Writing game plug-ins in VB from scratch (10)

Source: Internet
Author: User
Tags: client
The night before last I spent a whole night playing with packets (it was my first time working with packets); here is what I found over that night.
WPE could not intercept them directly, because the Jinshan (Kingsoft) game itself has protection against packet interception (as MM said). Since I could not intercept with WPE straight away, I later used OllyDbg to debug my way to the interception point.
After the preceding preparation, the plaintext packet is assembled and ready to be encrypted. Encryption takes a 4-byte number and XORs it over the packet, and the result is sent straight out. I compared this against the packet data I captured with WPE, and the XOR result matched exactly. This means the packet can be recovered by XORing it again with that same 4-byte number.
In fact, that 4-byte number is the encryption key each time, and it is agreed with the server; I have not traced how this 4-byte value is obtained. For now I have only found that as long as you do not change scene, the 4-byte key does not change.
In the same way, the data returned by the server has been processed with a 4-byte XOR, and the client decrypts it with the server-side 4-byte key to get the plaintext packet.
In general, Fengshen's packet encryption and decryption process is:
Send:
1, build the plaintext packet
2, take the 4-byte send key
3, XOR the packet with the 4-byte key (the first 2 bytes are left untouched); the final fewer-than-4 bytes are processed one byte at a time.
4, send.
RECV:
1, receive the packet
2, take the 4-byte RECV key
3, XOR the packet with the 4-byte key (the first 2 bytes are left untouched); the final fewer-than-4 bytes are processed one byte at a time.
4, parse the plaintext packet


--------------------------------------------------------------------------------


The method above is quite tiring! Now let's talk about local modification (everyone is familiar with FPE and similar software),
making an assist plug-in (auto HP, auto MP, free weight, and so on).
The HP address is not fixed, so I first use Jinshan Ranger (Kingsoft Ranger) to find the current address,
then set a breakpoint on that address in SoftICE; SoftICE should break immediately,
and you will see mov DWORD PTR ds:[eax+ecx*8+eb4],edi.
In the client this instruction sits at 0x4b2c74.
You can change the game's code flow:
replace mov DWORD PTR ds:[eax+ecx*8+eb4],edi
with E9 xx xx xx xx 90 90,
a JMP to a free area between .rsrc and .data in the process.
At the address (xx xx xx xx) + 0x4b2c74 + 5 put MOV Y, EDI;
the next instruction does the original MOV DWORD PTR ds:[eax+ecx*8+eb4],edi;
then one more E9 ZZ ZZ ZZ ZZ,
with ZZ ZZ ZZ ZZ set so that it jumps back to the instruction after the original MOV DWORD PTR ds:[eax+ecx*8+eb4],edi,
which is at 0x4b2c7b.
So the HP address is now fixed: just read Y to know the HP.

--------------------------------------------------------------------------------



Below I'll talk about cracking the client (just a small first attempt!). Interested friends can build a DLL
to implement HP boost and HP lock!
.text:004E8EF0 sub_4E8EF0 proc near
.text:004E8EF0
.text:004E8EF0 arg_0 = dword ptr 4
.text:004E8EF0 arg_4 = dword ptr 8
.text:004E8EF0 arg_8 = dword ptr 0Ch
.text:004E8EF0
.text:004E8EF0 mov ecx, [esp+arg_0] ; probably the length
.text:004E8EF4 push ebx
.text:004E8EF5 mov eax, [esp+4+arg_4] ; buffer address
.text:004E8EF9 push esi
.text:004E8EFA mov esi, ecx
.text:004E8EFC push edi
.text:004E8EFD mov edi, [esp+0Ch+arg_8] ; address of the encryption key
.text:004E8F01 and esi, 3 ; remainder of the buffer length divided by 4
.text:004E8F04 shr ecx, 2 ; quotient of the buffer length divided by 4
.text:004E8F07 mov edx, [edi] ; load the encryption key value into edx
.text:004E8F09 mov ebx, ecx
.text:004E8F0B dec ecx
.text:004E8F0C test ebx, ebx
.text:004E8F0E jbe short loc_4E8F1E ; skip the dword loop when the quotient is 0
.text:004E8F10 inc ecx
.text:004E8F11
.text:004E8F11 loc_4E8F11:
.text:004E8F11 mov ebx, [eax]
.text:004E8F13 add eax, 4
.text:004E8F16 xor ebx, edx ; edx = key value, the core operation
.text:004E8F18 dec ecx
.text:004E8F19 mov [eax-4], ebx
.text:004E8F1C jnz short loc_4E8F11 ; equivalent to a for loop
.text:004E8F1E
.text:004E8F1E loc_4E8F1E:
.text:004E8F1E mov ecx, esi
.text:004E8F20 dec esi
.text:004E8F21 test ecx, ecx
.text:004E8F23 jbe short loc_4E8F35 ; skip the byte loop when the remainder is 0
.text:004E8F25 lea ecx, [esi+1]
.text:004E8F28
.text:004E8F28 loc_4E8F28:
.text:004E8F28 mov bl, [eax]
.text:004E8F2A xor bl, dl ; XOR operation on the remaining bytes
.text:004E8F2C mov [eax], bl
.text:004E8F2E inc eax
.text:004E8F2F shr edx, 8
.text:004E8F32 dec ecx
.text:004E8F33 jnz short loc_4E8F28 ; equivalent to a for loop
.text:004E8F35
.text:004E8F35 loc_4E8F35: ; key update
.text:004E8F35 mov eax, [edi]
.text:004E8F37 mov edx, eax
.text:004E8F39 shl edx, 5
.text:004E8F3C sub edx, eax
.text:004E8F3E mov eax, 1
.text:004E8F43 add edx, 8088405h
.text:004E8F49 mov [edi], edx ; store the updated key
.text:004E8F4B pop edi
.text:004E8F4C pop esi
.text:004E8F4D pop ebx
.text:004E8F4E retn
.text:004E8F4E sub_4E8EF0 endp
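As an added illustration (not code from the original post or from the game), here is a C reading of the routine above, with a sender/receiver round trip and the known-plaintext key recovery that shows why a fixed 4-byte XOR key gives no confidentiality. The function names, the sample packet bytes and the starting key 0x12345678 are my own assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Key update from loc_4E8F35: key = key*31 + 0x8088405 (shl 5, sub, add). */
uint32_t fs_next_key(uint32_t key) { return (key << 5) - key + 0x8088405u; }

/* C reading of sub_4E8EF0(len, buf, key_ptr).  x86 is little-endian, so the
   dword loop and the byte tail both apply key byte (i % 4) to buffer byte i.
   Returns 1 like the original (mov eax, 1). */
uint32_t fs_xor_packet(uint32_t len, uint8_t *buf, uint32_t *key_ptr)
{
    uint32_t key = *key_ptr, k = key, i, w;     /* mov edx, [edi] */
    for (i = 0; i < (len >> 2); i++) {          /* loc_4E8F11: whole dwords */
        memcpy(&w, buf + 4 * i, 4);
        w ^= key;                               /* xor ebx, edx */
        memcpy(buf + 4 * i, &w, 4);
    }
    buf += len & ~3u;
    for (i = 0; i < (len & 3); i++) {           /* loc_4E8F28: tail bytes */
        buf[i] ^= (uint8_t)k;                   /* xor bl, dl */
        k >>= 8;                                /* shr edx, 8 */
    }
    *key_ptr = fs_next_key(key);                /* mov [edi], edx */
    return 1;
}

/* Obfuscation, not encryption: one known 4-byte plaintext word beside its
   ciphertext yields the current key with a single XOR. */
uint32_t fs_recover_key(const uint8_t *plain, const uint8_t *cipher)
{
    uint32_t p, c;
    memcpy(&p, plain, 4); memcpy(&c, cipher, 4);
    return p ^ c;
}

/* Round trip on a constructed 11-byte packet (two dwords plus a 3-byte tail).
   Returns 1 on success, 0 on failure. */
int fs_selftest(void)
{
    static const uint8_t plain[11] = { 0x0b, 0x00, 0x30, 0x01, 0x41, 0x42,
                                       0x43, 0x44, 0x45, 0x46, 0x47 };
    uint8_t buf[11];
    uint32_t tx_key = 0x12345678u, rx_key = 0x12345678u;
    memcpy(buf, plain, sizeof buf);
    fs_xor_packet(sizeof buf, buf, &tx_key);            /* sender side */
    if (fs_recover_key(plain, buf) != 0x12345678u) return 0;
    fs_xor_packet(sizeof buf, buf, &rx_key);            /* receiver side */
    if (memcmp(buf, plain, sizeof buf) != 0) return 0;
    return tx_key == rx_key && tx_key == 0x3C5EFC8Du;
}
```

Both sides advance the key identically after every packet, which is why the post observes the key staying in step as long as the scene does not change.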

--------------------------------------------------------------------------------

