D7 |. 68 565C4000 push 00405C56 |Class = "wcTKKN"
004021DC |. 6A 00 push 0 |ExtStyle = 0
004021DE |. E8 8D260000 call <jmp.&USER32.CreateWindowExA> \CreateWindowExA
004021E3 |. 8BD8 mov ebx, eax
004021E5 |. 6A 0A push 0A /ShowState = SW_SHOWDEFAULT
004021E7 |. 53 push ebx |hWnd
004021E8 |. E8 2F260000 call <jmp.&USER32.ShowWindow> \ShowWindow
004021ED |. 8BC3 mov eax, ebx
004021EF |. 83C4 10 add esp, 10
004021F2 |. 5B pop ebx
004021F3 \. C3 retn
The window is created and shown; the parameters reveal the game window's properties (class "wcTKKN", a 140h x 0F0h client area, style WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_CAPTION).
Returning:
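As an added example (not part of the original analysis), here is a small Python script that does mechanically what the walkthrough does by hand: it reads OllyDbg's argument annotations on the pushes preceding each call and reassembles them into the API call with its parameters in declaration order. The listing lines are copied from the CreateWindowExA/ShowWindow sequence above; the parser itself and its regexes are my own construction.

```python
import re
from typing import NamedTuple

# Constructed sample: OllyDbg listing lines from the CreateWindowExA/ShowWindow
# sequence analysed above. Argument comments follow '/' or '|'.
LISTING = r"""
004021A0 |. 6A 00 push 0 /lParam = NULL
004021A8 |. 51 push ecx |hInst => NULL
004021A9 |. 6A 00 push 0 |hMenu = NULL
004021AB |. 6A 00 push 0 |hParent = NULL
004021B7 |. 50 push eax |Height
004021C2 |. 51 push ecx |Width
004021C3 |. 68 00000080 push 80000000 |Y = 80000000 (-2147483648.)
004021C8 |. 68 00000080 push 80000000 |X = 80000000 (-2147483648.)
004021CD |. 68 0000CA00 push 0CA0000 |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_CAPTION
004021D2 |. 68 515C4000 push 00405C51 |WindowName = ""93,"翆P"
004021D7 |. 68 565C4000 push 00405C56 |Class = "wcTKKN"
004021DC |. 6A 00 push 0 |ExtStyle = 0
004021DE |. E8 8D260000 call <jmp.&USER32.CreateWindowExA> \CreateWindowExA
004021E5 |. 6A 0A push 0A /ShowState = SW_SHOWDEFAULT
004021E7 |. 53 push ebx |hWnd
004021E8 |. E8 2F260000 call <jmp.&USER32.ShowWindow> \ShowWindow
"""

PUSH_RE = re.compile(r"\bpush\s+(\S+)\s+[/|](.+)$")            # operand, comment
CALL_RE = re.compile(r"\bcall\s+(?:<jmp\.&\w+\.(\w+)>|(\S+))")  # import thunk or local target
LABEL_RE = re.compile(r"\s*(\w+)\s*(?:=>?\s*(.*))?$")          # "Name = v", "Name => v", "Name"

class Call(NamedTuple):
    address: str
    api: str
    args: list  # (label, value) pairs in C declaration order

def parse_calls(listing: str) -> list:
    # Collect labelled pushes until a call consumes them as its arguments.
    calls, pending = [], []
    for line in listing.splitlines():
        m = PUSH_RE.search(line)
        if m:
            label, value = LABEL_RE.match(m.group(2)).groups()
            # A bare label such as "|Height" has no value: keep the pushed operand.
            pending.append((label, (value or "").strip() or m.group(1)))
            continue
        m = CALL_RE.search(line)
        if m:
            # stdcall pushes right-to-left, so reverse to recover declaration order.
            api = m.group(1) or m.group(2)
            calls.append(Call(line.split()[0], api, list(reversed(pending))))
            pending = []
    return calls
```

Feeding it the other annotated blocks on this page (LoadIconA, LoadCursorA, RegisterClassA, PeekMessageA) yields the same prototype-style summary for each call.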
00402095 . 54 push esp /pMsg
00402096 . E8 7B270000 call <jmp.&USER32.TranslateMessage> \TranslateMessage
0040209B . 54 push esp /pMsg
0040209C . E8 C3270000 call <jmp.&USER32.DispatchMessageA> \DispatchMessageA
004020A1 > 6A 01 push 1 /RemoveMsg = PM_REMOVE
004020A3 . 6A 00 push 0 |MsgFilterMax = WM_NULL
004020A5 . 6A 00 push 0 |MsgFilterMin = WM_NULL
004020A7 . 6A 00 push 0 |hWnd = NULL
004020A9 . 8D5424 10 lea edx, dword ptr [esp+10] |
004020AD . 52 push edx |pMsg
004020AE . E8 87270000 call <jmp.&USER32.PeekMessageA> \PeekMessageA
The message loop.
Near the later call to WaitMessage is some of the game's logic.
Further down is one of the most important spots:
004020FB . E8 00130000 call 00403400
The function at 00403400 is the game's core control routine; it is analyzed in detail in the next few articles.
00402112 . 51 push ecx /ExitCode
00402113 . E8 EC260000 call <jmp.&KERNEL32.ExitProcess> \ExitProcess
Exits the process.
(Editor in charge: 科锐软件教育机构)