Manually patching Haofang Battle Platform 5.8.1.516 for multi-instance support (reposted from 透过树梢的阳光)

Haofang Battle Platform

Most game battle platforms refuse to run more than one instance of themselves, and Haofang is no exception. I could have been lazy and downloaded a multi-instance patch, but the patches floating around online all target versions that are far too old, and a patched binary might well not run. So we might as well do it ourselves!
Step 1:
Locate GameClient.exe and check it for a packer with PEiD. Result: Microsoft Visual C++ 6.0 [Debug].
Look at that: Haofang isn't even wearing clothes (no packer at all). That makes the next step much easier.
Step 2:
Since there is no packer, load it straight into OllyDbg (OD) and set a breakpoint on OpenMutexA. Press F9 once; after it breaks, press Ctrl+F9 and then F7 once each, and you land here:

[code]
0044690F   E8 C4B40F00          call <jmp.&MFC42.#537>
00446914   68 70895A00          push GameClie.005A8970             ; /MutexName = "GameClient_Mutex"
00446919   6A 00                push 0                             ; |Inheritable = FALSE
0044691B   68 01001F00          push 1F0001                        ; |Access = 1F0001
00446920   C68424 5C030000 02   mov byte ptr ss:[esp+35C],2        ; |
00446928   FF15 60575600        call dword ptr ds:[<&KERNEL32.Open>; \OpenMutexA
0044692E   85C0                 test eax,eax                       ; <- we land here
00446930   8985 38040000        mov dword ptr ss:[ebp+438],eax
00446936   E9 88000000          je GameClie.004469C3               ; <- the je discussed below
0044693C   50                   push eax                           ; /hObject
0044693D   FF15 E0575600        call dword ptr ds:[<&KERNEL32.Clos>; \CloseHandle
00446943   6A 05                push 5                             ; /Relation = GW_CHILD
00446945   C785 38040000 000000>mov dword ptr ss:[ebp+438],0       ; |
0044694F   FF15 3C675600        call dword ptr ds:[<&USER32.GetDes>; |[GetDesktopWindow
00446955   50                   push eax                           ; |hWnd
00446956   FF15 40675600        call dword ptr ds:[<&USER32.GetWin>; \GetWindow
0044695C   8BF0                 mov esi,eax
0044695E   85F6                 test esi,esi
[/code]

As you can see, Haofang prevents multiple instances simply by creating a mutex. Change je GameClie.004469C3 to jmp GameClie.004469C3 and that's it.
Step 3:
I thought step 2 would be the end of it, but when I launched a second GameClient.exe, the first GameClient.exe "automatically" exited.
Heh, so Haofang has one more trick up its sleeve. Seeing that behaviour, TerminateProcess immediately comes to mind.
So let's dig further. First run GameClient.exe directly, then load GameClient.exe in OD, this time with a breakpoint on TerminateProcess.
Press F9 once and, sure enough, it breaks:

[code]
00447510   5E                   pop esi
00447511   59                   pop ecx
00447512   C2 0400              retn 4
00447515   8B5424 04            mov edx,dword ptr ss:[esp+4]
00447519   52                   push edx                           ; /ExitCode
0044751A   56                   push esi                           ; |hProcess
0044751B   FF15 E4575600        call dword ptr ds:[<&KERNEL32.Term>; \TerminateProcess <- breaks here
00447521   56                   push esi                           ; /hObject
00447522   FF15 E0575600        call dword ptr ds:[<&KERNEL32.Clos>; \CloseHandle
00447528   B8 01000000          mov eax,1
0044752D   5E                   pop esi
0044752E   59                   pop ecx
[/code]

Press Ctrl+F9 twice and F7 twice, and you arrive at the following spot:

[code]
00446D28   8BCA                 mov ecx,edx
00446D2A   83E1 03              and ecx,3
00446D2D   F3:A4                rep movs byte ptr es:[edi],byte pt>
00446D2F   8D4C24 30            lea ecx,dword ptr ss:[esp+30]
00446D33   E8 4AAF0F00          call <jmp.&MFC42.#800>
00446D38   8D4424 3C            lea eax,dword ptr ss:[esp+3C]
00446D3C   8BCD                 mov ecx,ebp
00446D3E   50                   push eax                           ; /Arg1            <- the push + call discussed below
00446D3F   E8 7C050000          call GameClie.004472C0             ; \GameClie.004472C0
00446D44   B9 C0605B00          mov ecx,GameClie.005B60C0
00446D49   E8 02C30200          call GameClie.00473050
00446D4E   6A 01                push 1                             ; /Arg1 = 00000001
00446D50   B9 C0605B00          mov ecx,GameClie.005B60C0          ; |
00446D55   E8 B6D80200          call GameClie.00474610             ; \GameClie.00474610
[/code]

If you're interested, take a look at the body of GameClie.004472C0: in that function Haofang walks the process list, finds GameClient.exe and kills it.
The fix is simple: overwrite the push eax and the call entirely with nop.
Step 4:
Save the changes, pack up the tools, and run the platform. Perfect!
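As an added example (not part of the original post), here is a small Python helper that decodes the je/jmp/call forms that appear in the listings above and resolves their targets, so you can confirm that the branch at 00446936 and the call at 00446D3F really go where the listing says, and see that a near je (0F 84, 6 bytes) and a near jmp (E9, 5 bytes) are not the same length; the same decoder lets you tell an intact single-instance check from a neutralised one when auditing a binary. The 0F 84 87 00 00 00 form for the unpatched je is an assumption: the post only shows the E9 bytes.

```python
import struct

# Opcode table for the branch forms seen in the listings above (constructed for
# this example; other instructions are not handled).
BRANCHES = {
    b"\x0f\x84": ("je", 4),   # near je,   rel32 -> 6 bytes
    b"\x74":     ("je", 1),   # short je,  rel8  -> 2 bytes
    b"\xe9":     ("jmp", 4),  # near jmp,  rel32 -> 5 bytes
    b"\xeb":     ("jmp", 1),  # short jmp, rel8  -> 2 bytes
    b"\xe8":     ("call", 4), # near call, rel32 -> 5 bytes
}

def decode_branch(addr, code):
    """Decode the je/jmp/call whose first byte sits at virtual address `addr`.
    Returns (mnemonic, instruction length, absolute target)."""
    for opcode, (mnem, rel_size) in BRANCHES.items():
        if code.startswith(opcode):
            length = len(opcode) + rel_size
            disp = code[len(opcode):length]
            if len(disp) != rel_size:
                raise ValueError("truncated displacement at %#x" % addr)
            rel = struct.unpack("<b" if rel_size == 1 else "<i", disp)[0]
            # x86 relative branches are measured from the end of the instruction
            return mnem, length, (addr + length + rel) & 0xFFFFFFFF
    raise ValueError("no je/jmp/call at %#x" % addr)

def mutex_check_state(addr, code, expected_target):
    """Classify the branch after the OpenMutexA result test: a conditional je is
    the stock check; an unconditional jmp to the same target means the
    single-instance check has been neutralised."""
    mnem, length, target = decode_branch(addr, code)
    if target != expected_target:
        return "unexpected target %#x" % target
    if mnem == "je":
        return "intact"
    return "patched (%s, %d bytes)" % (mnem, length)

# Constructed byte strings for the instruction at 00446936 in the first listing.
# STOCK_JE is the assumed unpatched near je; PATCHED is the E9 88000000 shown in
# the listing plus one nop, so the next instruction still starts at 0044693C.
STOCK_JE = bytes.fromhex("0f8487000000")
PATCHED = bytes.fromhex("e98800000090")
# The push eax / call pair at 00446D3E in the second listing.
PUSH_CALL = bytes.fromhex("50e87c050000")

if __name__ == "__main__":
    for name, code in (("stock", STOCK_JE), ("patched", PATCHED)):
        print(name, decode_branch(0x00446936, code),
              mutex_check_state(0x00446936, code, 0x004469C3))
    # skip the 1-byte push eax and resolve the call that follows it
    print("call target", hex(decode_branch(0x00446D3F, PUSH_CALL[1:])[2]))
```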
