STAR 5.7 5.6 [ԭ佫] ޸

    ִ֧6 ԭ佫ܹ趨Χͷ񡢱֣
    һMOD ԸѡıְҵΪԭ佫ָͬRS ͡ɱɳȵȡ
    ԭ佫ⷽ佫ظлgodtypeṩ

    ⲿDLL ʵ֣ΪVC++Ϸֻ޸ģ5.6  5.7 ޸ķȫһ





    
    *. ע 1. ͨ[71H: Ч] ָ, ЧֵָΪԭ佫DATA ţָ1023 ֵᵼָִУ
               MOD ߿ɶЩֵĴ

            2. ʹ[4050][4051]ͱ8 ҿѡְҵֵΪ޸￴ֵ1ÿһֽڱʾһ
               ѡְҵ: ᲽıֱΪ3ӦΪ4ָѡְҵĬΪȺҽѡ

            3. [71H: Ч] ָʱ[4050]ͱѡְҵĿMOD߿Բ
               ĽΪ0 ʾѡǵһְҵ磺籾ֿѡְҵֱΪȺֺۡʹ̿
               71H ָغ4050 ͱֵΪ1 ʾѡְҵΪ

            4. [71H: Ч] ָʱ[4051]ͱԭ佫Ա0ʾԣ1ʾŮԣMOD
               ߿ʹ[77H: ] ָ[4051]ͱ޸սš磺77: ͱ 4051 += 5
               ԭΪսŽָΪ5ԭΪսŽָΪ6

            5. ͨ޸[ԭ佫Ի]ļϵͳԿƣ

            VC++ԭΣ
              _DKEXPORTS_API  BOOL  _DkOriPerCreateDlg(
                                                      <DWORD: 汾Ϣ>,		// 0ʾ5.6棬1ʾ5.7
                                                      <DWORD: 佫ⷶΧ>, 		// 0ʾ
                                                      <DWORD: 佫DATA>,
                                                      <DWORD: ܺ>, 
                                                      <DWORD: 佫Ĭϵı׼ֵ>,
                                                      <DWORD: 佫ֵ>);

            ӦʽĬã
                      ; Default argument set, pushed right-to-left before `call eax` (eax = slot 3 of
                      ; the pointer table at 00518090, see stub (5) in the _text2.bin section below).
                      ; In prototype order the call is _DkOriPerCreateDlg(1, 400h, [ebp-4], 28h, 46h, 5Ah):
                      ;   param 1 = 1 (5.7 build), param 2 = 400h (1024), param 3 = the DATA id kept in
                      ;   the local [ebp-4], params 4..6 = the immediates 28h / 46h / 5Ah.
                      ; No caller-side stack cleanup is visible after the call, but the stub's `leave`
                      ; restores esp anyway, so the calling convention cannot be read off this listing;
                      ; check the export's declaration in the DLL.
                      005181EA    6A 5A                push    5A                 ; param 6
                      005181EC    6A 46                push    46                 ; param 5
                      005181EE    6A 28                push    28                 ; param 4
                      005181F0    FF75 FC              push    dword ptr [ebp-4]  ; param 3: DATA id (already range-checked by the stub)
                      005181F3    68 00040000          push    400                ; param 2: range 1024
                      005181F8    6A 01                push    1                  ; param 1: version selector, 1 = 5.7
                      005181FA    FFD0                 call    eax                ; eax was loaded from the writable slot table


            6. 籾ٲʹ佫һЩţԵľS 籾[19H: ʤ]ָ磺ʧXXX
               XXX Ϊԭ佫ʱMOD ߽޷֪ʵʵ֣Ϊ籾һЩָ߶˸ʽ
               ֻҪ籾ָа*.x x ȡֵΧΪ1 ~6 Ӧ1 ~6ԭ佫ԶתΪʵ佫

               ͨԵָ
               [12H: ѡ]
               [14H: Ի]磺&*.2\nãҵ*.2
               [15H: սԻ2]
               [16H: Ϣ]
               [17H: ]
               [18H: ¼趨]
               [19H: ʤ]
               [1AH: ʾʤ]
               [2CH: ͼʾ]
               [63H: Ի]
               [67H: ]
               [69H: ԰]
               зָֻ޷ʽĻλظӣ

            7. Ϸ򲻻ˢ佫SAV ӳе佫R 籾佫ֶΣʹһname.e5 ļ
               Ϸ浵ʱд뵽ļʱȴdata.e5 ж浵ԭ佫
               SAV ӳ䣬֮ٴname.e5 ļж佫ԭĿǷֹA 浵DATA XX 佫Ϊԭ佫
               B 浵ûXX ԭ佫µ佫ʾ

            8. ԭ佫ͷŮ10ţŰŵ600 (908 - 301 - 7) Tou.dll ļҪͷˣ֮Ӧ
               Сͷ Face.e5 ļӦӵ뵽608 ~ 627 

               Tou.dll ǽñMOD ûBMP ļһһµʮ˷ʱ䣬ҵʹResHacker 
               DLL ļеλͼȫ޸Դű±룬ʹַءԴɰ޸˵

               ͷ񹤳ļдΪWin32asmߵᷴ淢VC ̡

            9. ʹ[71H: Ч] ָ֮ǰʹ[3BH: 佫]ⱾϵͳǻΧʾģҲԴ
               ǰȽΪʾ
                                                                                             ϸ﷨վ籾

;--------------------------------------------------------------------------------------------------------------------

һ޸ģ װ _text2.bin ļ

    1. LordPE ==> [ѡ] ==> [PE ༭] һѡ[αԶС] ==> [ȷ]

    2. [PE༭] ==> Ekd5.exe ==> [] ==> Ҽ ==> [Ӵ] ==>  _text2.bin ļ
       ==>   ʾɹ 

    3. [_text2.b] Ҽ ==> [༭] ==> [] Ϊ.text2

    4. [־] ߵ[ ..] ť[α־] ==> ȡ[δʼ] Ĺѡ ==> [ȷ]
       ʱ[־] ֵΪE0000060 ==> [] ==> ˳LordPE

;--------------------------------------------------------------------------------------------------------------------

ڶ޸ģ ޸

    (1). [佫鱨]ʱͷʾ

       ; 5-byte near jmp: 00407660 + 5 + 100h = 00407765, i.e. it skips the 100h-byte span in between
       ; (presumably the original portrait drawing code; confirm in the unpatched binary).
       00407660     /E9 00010000   jmp     00407765

    (2). Ϸʱװ_DkExports.dll

       ; Hook into the DLL-load stub (1): 0047558C + 5 + 0A2B8Fh = 00518120.
       ; The stub re-enters at 00475593, 7 bytes past the hook, so the patched span is 7 bytes;
       ; that matches the `push 0 / push 1F4` pair (2 + 5 bytes) the stub re-executes before
       ; jumping back — presumably the displaced original instructions.
       0047558C    - E9 8F2B0A00   jmp     00518120

    (3). Ϸ˳ʱж_DkExports.dll

       ; Hook into the FreeLibrary stub (2): 00409239 + 5 + 10EF0Eh = 0051814C.
       ; Note the stub does not jump back to 0040923E (hook + 5) but to 0042B5FF; the displaced
       ; instruction at 00409239 was presumably itself a transfer to that address — confirm.
       00409239    - E9 0EEF1000   jmp     0051814C

    (4). ԭ佫浵

       ; Hook into the save-load stub (3): 0041ADC1 + 5 + 0FD39Eh = 00518164.
       ; That stub continues at 004CF352 rather than at 0041ADC6 (hook + 5), so the displaced
       ; instruction was presumably a call/jmp to 004CF352 — verify before re-applying on another build.
       0041ADC1    - E9 9ED30F00   jmp     00518164

    (5). ԭ佫浵д봦

       ; Hook into the save-write stub (4): 0041B22E + 5 + 0FCF55h = 00518188.
       ; The stub jumps back to 0041B236 (hook + 8) after re-executing
       ; `push dword ptr [ebp+8] / call 004CEECA` (3 + 5 bytes) — the displaced instructions.
       0041B22E    - E9 55CF0F00   jmp     00518188

    (6). ע[71H: Ч] ָڵַ

       00410C02  B4 81 51 00

    (7). EEX 籾ӳжȡָʽ

       ; EEX script-byte classifier (dl = current script byte).  The inserted part is the '*' (2Ah)
       ; test plus the call through slot 4 of the pointer table ([5180A0] = 518090 + 4*4); the
       ; whitespace / newline tests that follow are the original logic.  The three nops pad the
       ; region back to its original 24-byte length (byte string below).
       ; Unlike stubs (3)-(5), this call site does not null-check the slot: it must not be
       ; reachable before _DkExports.dll has filled the table (the image dump shows the table
       ; zero-initialised).  The DLL's init block records 4179B4 and 417A08 (_4179B4H / _417A08H),
       ; so the slot-4 routine presumably re-enters the reader at one of those instead of plainly
       ; returning here — confirm.  The `|` / `/` glyphs in the opcode column are debugger
       ; jump-arrow markers, not instruction bytes.
       004179C3     80FA 2A       |cmp     dl, 2A                 ; '*' introduces a "*.x" reference
       004179C6     75 06         |jnz     short 004179CE
       004179C8     FF15 A0805100 |call    dword ptr [5180A0]     ; slot 4, no null check
       004179CE     80FA 20       cmp     dl, 20                  ; original: control char? (signed compare,
       004179D1     7D 35         jge     short 00417A08          ;   bytes >= 80h fall through here)
       004179D3     80FA 0A       cmp     dl, 0A                  ; original: newline?
       004179D6     75 12         |jnz     short 004179EA
       004179D8     90            nop                             ; padding to keep the 24-byte span
       004179D9     90            |nop
       004179DA     90            nop

         ݣ

         80 FA 2A 75 06 FF 15 A0 80 51 00 80 FA 20 7D 35 80 FA 0A 75 12 90 90 90


    (8). [14H: Ի] ָ佫ͷʾʽ

       ; [14H] dialog text copy (cl = current character, [ebp-C] = write index, [ebp-410] = local
       ; buffer).  Inserted: a '*' (2Ah) character is passed to slot 5 ([5180A4] = 518090 + 5*4)
       ; before the character is stored.  ecx is caller-saved under the Win32 conventions, so the
       ; cl that gets stored after the call is whatever the slot-5 routine leaves in it — presumably
       ; the intended substitution mechanism; confirm against the DLL.  No bound on the write index
       ; is visible in this excerpt, so whatever limits the source line length is the only thing
       ; keeping the expanded text inside the 410h-byte frame area — worth checking.  The region is
       ; 29 bytes (byte string below); no padding was needed.
       004137F3    80F9 0A           ||cmp     cl, 0A             ; newline ends the copy
       004137F6    74 26             ||je      short 0041381E
       004137F8    80F9 2A           ||cmp     cl, 2A             ; '*' -> ask the DLL
       004137FB    75 06             ||jnz     short 00413803
       004137FD    FF15 A4805100     call    dword ptr [5180A4]   ; slot 5, no null check
       00413803    8B55 F4           mov     edx, dword ptr [ebp-C]
       00413806    888C2A F0FBFFFF   mov     byte ptr [edx+ebp-410], cl  ; buf[idx] = cl
       0041380D    FF45 F4           ||inc     dword ptr [ebp-C]  ; idx++ (no visible upper bound)

         ݣ

         80 F9 0A 74 26 80 F9 2A 75 06 FF 15 A4 80 51 00 8B 55 F4 88 8C 2A F0 FB FF FF FF 45 F4

    (9). [1AH: ʾʤ] ָݸʽ

       ; [1AH] argument scanner (edx = current script pointer).  Inserted: a '*' (2Ah) byte is
       ; passed to slot 6 ([5180A8] = 518090 + 6*4).  The `cmp al, 0A` after the call reads al,
       ; i.e. the low byte of the routine's return value, so the routine is presumably expected to
       ; return the (possibly substituted) character in eax — confirm.  The DLL's init block records
       ; 44BEF5 and 44BF44 (_44BEF5H / _44BF44H), the latter being the jnz target below.  The trailing
       ; nop pads the region to its original 22-byte length (byte string below).  No null check on
       ; the slot here either.
       0044BF23    0FB602          ||movzx   eax, byte ptr [edx]  ; eax = *p (zero-extended)
       0044BF26    84C0            test    al, al                 ; end of string?
       0044BF28    74 37           je      short 0044BF61
       0044BF2A    3C 2A           cmp     al, 2A                 ; '*' -> ask the DLL
       0044BF2C    75 06           jnz     short 0044BF34
       0044BF2E    FF15 A8805100   call    dword ptr [5180A8]     ; slot 6; al is its return value afterwards
       0044BF34    3C 0A           ||cmp     al, 0A               ; newline?
       0044BF36    75 0C           jnz     short 0044BF44
       0044BF38    90              nop                            ; padding

         ݣ

         0F B6 02 84 C0 74 37 3C 2A 75 06 FF 15 A8 80 51 00 3C 0A 75 0C 90

    (10). [18H: ¼趨] ָݸʽ

       ; [18H] handler rewrite: a three-argument call to 004179A5 (eax = 004A1128 pushed twice,
       ; with [ebp+8] in between) followed by a call to 0047650F; the nops pad the region to its
       ; original 33-byte length (byte string below).  004179A5 is presumably the script reader
       ; whose body is patched in (7) above (004179C3 lies 1Eh bytes past it) — confirm.  Neither
       ; call's return value is checked here, and what 004A1128 points to is not visible in this
       ; excerpt.  Displacements check out: 0040BB5A + 0BE4Bh = 004179A5, 0040BB65 + 6A9AAh = 0047650F.
       0040BB4B   B8 28114A00     mov   eax, 004A1128      ; eax = fixed address (data, presumably)
       0040BB50   50              push  eax                ; arg 3
       0040BB51   FF75 08         push  dword ptr [ebp+8]  ; arg 2: handler's own first argument
       0040BB54   50              push  eax                ; arg 1
       0040BB55   E8 4BBE0000     call  004179A5
       0040BB5A   90              nop                      ; padding
       0040BB5B   90              nop
       0040BB5C   90              nop
       0040BB5D   90              nop
       0040BB5E   90              nop
       0040BB5F   90              nop
       0040BB60 |.E8 AAA90600     call  0047650F           ; original call kept at its original address
       0040BB65   90              nop                      ; padding
       0040BB66   90              nop
       0040BB67   90              nop
       0040BB68   90              nop
       0040BB69   90              nop
       0040BB6A   90              nop
       0040BB6B   90              nop

         ݣ

         B8 28 11 4A 00 50 FF 75 08 50 E8 4B BE 00 00 90 90 90 90 90 90 E8 AA A9 06 00 90 90 90 90 90 90
         90

;-----------------------------------------------------------------------------------------------------------

_DkExports.dll Ϸӿڵ˵ǳҪ


    *. ע 1. ⲿλ _DkOriPerInitInsVar ڣ _DkExports.dll װڴʱʼΪֵָ
               ϷĶ޷Դ佫дԴ佫ʧܡʽԴ佫ʧܵʱο޸


	// Hard-coded 5.7 executable addresses captured at DLL initialisation.  Every value below is
	// a fixed game address (see the compiled listing further down); they must be re-derived for
	// any other build of Ekd5.exe.
	// 0x518090 is the pointer table in the injected .text2 section (slot 0 = the DLL's own
	// HMODULE, slots 1..6 are the routines the stubs and patches call through).
	g_lpProcAddrHead = (LPDWORD)0x518090;		// Խ_DkExports.dllڵַ׵ַ0x518090DLLģ
	// 0x4B6A60 holds the game's HINSTANCE; two DWORDs later (0x4B6A68) its main HWND.
	lpDwordVar = (LPDWORD)0x4B6A60;
	g_hInstanceMain = (HINSTANCE)*lpDwordVar;	// ģ
	lpDwordVar += 2;	// LPDWORD arithmetic: +2 == +8 bytes (matches `add eax, 8` in the listing)
	g_hWinMain = (HWND)*lpDwordVar;				// ھ
	// 0x500EF5 holds the module handle of Tou.dll (portrait resources).
	lpDwordVar = (LPDWORD)0x500EF5;
	g_hTouDll = (HMODULE)*lpDwordVar;			// TouDllģ
	// 0x4CEA00 holds the pointer to the in-memory SAV image.
	lpDwordVar = (LPDWORD)0x4CEA00;
	g_lpSavImage = (LPBYTE)*lpDwordVar;		// 佫SAVӳָ
	// 0x518010 is the name-image area at the start of the injected section (zero in the image dump).
	g_lpNameImage = (PORI_PER_NAME_IMAGE)0x518010;		// ԭ佫
	// 0x505F48 is the script global that [4050] maps to (note 2 in the preface).
	g_lpGalVar_4050 = (LPDWORD)0x505F48;		// 4050αַ
	_48BEA8H = 0x48BEA8;						// ַ

	// Re-entry addresses into the patched game routines (7), (8) and (9); one pair per patch.
	// NOTE(review): 0x413801 lies inside the 6-byte `call dword ptr [5180A4]` at 004137FD in
	// listing (8), so it is not an instruction boundary there — verify this constant against the
	// bytes actually applied.  The remaining values are instruction boundaries in the listings
	// (417A08 is the jge target in (7), 44BF44 the jnz target in (9)).
	_4179B4H = 0x4179B4;	// EEX 籾ӳжȡָʽʱɹ
	_417A08H = 0x417A08;	// EEX 籾ӳжȡָʽʱԴ佫
	_41383CH = 0x41383C;	// [14H: Ի] ָ佫ͷʾʽʱɹ
	_413801H = 0x413801;	// [14H: Ի] ָ佫ͷʾʽʱԴ佫
	_44BEF5H = 0x44BEF5;	// [1AH: ʾʤ] ָݸʽʱɹ
	_44BF44H = 0x44BF44;	// [1AH: ʾʤ] ָݸʽʱԴ佫


         ʽַҵϵͳ

       ; Compiled form of the initialisation block above, seen with the DLL mapped at its
       ; debug-session base: the 021Dxxxx addresses (code and the 21DB1xx globals) move with the
       ; load base, while the 00xxxxxx game addresses are fixed immediates.  [ebp-C] is lpDwordVar,
       ; reloaded before each use (unoptimised build).  One store per assignment, in source order.
       021D20AC    C705 A8B11D02 90805100   mov     dword ptr [21DB1A8], 518090   ; g_lpProcAddrHead
       021D20B6    C745 F4 606A4B00         mov     dword ptr [ebp-C], 4B6A60     ; lpDwordVar = 0x4B6A60
       021D20BD    8B45 F4                  mov     eax, dword ptr [ebp-C]
       021D20C0    8B08                     mov     ecx, dword ptr [eax]          ; *lpDwordVar
       021D20C2    890D D0B11D02            mov     dword ptr [21DB1D0], ecx      ; g_hInstanceMain
       021D20C8    8B45 F4                  mov     eax, dword ptr [ebp-C]
       021D20CB    83C0 08                  add     eax, 8                        ; lpDwordVar += 2 (DWORDs)
       021D20CE    8945 F4                  mov     dword ptr [ebp-C], eax
       021D20D1    8B45 F4                  mov     eax, dword ptr [ebp-C]
       021D20D4    8B08                     mov     ecx, dword ptr [eax]
       021D20D6    890D CCB11D02            mov     dword ptr [21DB1CC], ecx      ; g_hWinMain
       021D20DC    C745 F4 F50E5000         mov     dword ptr [ebp-C], 500EF5     ; lpDwordVar = 0x500EF5
       021D20E3    8B45 F4                  mov     eax, dword ptr [ebp-C]
       021D20E6    8B08                     mov     ecx, dword ptr [eax]
       021D20E8    890D C8B11D02            mov     dword ptr [21DB1C8], ecx      ; g_hTouDll
       021D20EE    C745 F4 00EA4C00         mov     dword ptr [ebp-C], 4CEA00     ; lpDwordVar = 0x4CEA00
       021D20F5    8B45 F4                  mov     eax, dword ptr [ebp-C]
       021D20F8    8B08                     mov     ecx, dword ptr [eax]
       021D20FA    890D C0B11D02            mov     dword ptr [21DB1C0], ecx      ; g_lpSavImage
       021D2100    C705 B8B11D02 10805100   mov     dword ptr [21DB1B8], 518010   ; g_lpNameImage
       021D210A    C705 ACB11D02 485F5000   mov     dword ptr [21DB1AC], 505F48   ; g_lpGalVar_4050
       021D2114    C705 98B11D02 A8BE4800   mov     dword ptr [21DB198], 48BEA8   ; _48BEA8H
       021D211E    C705 94B11D02 B4794100   mov     dword ptr [21DB194], 4179B4   ; _4179B4H
       021D2128    C705 90B11D02 087A4100   mov     dword ptr [21DB190], 417A08   ; _417A08H
       021D2132    C705 8CB11D02 3C384100   mov     dword ptr [21DB18C], 41383C   ; _41383CH
       021D213C    C705 88B11D02 01384100   mov     dword ptr [21DB188], 413801   ; _413801H
       021D2146    C705 84B11D02 F5BE4400   mov     dword ptr [21DB184], 44BEF5   ; _44BEF5H
       021D2150    C705 80B11D02 44BF4400   mov     dword ptr [21DB180], 44BF44   ; _44BF44H

;-----------------------------------------------------------------------------------------------------------

_test2.bin ļ˵


    *. ע 1. ϷĶ޷Դ佫дԴ佫ʧܡʽԴ佫ʧܵʱο޸


һ ʼԭ佫ڴ棬_DkExports.dll ַʼ뺯ַ
    00 ݽϷʱᱻӳ䣩

00518000  CE E4 BD AB BC EC CB F7 C7 F8 D3 F2 CA BC 00 00  佫ʼ..
00518010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00518020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00518030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00518040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00518050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00518060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00518070  5F 44 6B 45 78 70 6F 72 74 73 2E 64 6C 6C 00 00  _DkExports.dll..
00518080  B5 BC C8 EB BA AF CA FD B5 D8 D6 B7 B1 ED 00 00  뺯ַ..
00518090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
005180A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
005180B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
005180C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
005180D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
005180E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
005180F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00518100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00518110  00 00 00 00 00 00 00 00 B4 FA C2 EB C7 F8 00 00  ..........


 벿

    (1). Ϸɹʱװ_DkExports.dll

; (1) Load stub, entered from the hook at 0047558C.
; LoadLibraryA is given the bare name "_DkExports.dll" (string at 00518070), so the module is
; resolved through the loader's DLL search order rather than by an explicit path; the DLL is
; expected next to Ekd5.exe.  On failure (eax == 0) control goes to 004755AE and slot 0 keeps its
; zero from the image.  On success the HMODULE is stored in slot 0 of the table at 00518090,
; the displaced `push 0 / push 1F4` pair (7 bytes, matching hook + 7) is re-executed and control
; returns to 00475593.
; The table and this code share section .text2, whose characteristics are set to E0000060 in
; step 4 of part one (IMAGE_SCN_MEM_EXECUTE | MEM_READ | MEM_WRITE plus CNT_CODE |
; CNT_INITIALIZED_DATA): the function pointers the stubs call through live in writable,
; executable memory, and the stubs only null-check a slot before calling it.
00518120    68 70805100       push    00518070                               ; ASCII "_DkExports.dll"
00518125    FF15 24614800     call    dword ptr [<&KERNEL32.LoadLibraryA>]   ; kernel32.LoadLibraryA
0051812B    09C0              or      eax, eax                               ; HMODULE == NULL ?
0051812D  - 0F84 7BD4F5FF     je      004755AE                               ; load failed: skip the store
00518133    BA 90805100       mov     edx, 00518090                          ; slot 0
00518138    8902              mov     dword ptr [edx], eax                   ; slot 0 = HMODULE (freed by (2))
0051813A    6A 00             push    0                                      ; presumably the displaced originals
0051813C    68 F4010000       push    1F4
00518141  - E9 4DD4F5FF       jmp     00475593                               ; back to hook + 7


    (2). Ϸ˳ʱж_DkExports.dll

; (2) Unload stub, entered from the hook at 00409239.
; Frees whatever slot 0 holds.  If the load in (1) failed the slot is still 0 (the image dump
; shows the table zero-initialised) and FreeLibrary(NULL) simply fails; the slot is not cleared
; afterwards, so running this path twice would pass a stale handle — probably harmless at exit,
; but worth knowing if the hook site turns out to be reachable more than once.
; Control continues at 0042B5FF, not at 0040923E (hook + 5); the displaced instruction was
; presumably a transfer to that address — confirm.
0051814C    B8 90805100       mov     eax, 00518090                          ; slot 0
00518151    FF30              push    dword ptr [eax]                        ; HMODULE (may be 0)
00518153    FF15 1C614800     call    dword ptr [<&KERNEL32.FreeLibrary>]    ; kernel32.FreeLibrary
00518159  - E9 A134F1FF       jmp     0042B5FF                               ; return value ignored


    (3). ԭ佫浵

; (3) Save-load stub, entered from the hook at 0041ADC1.
; Calls slot 1 ([518090 + 1*4] = [518094]) with the enclosing function's first argument [ebp+8]
; if the slot is non-zero, then continues at 004CF352 (not at 0041ADC6).
; Register use: eax = table base, then slot value, then the callee's return (ignored); ecx = slot
; index.  No `add esp, 4` follows the call before the jump into game code, so the callee must
; remove its own argument (stdcall) or the stack is left off by 4 — confirm against the export.
00518164    B8 90805100       mov     eax, 00518090          ; table base
00518169    B9 01000000       mov     ecx, 1                 ; slot 1
0051816E    8D0488            lea     eax, dword ptr [eax+ecx*4]
00518171    8B00              mov     eax, dword ptr [eax]   ; eax = slot 1 (0 until the DLL fills it)
00518173    09C0              or      eax, eax
00518175    74 05             je      short 0051817C         ; slot empty: skip the call
00518177    FF75 08           push    dword ptr [ebp+8]      ; caller's first argument
0051817A    FFD0              call    eax                    ; callee must clean up the argument
0051817C  - E9 D171FBFF       jmp     004CF352


    (4). ԭ佫浵д봦

; (4) Save-write stub, entered from the hook at 0041B22E.
; First re-executes the displaced `push dword ptr [ebp+8] / call 004CEECA` (the game's own write
; routine, 8 bytes = hook + 8), then calls slot 2 ([518090 + 2*4] = [518098]) with the same
; argument if the slot is non-zero, and jumps back to 0041B236.
; As in (3), no caller-side cleanup follows `call eax`, so the callee is expected to pop its own
; argument; the return values of both calls are ignored.
00518188    FF75 08           push    dword ptr [ebp+8]      ; displaced original: argument
0051818B    E8 3A6DFBFF       call    004CEECA               ; displaced original: game write routine
00518190    B8 90805100       mov     eax, 00518090          ; table base
00518195    B9 02000000       mov     ecx, 2                 ; slot 2
0051819A    8D0488            lea     eax, dword ptr [eax+ecx*4]
0051819D    8B00              mov     eax, dword ptr [eax]   ; eax = slot 2 (0 until the DLL fills it)
0051819F    09C0              or      eax, eax
005181A1    74 05             je      short 005181A8         ; slot empty: skip the call
005181A3    FF75 08           push    dword ptr [ebp+8]      ; same argument for the DLL
005181A6    FFD0              call    eax
005181A8  - E9 8930F0FF       jmp     0041B236               ; back to hook + 8


    (5). [71H: Ч] ָ

;---------------------------------------------------------------------------
; (5) Handler for script instruction [71H], installed by patching the dword at 00410C02 to
;     005181B4 (little-endian B4 81 51 00 in step (6) above — presumably a dispatch-table slot).
; Shape: one stack argument, removed by `retn 4` (stdcall style); one DWORD local at [ebp-4].
; In:   [ebp+8] = argument from the interpreter (passed to 004183F7 in ecx, with 4 on the stack)
; Out:  eax = 1 when the DLL call returns non-zero; eax = 5 on every other path (operand
;       rejected, slot 3 empty, or the DLL returned 0).  What 1 / 5 mean to the interpreter is
;       not visible here.
; Clobbers: eax, ecx, edx (per the callees), flags.
; Operand validation: 004183F7 returns the operand in eax (presumably an operand fetch);
; 80000000 is treated as an error sentinel, and anything above 3FF (1023) is rejected with an
; unsigned compare (`jbe`), so other negative values are rejected too.  This is the 1023 limit
; referred to in note 1 of the preface; the DATA id reaches the DLL only after this check.
; The target of `call eax` is read from the writable slot table on every call and only
; null-checked; the `leave` restores esp regardless of what the callees do to the stack.
;---------------------------------------------------------------------------
005181B4    55                push    ebp
005181B5    8BEC              mov     ebp, esp
005181B7    83C4 FC           add     esp, -4                ; one local: [ebp-4] = DATA id
005181BA    6A 04             push    4                      ; stack argument for 004183F7
005181BC    8B4D 08           mov     ecx, dword ptr [ebp+8] ; ecx = interpreter argument
005181BF    E8 3302F0FF       call    004183F7               ; eax = operand (presumed fetch)
005181C4    3D 00000080       cmp     eax, 80000000          ; fetch error sentinel?
005181C9    74 07             je      short 005181D2         ; -> fail
005181CB    3D FF030000       cmp     eax, 3FF               ; operand <= 1023 (unsigned)?
005181D0    76 02             jbe     short 005181D4         ; in range: continue
005181D2    EB 33             jmp     short 00518207         ; out of range: fail
005181D4    8945 FC           mov     dword ptr [ebp-4], eax ; keep the DATA id
005181D7    B8 90805100       mov     eax, 00518090          ; table base
005181DC    B9 03000000       mov     ecx, 3                 ; slot 3
005181E1    8D0488            lea     eax, dword ptr [eax+ecx*4]
005181E4    8B00              mov     eax, dword ptr [eax]   ; eax = slot 3 (0 until the DLL fills it)
005181E6    0BC0              or      eax, eax
005181E8    74 1D             je      short 00518207         ; slot empty: fail
005181EA    6A 5A             push    5A                     ; param 6
005181EC    6A 46             push    46                     ; param 5
005181EE    6A 28             push    28                     ; param 4
005181F0    FF75 FC           push    dword ptr [ebp-4]      ; param 3: DATA id
005181F3    68 00040000       push    400                    ; param 2: range 1024
005181F8    6A 01             push    1                      ; param 1: version selector, 1 = 5.7
005181FA    FFD0              call    eax                    ; _DkOriPerCreateDlg via the writable table
005181FC    0BC0              or      eax, eax               ; BOOL result
005181FE    74 07             je      short 00518207         ; FALSE: fail
00518200    B8 01000000       mov     eax, 1                 ; success code
00518205    EB 05             jmp     short 0051820C
00518207    B8 05000000       mov     eax, 5                 ; failure code
0051820C    C9                leave                          ; esp = ebp, pop ebp
0051820D    C2 0400           retn    4                      ; pops the single argument


    (6). 00518220 Ժδʹãɷ

;-----------------------------------------------------------------------------------------------------------