"Tai Shou Zhi Chuan 4" All military commanders have achieved Doskey Lee, I would like to have "Too Solden Lizhizi 4" game. There are 600 characters inside to choose. Have a high flexibility. If the light is completely collected, it is almost impossible. Since several students are interested in collecting cards. Therefore, recently studied some research on this game, and wanted to use a modified means to obtain military command cards. Here is the process I operate. The game is found from Tibetan Classic Pavilion 287. After the game is installed, it is 289MB, not very big. It is found in the game to obtain a variety of military command cards. Archive after the game begins. It is found that there are more two protagonists ("Fengchen Xiuji" and "Qi Tian Lijia"). In addition, there are more new files in the game directory, and another file is modified. Many files are savedat0.dat, and the modified file is SaveData.dat. After deleting the SaveDat0.dat file, it is found that there is no archive in the game. The data inside the set card is still there. You can determine that savdat0.dat is an archive file, while savedata.dat is a file that saves the set card. SaveData.dat file size is 1024 bytes, just 1KB. Open the file with WinHex, discover the following data: Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F00000000 54 41 49 4B 4F 55 34 57 49 4E 20 20 20 20 00 TAIKOU4WIN.0000000010 01 00 00 00 00 00 00000010 01 00 00 00 00 00 00 00 00 00000010 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ......? ... ...... 00000290 00 00 00 00 00 00 00 00 00 00 00 A8 00 90 00 00 ........... ??. 000002A0 00 00 00 00 00 00 0E 90 53 0B 70 01 00 00 00 45 ....... hasty .p .... E000002B0 40 82 28 81 00 00 00 00 00 00 00 00 00 00 00 00 @ ?? ...... ..... ... The rest is 0. The front Taikou4win must be a file header, and the first line does not take it. Then I found 01 at 10h, and there is a F9 at 0ABH, which must be a game modification. 
I changed the 01 at 10h to 00 and re-entered the game: "Fengchen Xiuji" was gone from the album. I changed the F9 at 0ABh to 00, and the protagonist "Qi Tian Lijia" was gone as well. So this region stores the slots of the protagonists.

I tried to add cards directly by changing 11h to 02 and by changing other locations in this range, but no new character appeared. This shows that the code for each military commander is produced by a more complex algorithm, so the only way forward is to find it.

I noted the data at 2B7h to 2BBh, opened SoftICE and searched for it:

    S 400000 L ffffffff 0E,90,53,0B,70,01

Once it was found, the memory window showed the entire file in memory. The start address of the file data in memory is 604528h, so the code of the protagonist "Fengchen Xiuji" is at 604538h.
I set a memory read breakpoint there:

    bpm 604538 r

Opening the card album breaks at 489816h. The nearby code is:

    :00489806 56              push esi
    :00489807 E864651200      call 005AFD70
    :0048980C 68FF000000      push 000000FF
    :00489811 E87A651200      call 005AFD90                     ; the function that obtains the correct military commander code
    :00489816 8A9638456000    mov dl, byte ptr [esi+00604538]   ; <= breaks here; reads the data from memory into DL for the comparison
    :0048981C 83C408          add esp, 00000008
    :0048981F FEC0            inc al                            ; calculates the correct military commander code
    :00489821 33C9            xor ecx, ecx
    :00489823 3AD0            cmp dl, al                        ; checks whether the military commander code is correct
    :00489825 5E              pop esi
    :00489826 0F94C1          sete cl
    :00489829 8BC1            mov eax, ecx
    :0048982B 5D              pop ebp
    :0048982C C3              ret

At 489823h, writing the value of AL directly into the corresponding memory location makes that commander show up in the card album. Doing this one at a time is far too much trouble. There are 600 of them! In keeping with our PEDIYer spirit, I only need to change the code. Since the program computes the code for us, I just need to make the program store the military commander code straight back into memory.
Assemble in SoftICE:

    a 489816
    inc al
    mov [esi+604538], al
    add esp, 8
    xor ecx, ecx
    cmp al, al

    ----------------------------------------------------------------------------------------------------------------
    | Original code                     | Modified code          | Explanation                                     |
    ----------------------------------------------------------------------------------------------------------------
    | mov dl, byte ptr [esi+00604538]   | inc al                 | AL plus one gives the military commander code   |
    | add esp, 00000008                 | mov [esi+604538], al   | Save the military commander code to memory      |
    | inc al                            | add esp, 00000008      | Unchanged code                                  |
    | xor ecx, ecx                      | xor ecx, ecx           | Unchanged code                                  |
    | cmp dl, al                        | cmp al, al             | AL compared with AL, always true                |
    ----------------------------------------------------------------------------------------------------------------

Note the two unchanged instructions. Apart from your own modification, the program's remaining code has to be kept, otherwise unpredictable errors will occur.

Then return to the game and open the card album: the 600 military commanders appear. There are also more than 50 garbage entries!? It's okay. Wait a minute. Look at the data at 604528h in memory: what is stored there now is the data of all 600 military commanders! Dump it quickly with IceDump:

    /dump 604528 400 c:/a.bin

Exit the game and open a.bin with WinHex. Clear the codes of the 50-odd garbage entries: fill the data from 268h to 299h with 0. Finally, copy a.bin to the game's directory and rename it SaveData.dat. Enter the game again, and we can enjoy using all 600 military commanders!

In addition, the storage structure of the other cards is relatively simple: they are all stored as binary bits, and filling 29Ah to 2B4h with FF gives all the other cards. Go back to the game to see a 100% complete card album! :)

The UUE file of SaveData.dat is given below. Copy the following content into a new text file, change its extension to UUE, then open it with WinRAR to unpack it.
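The before/after comparison used to locate 10h and 0ABh, and the final clean-up of the dumped image, as an added Python example that is not part of the original article. The function names and the sample images are constructed here; only the offsets, the 400h size and the TAIKOU4WIN header come from the text above.

```python
# Added example: replay the SaveData.dat analysis on constructed 1 KB images.
SAVE_SIZE = 0x400                  # 1024-byte file, same length as the IceDump
MAGIC = b"TAIKOU4WIN"              # header text visible in the hex dump
GARBAGE = range(0x268, 0x29A)      # 268h..299h: the article fills this with 0
OTHER_CARDS = range(0x29A, 0x2B5)  # 29Ah..2B4h: bit flags, filled with FF


def check_image(data: bytes) -> None:
    """Refuse anything that is not a 1 KB image carrying the expected header."""
    if len(data) != SAVE_SIZE:
        raise ValueError(f"expected {SAVE_SIZE} bytes, got {len(data)}")
    if not data.startswith(MAGIC):
        raise ValueError("missing TAIKOU4WIN header")


def diff_offsets(before: bytes, after: bytes) -> list:
    """List (offset, old, new) for every byte that differs between two images."""
    check_image(before)
    check_image(after)
    return [(off, a, b) for off, (a, b) in enumerate(zip(before, after)) if a != b]


def finalize_dump(dump: bytes) -> bytes:
    """Apply the two range edits the article makes to the dumped a.bin."""
    check_image(dump)
    out = bytearray(dump)
    for off in GARBAGE:
        out[off] = 0x00
    for off in OTHER_CARDS:
        out[off] = 0xFF
    return bytes(out)


def constructed_image(changes: dict) -> bytes:
    """Build a sample image: header, zero padding, then the given byte values."""
    img = bytearray(MAGIC.ljust(SAVE_SIZE, b"\x00"))
    for off, val in changes.items():
        img[off] = val
    return bytes(img)


if __name__ == "__main__":
    before = constructed_image({})
    after = constructed_image({0x10: 0x01, 0xAB: 0xF9})   # values from the article
    for off, old, new in diff_offsets(before, after):
        print(f"{off:03X}h: {old:02X} -> {new:02X}")
    fixed = finalize_dump(constructed_image({0x10: 0x01, 0x270: 0x55}))
    print(fixed[0x270], fixed[0x29A], fixed[0x2B4])
```
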