Skip to main content

东方妖妖梦破解手记

最近无聊, 又开始玩东方系列了, 其实我一直挺喜欢的, 但是水平太差.

不过这次我发现我可以7人通妖妖梦easy了, 挺高兴. 但是lunatic...哦...难以想像.

我的原则是"玩游戏, 而不被游戏玩", 于是只好...虽说网上有一堆现成的修改器, 但是那样就没有乐趣了.

首先是考虑简单的方法---金山游侠, 失败.

然后就只能去分析程序了. 首先看了眼, 没有壳. 再看导入表, 异常地干净, 只有windows库和一些direct3d的库.

让我觉得它好像是直接用汇编写的.

之后就要找切入点了. 我第一反应就是配置文件, th07.cfg, 因为选项里能调整默认人数, 那必定存在这里

经过简单地研究, 发现它存在1c出, 单字节, 为实际人数-1

初次尝试是直接修改配置文件, 比如改成7f, 然后启动游戏, 但是发现人数回到默认值了, 且退出游戏后发现配置文件也改回来了. 嗯. 有防备啊...

那只好再看代码了, 给所有CreateFileA设断, 运行时只看那些打开th07.cfg的, 一共两个, 且一个是打开后写些数据就CloseHandle了, 重点再另一个. 再找有关的ReadFile, 只有一个, 且在那之前有个GetFileSize, 看来是一次读入的, 呵呵, 给ReadFile的buffer下内存断, 不一会儿断在了00436f3d, 是个串移动指令rep movs...此时注意目标地址, 56ba64, 这可是重要情报!

然后该上静态分析了, 搜这个地址(一看就是全局变量), 没有多少, 其中看到了读完文件后进行校验的, 比如00436fbd处, 判断它是否比5大, 若是就回到默认值, 真是一清二楚. 那没什么说的了, 给exe做个备份, 然后ultraedit之...

但是事情没有想的那么顺利, 程序自动退出了, 看来这里也有防备.

不过既然网上有内存修改器, 那说明它肯定内存方面没有设防, 于是用olly载入, 修改后再运行, 就成功了!

后来想再整理一下, 找到最关键的修改位置, 找到了0044ff3f处, 简单地说如果当前人数小于4就加1, 否则不变, 我挺奇怪这里是干什么的, 下了断运行了半天, 发现原来是设置人数是, 按下右方向键, 则人数加1, 但是如果已经加到5个人就不能再加了. 啊哈哈, 被我抓住尾巴了, 从这里返回的数据似乎没有再做什么校验, 把小于4的限制去了, 再看看配置, 哈, 想加多少就加多少.其实也可以把代码直接改成mov byte ptr [56ba64], ff

现在再去玩Lunatic, 啊哈哈, 这才叫玩游戏. "轻松"通关. (你要是这样都过不去, 神也救不了你了)

最后是想玩Extra, 但是数据是内置的, 比较麻烦, 一开始一筹莫展, 不知从何下手.

一番苦战后, 想到看看字符串资源, 发现了Extra Rank字样, 于004269bd, 向上看发现了各个级别的名称, 再看一下, 原来是switch的[61c260], 那这个就是级别没错了.

据此下断, 找所有对级别==4(即extra)的特殊判断, 运行游戏, 选extra, 断在了00451803, 这里特殊的地方只是改了个全局变量[62583c], 第二次断在了0042d09e, 运行至0042d0a4时发现原来eax此时指的就是配置文件区,这里它把一个变量设为2, 然后判断一个全局变量[625628]的最低位, 若为1则又把此变量改为8, 这里很可疑, 我断在此处, 清了zf, 让它改成8, 然后运行, 啊, 果然它就是人数, 于是恍然大悟, 赶快去0042d0a4把人数改成7f. Extra, 我来了...

总结一下, 这次的成功主要是由于源程序本身很干净, 而我的思路正确, 运气也不错, 希望下次还能这样.

另外补充几点:
1.人数如果改的比较小, 而你又死光了, 好像会出除零错, 这个我就没再研究了, 总之改大些呗
2.游戏进到图形模式后, olly断下了却看不到, 我的办法是把分辨率调到1600x1200, 然后游戏只占左上角一小片, 其它地方看olly就好了
3.有时卡得连分辨率也改不了, 这是我就让电脑待机再启动, 这样就行了.
4.后来玩东方永夜抄, 过程几乎一样, 有了上次经验, 这次轻松破解, 不过感觉还是直接改配置文件, 然后把配置文件校验改了方便些. 另外, 改extra时直接搜了mov byte ptr [eax+1c], 2就搜到了, 比较搞笑
5.注, 永夜抄人数在[17ce88c], 而级别在[160f538]

Comments

Popular posts from this blog

Determine Perspective Lines With Off-page Vanishing Point

In perspective drawing, a vanishing point represents a group of parallel lines, in other words, a direction. For any point on the paper, if we want a line towards the same direction (in the 3d space), we simply draw a line through it and the vanishing point. But sometimes the vanishing point is too far away, such that it is outside the paper/canvas. In this example, we have a point P and two perspective lines L1 and L2. The vanishing point VP is naturally the intersection of L1 and L2. The task is to draw a line through P and VP, without having VP on the paper. I am aware of a few traditional solutions: 1. Use extra pieces of paper such that we can extend L1 and L2 until we see VP. 2. Draw everything in a smaller scale, such that we can see both P and VP on the paper. Draw the line and scale everything back. 3. Draw a perspective grid using the Brewer Method. #1 and #2 might be quite practical. #3 may not guarantee a solution, unless we can measure distances/p...

[转] UTF-8 and Unicode FAQ for Unix/Linux

这几天,这个东西把我搞得很头疼 而且这篇文章好像太大了,blogger自己的发布系统不能发 只好用mail了 //原文 http://www.cl.cam.ac.uk/~mgk25/unicode.html UTF-8 and Unicode FAQ for Unix/Linux by Markus Kuhn This text is a very comprehensive one-stop information resource on how you can use Unicode/UTF-8 on POSIX systems (Linux, Unix). You will find here both introductory information for every user, as well as detailed references for the experienced developer. Unicode has started to replace ASCII, ISO 8859 and EUC at all levels. It enables users to handle not only practically any script and language used on this planet, it also supports a comprehensive set of mathematical and technical symbols to simplify scientific information exchange. With the UTF-8 encoding, Unicode can be used in a convenient and backwards compatible way in environments that were designed entirely around ASCII, like Unix. UTF-8 is the way in which Unicode is used under Unix, Linux, and similar systems. It is now time to make sure that you are well familiar ...

Moving Items Along Bezier Curves with CSS Animation (Part 2: Time Warp)

This is a follow-up of my earlier article.  I realized that there is another way of achieving the same effect. This article has lots of nice examples and explanations, the basic idea is to make very simple @keyframe rules, usually just a linear movement, then use timing function to distort the time, such that the motion path becomes the desired curve. I'd like to call it the "time warp" hack. Demo See the Pen Interactive cubic Bezier curve + CSS animation by Lu Wang ( @coolwanglu ) on CodePen . How does it work? Recall that a cubic Bezier curve is defined by this formula : \[B(t) = (1-t)^3P_0+3(1-t)^2tP_1+3(1-t)t^2P_2+t^3P_3,\ 0 \le t \le 1.\] In the 2D case, \(B(t)\) has two coordinates, \(x(t)\) and \(y(t)\). Define \(x_i\) to the be x coordinate of \(P_i\), then we have: \[x(t) = (1-t)^3x_0+3(1-t)^2tx_1+3(1-t)t^2x_2+t^3x_3,\ 0 \le t \le 1.\] So, for our animated element, we want to make sure that the x coordiante (i.e. the "left" CSS property) is \(...