MapleMoon Ver_175.1.1A 破解

說明

這是破解MapleMoon Ver_175.1.1A(修復自動按鍵問題)的會員版(Member)用的程式碼,包含了免金鑰、免檢查版本等破解。

使用方法

  1. 下載MapleMoon Ver_175.1.1A(Member).rar
  2. 解壓縮MapleMoon Ver_175.1.1A(Member).rar
  3. MapleMoon Ver_175.1.1A(Member)內的MapleMoon.dll重新命名為MapleMoon_org.dll
  4. 儲存程式碼為DllMain.cpp
  5. 編譯MoonPatch.cpp(參考編譯指令)並重新命名為MapleMoon.dll
  6. MapleMoon.dll放到MapleMoon Ver_175.1.1A(Member)中。
  7. 開啟遊戲、開啟MapleMoon Injector.exe並按注入,如沒有注入器請自行用TobyInjector注入。

編譯指令

bcc32(C++Builder的編譯器): bcc32 -tWD -eMoonPatch.dll DllMain.cpp
cl(VC++的編譯器): cl /FeMoonPatch.dll /wd4068 DllMain.cpp /LD
如要用IDE來編譯,可參考C++Builder 教學:建立DLL專案Target FrameworkNone

MoonPatch.dll 程式碼:

DllMain.cpp
#include <tchar.h>
#include <Windows.h>
#include <Shlwapi.h>

#pragma hdrstop
#pragma argsused
#pragma comment(lib, "shlwapi")

// Displacement operand for a 5-byte x86 near jump (opcode 0xE9 + rel32) that is
// written at `frm` and must land on `to`: rel32 = to - (frm + 5).
// Both pointers are cast to int, so the arithmetic is only meaningful in a
// 32-bit build. The macro arguments are not parenthesised inside the expansion.
#define JMP(frm,to) (((int)to - (int)frm)-5)

// Worker thread entry point; DllMain hands it to CreateThread.
DWORD WINAPI Start(LPVOID lpThreadParameter);

// DLL entry point. On DLL_PROCESS_ATTACH it starts Start() on a new thread and
// passes this module's own instance handle as the thread parameter. Every other
// notification is ignored. Always returns 1 (success), whether or not the
// thread could be created.
// The handle returned by CreateThread is discarded, so it is never closed.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
if (fdwReason == DLL_PROCESS_ATTACH)
{
// The work is deferred to a separate thread: Start() calls LoadLibrary,
// which must not be called from inside DllMain itself.
CreateThread(NULL, 0, Start, hinstDLL, 0, NULL);
}
return 1;
}

// Address of kernel32!CreateThread. Start() stores it only AFTER it has written
// the jmp at that address; both assembly stubs jump to this value + 5.
// NOTE(review): between those two steps the hook is live while this is still 0.
DWORD CreateThread_Address;
// Caller's return address, parked here by CreateThread_Hook while it re-issues
// the call. A single global slot, so the intercept path is not reentrant.
DWORD ReturnAddress;
// Handle of the one thread that CreateThread_Hook forced to start suspended;
// 0 until that happens. Written from assembly and polled by Start() without
// volatile or any synchronisation.
HANDLE hThread = 0;

// Trampoline into the original CreateThread. It executes `push ebp` and
// `mov ebp, esp` itself, then jumps to CreateThread + 5, i.e. just past the five
// bytes that Start() overwrote with the jmp.
// naked: the compiler emits no prologue or epilogue, so on entry the stack is
// exactly what the caller left (return address followed by the arguments).
// NOTE(review): this reproduces the original behaviour only if the overwritten
// five bytes were `mov edi, edi; push ebp; mov ebp, esp`. The code never checks
// that; confirm against the kernel32 build actually loaded.
void __declspec(naked) CreateThread_Call()
{
__asm
{
Mov Eax, [CreateThread_Address]
Add Eax, 0x05
Push Ebp
Mov Ebp, Esp
Jmp Eax
}
}

// Target of the jmp that Start() writes over the entry of kernel32!CreateThread,
// so every CreateThread call in the process arrives here with the caller's
// stack untouched: [Esp] = return address, [Esp+4] onwards = the six arguments.
//
// Exactly one call is intercepted: the first whose call site matches a 4-byte
// signature while hThread is still 0. For that call the dwCreationFlags
// argument is overwritten with 4 (CREATE_SUSPENDED), the original function is
// run through CreateThread_Call, and the returned handle is saved in hThread.
// All other calls fall through to the original function unchanged.
//
// Which call site the signature belongs to is not visible in this file;
// presumably it is a thread started by the module that Start() loads.
void __declspec(naked) CreateThread_Hook()
{
__asm
{
// Eax = return address of whoever called CreateThread
Mov Eax, [Esp]
// Call-site signature: the dword 12 bytes before the return address must be
// 0x0000FF68, i.e. the byte sequence 68 FF 00 00 in memory
Cmp dword ptr[Eax-0x0C], 0x0000FF68
Jne Return
// Only the first matching call is intercepted
Cmp [hThread], 0x00
Jne Return
// [Esp+0x14] is the fifth argument, dwCreationFlags; 4 = CREATE_SUSPENDED
Mov dword ptr[Esp+0x14], 0x04
// Remove the caller's return address so that the Call below pushes a new one
// into the same slot and the arguments stay where CreateThread expects them
Pop [ReturnAddress]
// The value computed in Eax by the next two lines is not used:
// CreateThread_Call reloads it
Mov Eax, [CreateThread_Address]
Add Eax, 0x05
Call CreateThread_Call
// Back from the original CreateThread with the arguments already popped by
// the callee (stdcall) and the new thread handle in Eax
Push Eax
Pop [hThread]
// Return to the original caller; Eax still holds the handle
Push [ReturnAddress]
Ret
Return:
// Pass-through path: same sequence as CreateThread_Call
Mov Eax, [CreateThread_Address]
Add Eax, 0x05
Push Ebp
Mov Ebp, Esp
Jmp Eax
}
}

// Worker thread started by DllMain; lpThreadParameter carries this DLL's own
// HINSTANCE. Steps, in order:
//   1. Overwrite the first 5 bytes of kernel32!CreateThread with a jmp to
//      CreateThread_Hook (inline hook).
//   2. Load MapleMoon_org.dll from the directory this DLL was loaded from.
//   3. Wait until the hook has captured a suspended thread (hThread != NULL).
//   4. Overwrite bytes at nine hard-coded offsets inside the loaded module.
//   5. Resume the captured thread.
// Returns TRUE on success, FALSE as soon as a lookup, VirtualProtect or
// LoadLibrary call fails.
//
// The page's description says the patches remove the key check and the version
// check; the code itself does not show which offset serves which purpose.
//
// Review notes (what the code does and does not do):
//   - flOldProtect is written by every VirtualProtect call but never used to
//     restore the previous protection, so each touched page stays
//     PAGE_EXECUTE_READWRITE.
//   - The bytes at the target offsets are never compared with expected values
//     before being overwritten; with any other build of the module the writes
//     land on unrelated code or data.
//   - Any FALSE return after step 1 leaves the CreateThread hook installed, and
//     a FALSE return after step 3 leaves the captured thread suspended.
//   - No FlushInstructionCache call follows the code writes.
//   - From an integrity-checking point of view the result is observable: the
//     first byte of the CreateThread export is 0xE9 and no longer matches the
//     on-disk kernel32 image, and the patched pages are writable and executable.
DWORD WINAPI Start(LPVOID lpThreadParameter)
{
TCHAR szPath[MAX_PATH];
FARPROC fpCreateThread;
HMODULE hModule;
DWORD flOldProtect;
LPVOID lpAddress;

// Locate kernel32, loading it only if it is not already mapped.
hModule = GetModuleHandle(_T("kernel32"));
if (hModule == NULL)
hModule = LoadLibrary(_T("kernel32"));
if (hModule == NULL)
return FALSE;

fpCreateThread = GetProcAddress(hModule, "CreateThread");
if (fpCreateThread == NULL)
return FALSE;

// VirtualProtect returns BOOL; the comparison with NULL is a comparison with 0.
if (VirtualProtect(fpCreateThread, 5, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
return FALSE;

// Inline hook: E9 <rel32> = jmp CreateThread_Hook, written as two separate
// stores (1 byte, then 4 bytes) with no synchronisation against other threads.
((BYTE *)fpCreateThread)[0] = 0xE9;
((DWORD *)((BYTE *)fpCreateThread + 1))[0] = JMP(fpCreateThread, CreateThread_Hook);

// NOTE(review): set only after the hook is already live; a CreateThread call
// from another thread in this window would jump to 0 + 5.
CreateThread_Address = (DWORD)fpCreateThread;

// Build "<directory of this DLL>\MapleMoon_org.dll".
// GetModuleFileName's return value is not checked and _tcscat is unbounded,
// so a path close to MAX_PATH can overflow szPath.
GetModuleFileName((HINSTANCE)lpThreadParameter, szPath, ARRAYSIZE(szPath));
PathRemoveFileSpec(szPath);
_tcscat(szPath, _T("\\MapleMoon_org.dll"));

// Loaded after the hook is in place, so CreateThread calls made while the
// module initialises already pass through CreateThread_Hook.
hModule = LoadLibrary(szPath);
if (hModule == NULL)
return FALSE;

// Poll once per second until the hook has stored a thread handle. There is
// no timeout: if no call ever matches the signature this loop never ends.
while (hThread == NULL)
Sleep(1000);

// From here on the captured thread is suspended; the writes below happen
// before it runs. All offsets are relative to the module's load address.

// 5 bytes of 0x90 (NOP); presumably blanks a 5-byte instruction such as a
// call or jmp rel32 - not verifiable from this file.
lpAddress = (LPVOID)((DWORD)hModule + 0x8309);
if (VirtualProtect(lpAddress, 5, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
return FALSE;
((BYTE *)lpAddress)[0] = 0x90;
((DWORD *)((BYTE *)lpAddress + 1))[0] = 0x90909090;

// Same 5-byte NOP fill at a second location.
lpAddress = (LPVOID)((DWORD)hModule + 0x83DD);
if (VirtualProtect(lpAddress, 5, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
return FALSE;
((BYTE *)lpAddress)[0] = 0x90;
((DWORD *)((BYTE *)lpAddress + 1))[0] = 0x90909090;

// WORD 0x14EB is stored little-endian as EB 14: a short jmp, +0x14 bytes.
lpAddress = (LPVOID)((DWORD)hModule + 0x9650);
if (VirtualProtect(lpAddress, 2, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
return FALSE;
((WORD *)lpAddress)[0] = 0x14EB;

// Single byte set to 0x40; its meaning depends on the instruction it sits in,
// which is not shown here.
lpAddress = (LPVOID)((DWORD)hModule + 0x9667);
if (VirtualProtect(lpAddress, 1, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
return FALSE;
((BYTE *)lpAddress)[0] = 0x40;

// EB 09: short jmp, +0x09 bytes.
lpAddress = (LPVOID)((DWORD)hModule + 0x967B);
if (VirtualProtect(lpAddress, 2, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
return FALSE;
((WORD *)lpAddress)[0] = 0x09EB;

// EB 0E: short jmp, +0x0E bytes.
lpAddress = (LPVOID)((DWORD)hModule + 0x96CF);
if (VirtualProtect(lpAddress, 2, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
return FALSE;
((WORD *)lpAddress)[0] = 0x0EEB;

// Two bytes zeroed; purpose not determinable from this file.
lpAddress = (LPVOID)((DWORD)hModule + 0x96F8);
if (VirtualProtect(lpAddress, 2, PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
return FALSE;
((WORD *)lpAddress)[0] = 0x0000;

// 9 bytes including the trailing 0x00. No byte is printable ASCII; it looks
// like a NUL-terminated string in a double-byte encoding (not decoded here).
// The offset is far from the code patches above, presumably in a data section.
BYTE a[] = {0xAF, 0x7D, 0xB8, 0xD1, 0xB4, 0xA3, 0xBF, 0xF4, 0x00};
lpAddress = (LPVOID)((DWORD)hModule + 0x3957EC);
if (VirtualProtect(lpAddress, sizeof(a), PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
return FALSE;
memcpy(lpAddress, a, sizeof(a));

// 60 bytes including the trailing 0x00: a second replacement string, mostly
// double-byte encoded, with the ASCII run 54 6F 62 79 ("Toby") and a ':'
// followed by ASCII digits at the end.
BYTE b[] = {0xB1, 0x7A, 0xA8, 0xCF, 0xA5, 0xCE, 0xAA, 0xBA, 0xAC,
0x4F, 0x54, 0x6F, 0x62, 0x79, 0xAF, 0x7D, 0xB8, 0xD1,
0xAA, 0xA9, 0xA1, 0x41, 0xA6, 0x70, 0xB9, 0x43, 0xC0,
0xB8, 0xA7, 0xF3, 0xB7, 0x73, 0xBD, 0xD0, 0xA4, 0xC5,
0xC4, 0x7E, 0xC4, 0xF2, 0xA8, 0xCF, 0xA5, 0xCE, 0xA1,
0x43, 0x52, 0x43, 0xB8, 0x73, 0x3A, 0x32, 0x37, 0x30,
0x35, 0x39, 0x31, 0x34, 0x35, 0x00};

// Written at 0x3957A7; 60 bytes end at 0x3957E2, before the 0x3957EC write above.
lpAddress = (LPVOID)((DWORD)hModule + 0x3957A7);
if (VirtualProtect(lpAddress, sizeof(b), PAGE_EXECUTE_READWRITE, &flOldProtect) == NULL)
return FALSE;
memcpy(lpAddress, b, sizeof(b));

// Let the captured thread run now that all writes are done. The handle is
// not closed afterwards.
ResumeThread(hThread);
return TRUE;
}