MapleMoon Ver_174.2.1(原楓之明月) 數據

2014-10-19

原作誤植了版本，應該是174.1.2。
這個外掛用的是Themida加殼，在對API保護上有一定強度，而且也是以DLL方式注入。

在此爆破所使用的數據，不過數據也都是找得到的。

// 174.1 怪物不退、人物不退、只撿楓幣
// Cracked by Toby
[Enable]
GlobalAlloc(MobNoKB_SW, 4)
GlobalAlloc(CharNoKB_SW, 4)
GlobalAlloc(OnlyPickMony_SW, 4)
Alloc(MoonScript, 1024)
Label(Next1)
Label(Next2)
Label(Return)
Label(CharNoKB_Main)

MobNoKB_SW:
DD 0

CharNoKB_SW:
DD 0

OnlyPickMony_SW:
DD 0

MoonScript:
Cmp [MobNoKB_SW], 01
Jne Next1
Cmp [Esp+3C], 007FECC7
Jne Next1
Mov [Esp+3C], 007FECDA

Next1:
Cmp [CharNoKB_SW], 01
Jne Next2
Cmp [Esp+5C], 00DE28E8
Jne Next2
Mov [Esp+5C], CharNoKB_Main

Next2:
Cmp [OnlyPickMony_SW], 01
Jne Return
Cmp [Esp+13C], 005DC41F
Jne Return
Mov [Esp+13C], 005DC4B3
Jmp Return

Return:
Jmp 0098833E

CharNoKB_Main:
Add Esp, 18
Mov [Ebp-20], FFFFFFFF
Lea Edi, [Ebx+B0]
Jmp 00DE28F9

015E2F44:
DD MoonScript
[Disable]
015E2F44:
DD 0098833E
DeAlloc(MobNoKB_SW)
DeAlloc(CharNoKB_SW)
DeAlloc(OnlyPickMony_SW)
DeAlloc(MoonScript)

// 174.1 移除背景
// Cracked by Toby
[Enable]
Alloc(HideBackGround, 512)
Label(Return)

Cmp [HBG_SW], 01
Jne Return
Cmp [Esp+08], 007B6692
Jne Return
Mov [Esp+08], 007B6747

Return:
Jmp VariantClear

0118C2A8:
DD HideBackGround
[Disable]
0118C2A8:
DD VariantClear
DeAlloc(HideBackGround)

// 174.1 超級笨怪
// Cracked by Toby
[Enable]
GlobalAlloc(MobStupid_SW, 4)
Alloc(MobStupid, 512)
Label(Return)
Label(MobStupid_Main)

MobStupid_SW:
DD 0

Cmp [MobStupid_SW], 01
Jne Return
Cmp [Esp+3C], 00E8844E
Jne Return
Mov [Esp+3C], MobStupid_Main

Return:
Jmp RtlSetLastWin32Error

MobStupid_Main:
Xor Edi, Edi
Jmp 00E88455

0118C25C:
DD MobStupid
[Disable]
0118C25C:
DD RtlSetLastWin32Error
DeAlloc(MobStupid_SW)
DeAlloc(MobStupid)

// 174.1 滑鼠移動
// Cracked by Toby
[Enable]
GlobalAlloc(MouseMove_SW, 4)
Alloc(MouseMove, 1024)
Label(Return)
Label(MouseMove_Back)

MouseMove_SW:
DD 0

MouseMove:
Pushad 
Cmp [MouseMove_SW], 01
Jne Return
Mov Eax, [01612C60]
Cmp Eax, 00
Je Return
Cmp dword ptr[Eax+00000A34], 0C
Jne Return
Mov Eax, [01612C60]
Mov Eax, [Eax+00000978]
Mov Ebx, [Eax+00000088]
Mov Eax, [Eax+0000008C]
Mov Ecx, [01612C64]
Mov [Ecx+0000A700], Ebx
Mov [Ecx+0000A704], Eax
Mov [Ecx+0000A6F8], 00000001
Jmp MouseMove_Back

MouseMove_Back:
Popad
Mov Edi, Edi
Push Ebp
Mov Ebp, Esp
Mov Eax, [Ebp+08]
Test Eax, Eax
Jmp PtInRect+A

PtInRect+5:
Jmp MouseMove
[Disable]
PtInRect+5:
DB 8B FF 55 8B EC
DeAlloc(MouseMove_SW)
DeAlloc(MouseMovee)

// 174.1 全職全圖
// Cracked by Toby
[Enable]
GlobalAlloc(FMA_SW, 4)
Alloc(FullMapAttack, 2048)
Label(Step1)
Label(Step2)
Label(Return)
Label(Step1_Main)
Label(Step2_Main)
Label(Step2_Back)
Label(Step2_FakeCall)

FMA_SW:
DD 0

FullMapAttack:
Cmp [FMA_SW], 00
Je Return
Cmp [Esp+0C], 00810D31
Je Step1
Cmp [Esp+0C], 00810B8E
Je Step2
Jmp Return

Step1:
Mov [Esp+0C], Step1_Main
Jmp Return

Step2:
Mov [Esp+0C], Step2_Main

Return:
Jmp VariantInit

Step1_Main:
mov ecx,[ebx+000001D8]
mov [ebp-04],0000000E
cmp ecx,esi
je Step1_Back
lea eax,[ebp-7C]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
lea eax,[ebp-58]
push eax
lea eax,[ebp-5C]
push eax
call 004969BB
or dword ptr [ebp-04],-01
lea eax,[ebp-7C]
push eax
call 00457196
pop ecx
lea eax,[ebp-5C]
push eax
lea ecx,[ebx+000008D4]
call 007D6D33
test eax,eax
Jmp 00810D81
Step1_Back:
Jmp 00810960

Step2_Main:
mov ecx,[ebx+000001D8]
mov [ebp-04],0000000D
cmp ecx,esi
je Step2_Back
lea eax,[ebp-7C]
push eax
push esi
push esi
push esi
push esi
push esi
push esi
lea eax,[ebp-58]
push eax
lea eax,[ebp-5C]
push eax
call 004969BB
or [ebp-04],FFFFFFFF
lea eax,[ebp-7C]
push eax
call 00457196
pop ecx
lea eax,[ebp-5C]
push eax
mov ecx,edi
call Step2_FakeCall
Jmp 00810BD3
Step2_Back:
Jmp 00810960

Step2_FakeCall:
push esi
push edi
mov edi,[esp+0C]
pushad 
mov ecx,[01612C64]
add ecx,04
push edi
call 00573286
popad
Jmp 00498286

0118C2A4:
DD FullMapAttack
[Disable]
0118C2A4:
DD VariantInit
DeAlloc(FMA_SW)
DeAlloc(FullMapAttack)