
說明

這是破解MapleMoon Ver_175.1.1A(修復自動按鍵問題)的會員版(Member)用的程式碼,包含了免金鑰、免檢查版本等破解。

使用方法

  1. 下載MapleMoon Ver_175.1.1A(Member).rar
  2. 解壓縮MapleMoon Ver_175.1.1A(Member).rar
  3. MapleMoon Ver_175.1.1A(Member)內的MapleMoon.dll重新命名為MapleMoon_org.dll
  4. 儲存程式碼為DllMain.cpp
  5. 編譯DllMain.cpp(參考編譯指令)產生MoonPatch.dll,並將其重新命名為MapleMoon.dll
  6. MapleMoon.dll放到MapleMoon Ver_175.1.1A(Member)中。
  7. 開啟遊戲、開啟MapleMoon Injector.exe並按注入,如沒有注入器請自行用TobyInjector注入。

編譯指令

bcc32(C++Builder的編譯器): bcc32 -tWD -eMoonPatch.dll DllMain.cpp
cl(VC++的編譯器): cl /FeMoonPatch.dll /wd4068 DllMain.cpp /LD
如要用IDE來編譯,可參考C++Builder 教學:建立DLL專案Target FrameworkNone

MoonPatch.dll 程式碼:

DllMain.cpp
#include <tchar.h>
#include <Windows.h>
#include <Shlwapi.h>

#pragma hdrstop
#pragma argsused
#pragma comment(lib, "shlwapi")

// Displacement operand for a 5-byte near JMP (opcode E9 rel32) written at `frm`
// that should land on `to`: target minus the address just past the instruction.
// The (int) casts assume pointers fit in 32 bits, so this only works in a
// 32-bit build.
#define JMP(frm,to) (((int)to - (int)frm)-5)

// Worker thread routine spawned from DllMain; performs the hooking and patching.
DWORD WINAPI Start(LPVOID lpThreadParameter);

// DLL entry point.  On process attach, spawn a worker thread that runs Start()
// with this module's HINSTANCE as its parameter; every other notification is
// ignored.  The handle returned by CreateThread is discarded (never closed).
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        CreateThread(NULL, 0, Start, hinstDLL, 0, NULL);
        break;
    default:
        break;
    }
    return TRUE;
}

DWORD CreateThread_Address;   // address of kernel32!CreateThread, set by Start() after it writes the JMP there
DWORD ReturnAddress;          // scratch slot: CreateThread_Hook parks the caller's return address here
HANDLE hThread = 0;           // handle of the one thread captured by CreateThread_Hook; Start() spins until it is non-NULL
                              // (plain globals, no synchronisation; hThread is not volatile)

// Trampoline to the original kernel32!CreateThread.  Start() overwrites the
// export's first 5 bytes with a JMP, so this re-executes `push ebp / mov ebp,esp`
// (presumably the prologue those 5 bytes held — verify against the target
// kernel32 build) and then jumps to CreateThread+5.  Naked: no prologue/epilogue
// is generated, so the stack layout seen by the original function is untouched.
void __declspec(naked) CreateThread_Call()
{
    __asm
    {
        Mov Eax, [CreateThread_Address]
        Add Eax, 0x05                      // skip the 5 patched bytes
        Push Ebp
        Mov Ebp, Esp                       // replay the overwritten prologue
        Jmp Eax
    }
}

// Detour target for kernel32!CreateThread, reached through the 5-byte JMP that
// Start() writes over the export.  Control arrives via JMP, not CALL, so [Esp]
// is still the original caller's return address and the six stdcall arguments
// sit at [Esp+4] .. [Esp+0x18].
//
// Exactly one call is intercepted: the one whose call site has the dword
// 0x0000FF68 at (return address - 0x0C), and only while hThread is still zero.
// For that call the hook sets dwCreationFlags to 0x04 (CREATE_SUSPENDED) so
// Start() can patch the freshly loaded module before the thread runs, and stores
// the returned HANDLE in hThread.  Every other call falls through to the
// original function unchanged.
//
// ReturnAddress and hThread are plain globals written without synchronisation;
// another thread entering CreateThread while the captured call is in flight
// would clobber ReturnAddress.
void __declspec(naked) CreateThread_Hook()
{
    __asm
    {
        Mov Eax, [Esp]                         // Eax = caller's return address
        Cmp dword ptr[Eax-0x0C], 0x0000FF68    // call-site signature (presumably an immediate in the caller's code — verify)
        Jne Return
        Cmp [hThread], 0x00                    // a thread was already captured -> pass through
        Jne Return
        Mov dword ptr[Esp+0x14], 0x04          // 5th argument, dwCreationFlags := CREATE_SUSPENDED
        Pop [ReturnAddress]                    // stash the return address; only the arguments remain on the stack
        Mov Eax, [CreateThread_Address]
        Add Eax, 0x05
        Call CreateThread_Call                 // run the original; as a stdcall callee it pops the six arguments
        Push Eax
        Pop [hThread]                          // hThread = the new thread's HANDLE
        Push [ReturnAddress]
        Ret                                    // return to the original caller with its stack already cleaned
Return:
        Mov Eax, [CreateThread_Address]
        Add Eax, 0x05                          // skip the 5 patched bytes
        Push Ebp
        Mov Ebp, Esp                           // replay the overwritten prologue
        Jmp Eax
    }
}

// Worker thread started by DllMain; lpThreadParameter is this DLL's HINSTANCE.
//
// Sequence (the order matters):
//   1. Write a 5-byte JMP over kernel32!CreateThread so calls land in
//      CreateThread_Hook, and publish the export's address in CreateThread_Address.
//   2. Load "MapleMoon_org.dll" (the renamed original module) from this DLL's
//      own directory.
//   3. Spin until CreateThread_Hook has captured a suspended thread in hThread.
//   4. Overwrite fixed byte offsets inside the loaded module (NOPs, short jumps,
//      single bytes and two byte strings), then resume the captured thread.
//
// Returns TRUE on success, FALSE if a lookup or VirtualProtect call fails.
// Failure paths leave every earlier patch in place, and page protections are
// never restored (flOldProtect is only a required out-parameter).  The module
// offsets are hard-coded for one specific build of the target DLL; on any other
// build they point at unrelated bytes.
//
// Detection note: an E9 JMP on the first byte of an exported kernel32 function
// plus PAGE_EXECUTE_READWRITE changes over a loaded module are the classic
// signals that hook/integrity scanners flag.
DWORD WINAPI Start(LPVOID lpThreadParameter)
{
    TCHAR szPath[MAX_PATH];
    FARPROC fpCreateThread;
    HMODULE hModule;
    DWORD flOldProtect;
    LPVOID lpAddress;

    // kernel32 is already mapped in any Win32 process; LoadLibrary is a fallback only.
    hModule = GetModuleHandle(_T("kernel32"));
    if (hModule == NULL)
        hModule = LoadLibrary(_T("kernel32"));
    if (hModule == NULL)
        return FALSE;

    fpCreateThread = GetProcAddress(hModule, "CreateThread");
    if (fpCreateThread == NULL)
        return FALSE;

    // VirtualProtect returns BOOL; "== NULL" is simply a test for zero.
    if (VirtualProtect(fpCreateThread, 5, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
        return FALSE;

    // Inline hook: E9 <rel32> to CreateThread_Hook.  The 5 bytes replaced here
    // are re-executed by CreateThread_Call / CreateThread_Hook as push ebp / mov ebp,esp.
    ((BYTE *)fpCreateThread)[0] = 0xE9;
    ((DWORD *)((BYTE *)fpCreateThread + 1))[0] = JMP(fpCreateThread, CreateThread_Hook);

    CreateThread_Address = (DWORD)fpCreateThread;

    // Build "<directory of this DLL>\MapleMoon_org.dll".  The GetModuleFileName
    // result is unchecked and _tcscat is unbounded, so a long install path can
    // overrun szPath (MAX_PATH).
    GetModuleFileName((HINSTANCE)lpThreadParameter, szPath, ARRAYSIZE(szPath));
    PathRemoveFileSpec(szPath);
    _tcscat(szPath, _T("\\MapleMoon_org.dll"));

    hModule = LoadLibrary(szPath);
    if (hModule == NULL)
        return FALSE;

    // Wait for the hook to capture the CREATE_SUSPENDED thread.  No timeout: if
    // the expected call site never fires this loops forever.  hThread is not
    // volatile; the reload relies on Sleep() being an opaque call.
    while (hThread == NULL)
        Sleep(1000);

    // Five NOP bytes (90 90 90 90 90) at module+0x8309.
    lpAddress = (LPVOID)((DWORD)hModule + 0x8309);
    if (VirtualProtect(lpAddress, 5, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
        return FALSE;
    ((BYTE *)lpAddress)[0] = 0x90;
    ((DWORD *)((BYTE *)lpAddress + 1))[0] = 0x90909090;

    // Five NOP bytes at module+0x83DD.
    lpAddress = (LPVOID)((DWORD)hModule + 0x83DD);
    if (VirtualProtect(lpAddress, 5, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
        return FALSE;
    ((BYTE *)lpAddress)[0] = 0x90;
    ((DWORD *)((BYTE *)lpAddress + 1))[0] = 0x90909090;

    // WORD 0x14EB is stored little-endian as EB 14: a short jump forward 0x14 bytes.
    lpAddress = (LPVOID)((DWORD)hModule + 0x9650);
    if (VirtualProtect(lpAddress, 2, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
        return FALSE;
    ((WORD *)lpAddress)[0] = 0x14EB;

    // Single byte 0x40 (inc eax in 32-bit code); what it replaces is not visible here.
    lpAddress = (LPVOID)((DWORD)hModule + 0x9667);
    if (VirtualProtect(lpAddress, 1, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
        return FALSE;
    ((BYTE *)lpAddress)[0] = 0x40;

    // EB 09: short jump forward 9 bytes.
    lpAddress = (LPVOID)((DWORD)hModule + 0x967B);
    if (VirtualProtect(lpAddress, 2, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
        return FALSE;
    ((WORD *)lpAddress)[0] = 0x09EB;

    // EB 0E: short jump forward 14 bytes.
    lpAddress = (LPVOID)((DWORD)hModule + 0x96CF);
    if (VirtualProtect(lpAddress, 2, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
        return FALSE;
    ((WORD *)lpAddress)[0] = 0x0EEB;

    // Two zero bytes.
    lpAddress = (LPVOID)((DWORD)hModule + 0x96F8);
    if (VirtualProtect(lpAddress, 2, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
        return FALSE;
    ((WORD *)lpAddress)[0] = 0x0000;

    // NUL-terminated byte string copied over module+0x3957EC.  The bytes look
    // like multi-byte (presumably Big5) text; presumably a replacement for a
    // string the module displays — verify against the target binary.
    BYTE a[] = {0xAF, 0x7D, 0xB8, 0xD1, 0xB4, 0xA3, 0xBF, 0xF4, 0x00};
    lpAddress = (LPVOID)((DWORD)hModule + 0x3957EC);
    if (VirtualProtect(lpAddress, sizeof(a), PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
        return FALSE;
    memcpy(lpAddress, a, sizeof(a));

    // Second NUL-terminated byte string for module+0x3957A7; ASCII "Toby" and a
    // run of digit characters are visible among the multi-byte sequences.
    BYTE b[] = {0xB1, 0x7A, 0xA8, 0xCF, 0xA5, 0xCE, 0xAA, 0xBA, 0xAC,
                0x4F, 0x54, 0x6F, 0x62, 0x79, 0xAF, 0x7D, 0xB8, 0xD1,
                0xAA, 0xA9, 0xA1, 0x41, 0xA6, 0x70, 0xB9, 0x43, 0xC0,
                0xB8, 0xA7, 0xF3, 0xB7, 0x73, 0xBD, 0xD0, 0xA4, 0xC5,
                0xC4, 0x7E, 0xC4, 0xF2, 0xA8, 0xCF, 0xA5, 0xCE, 0xA1,
                0x43, 0x52, 0x43, 0xB8, 0x73, 0x3A, 0x32, 0x37, 0x30,
                0x35, 0x39, 0x31, 0x34, 0x35, 0x00};

    lpAddress = (LPVOID)((DWORD)hModule + 0x3957A7);
    if (VirtualProtect(lpAddress, sizeof(b), PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
        return FALSE;
    memcpy(lpAddress, b, sizeof(b));

    // All patches applied: let the captured (suspended) thread run.  Its return
    // value is ignored and the handle is never closed.
    ResumeThread(hThread);
    return TRUE;
}