我破这个软件一个星期,也没破解,请高手指教!!
我破这个软件一个星期,也没破解,请高手指教!!最好能写详细过程,谢谢!! 我是刚学习破解知识的小菜鸟,请手指教 https://www.chinapyg.com/viewthread.php?tid=27128&highlight=参考我的破解版。具体的过程没写。只有一个破解文件。你可以跟一下看看是怎么回事。 首先脱壳,这个不说了。。。。
载入程序后随意输入注册码,再根据错误提示的字符串来到下面这里
0040AB8D .6A 02 push 2
0040AB8F .6A 00 push 0
0040AB91 .6A 00 push 0
0040AB93 .55 push ebp
0040AB94 .FFD7 call edi
0040AB96 .6A 00 push 0 ; /pOverlapped = NULL
0040AB98 .8D4424 18 lea eax,dword ptr ss: ; |
0040AB9C .50 push eax ; |pBytesWritten
0040AB9D .68 80000000 push 80 ; |nBytesToWrite = 80 (128.)
0040ABA2 .8D8C24 E4000000 lea ecx,dword ptr ss: ; |
0040ABA9 .51 push ecx ; |Buffer
0040ABAA .55 push ebp ; |hFile
0040ABAB .FFD6 call esi ; \WriteFile
0040ABAD .55 push ebp ; /hObject
0040ABAE .FF15 20E34300 call dword ptr ds:[<&kernel32.Clo>; \CloseHandle
0040ABB4 .6A 01 push 1
0040ABB6 .E8 41D90100 call dumped_.004284FC
0040ABBB >68 34014400 push dumped_.00440134 ;invalid sn number!
0040ABC0 .E8 31330000 call dumped_.0040DEF6
0040ABC5 .E8 83130000 call dumped_.0040BF4D
其中0040ABBB就是错误提示,它由0040A7A6跳来,
0040A782 .8D4C24 70 lea ecx,dword ptr ss:
0040A786 .51 push ecx ; /Arg1
0040A787 .8D4C24 20 lea ecx,dword ptr ss: ; |
0040A78B .E8 A0E1FFFF call dumped_.00408930 ; \dumped_.00408930
0040A790 .8B86 6C040000 mov eax,dword ptr ds:
0040A796 .334424 78 xor eax,dword ptr ss:
0040A79A .6A 00 push 0
0040A79C .3B86 68040000 cmp eax,dword ptr ds:
0040A7A2 .8BCE mov ecx,esi
0040A7A4 .6A 00 push 0
0040A7A6 .0F85 0F040000 jnz dumped_.0040ABBB
0040A7AC .68 70014400 push dumped_.00440170 ;注册成功,请重新启动软件
0040A7B1 .E8 40370000 call dumped_.0040DEF6
0040A7B6 .68 03010000 push 103
0040A7BB .8D9424 5D010000 lea edx,dword ptr ss:
0040A7C2 .6A 00 push 0
0040A7C4 .52 push edx
0040A7C5 .E8 B6D10100 call dumped_.00427980
而0040A78B则是判断注册码的关键CALL,进入后段首下断点
重载程序,程序断下后取消断点,F8步进来到下面的地址:
00407A1D .8D4C24 2C lea ecx,dword ptr ss: ; |
00407A21 .E8 0A0F0000 call dumped_.00408930 ; \dumped_.00408930
00407A26 .8BBC24 DC000000 mov edi,dword ptr ss:
00407A2D .6A 58 push 58
00407A2F .8D8C24 D8000000 lea ecx,dword ptr ss:
00407A36 .6A 00 push 0
00407A38 .51 push ecx
00407A39 .E8 42FF0100 call dumped_.00427980
00407A3E .6A 7F push 7F
00407A40 .8D9424 AD020000 lea edx,dword ptr ss:
00407A47 .6A 00 push 0
00407A49 .52 push edx
00407A4A .33EF xor ebp,edi
00407A4C .E8 2FFF0100 call dumped_.00427980
00407A51 .8DBC24 B4020000 lea edi,dword ptr ss:
00407A58 .83C4 18 add esp,18
00407A5B .66:C78424 9C020000>mov word ptr ss:,63
00407A65 .83C7 FF add edi,-1
00407A68 >8A47 01 mov al,byte ptr ds:
00407A6B .83C7 01 add edi,1
00407A6E .84C0 test al,al
00407A70 .^ 75 F6 jnz short dumped_.00407A68
00407A72 .66:A1 9CF04300 mov ax,word ptr ds:
00407A78 .66:8907 mov word ptr ds:,ax
00407A7B .8DBC24 9C020000 lea edi,dword ptr ss:
00407A82 .83C7 FF add edi,-1
00407A85 >8A47 01 mov al,byte ptr ds:
00407A88 .83C7 01 add edi,1
00407A8B .84C0 test al,al
00407A8D .^ 75 F6 jnz short dumped_.00407A85
00407A8F .66:8B0D 98F04300 mov cx,word ptr ds:
00407A96 .6A 0A push 0A ; /pFileSystemNameSize = 0000000A
00407A98 .6A 00 push 0 ; |pFileSystemNameBuffer = NULL
00407A9A .6A 00 push 0 ; |pFileSystemFlags = NULL
00407A9C .6A 00 push 0 ; |pMaxFilenameLength = NULL
00407A9E .8D5424 24 lea edx,dword ptr ss: ; |
00407AA2 .52 push edx ; |pVolumeSerialNumber
00407AA3 .6A 0C push 0C ; |MaxVolumeNameSize = C (12.)
00407AA5 .6A 00 push 0 ; |VolumeNameBuffer = NULL
00407AA7 .8D8424 B8020000 lea eax,dword ptr ss: ; |
00407AAE .50 push eax ; |RootPathName
00407AAF .66:890F mov word ptr ds:,cx ; |
00407AB2 .FF15 ACE24300 call dword ptr ds:[<&kernel32.Get>; \GetVolumeInformationA
00407AB8 .6A 7F push 7F
00407ABA .8D8C24 21030000 lea ecx,dword ptr ss:
00407AC1 .6A 00 push 0
00407AC3 .51 push ecx
00407AC4 .C68424 28030000 00 mov byte ptr ss:,0
00407ACC .E8 AFFE0100 call dumped_.00427980
00407AD1 .8B4424 20 mov eax,dword ptr ss:
00407AD5 .6A 10 push 10
00407AD7 .8D9424 2C030000 lea edx,dword ptr ss:
00407ADE .52 push edx
00407ADF .50 push eax
00407AE0 .E8 A4320300 call dumped_.0043AD89
00407AE5 .68 80000000 push 80
00407AEA .8D8C24 38030000 lea ecx,dword ptr ss:
00407AF1 .6A 00 push 0
00407AF3 .51 push ecx
00407AF4 .E8 87FE0100 call dumped_.00427980
00407AF9 .33C0 xor eax,eax ; |
00407AFB .6A 10 push 10 ; |Arg3 = 00000010
00407AFD .8D9424 54010000 lea edx,dword ptr ss: ; |
00407B04 .52 push edx ; |Arg2
00407B05 .68 17966482 push 82649617 ; |Arg1 = 82649617
00407B0A .898424 5C010000 mov dword ptr ss:,eax ; |
00407B11 .898424 60010000 mov dword ptr ss:,eax ; |
00407B18 .898424 64010000 mov dword ptr ss:,eax ; |
00407B1F .898424 68010000 mov dword ptr ss:,eax ; |
00407B26 .E8 5E320300 call dumped_.0043AD89 ; \dumped_.0043AD89
00407B2B .83C4 30 add esp,30
00407B2E .8D4424 7C lea eax,dword ptr ss:
00407B32 .50 push eax
00407B33 .8D4C24 2C lea ecx,dword ptr ss:
00407B37 .E8 54060000 call dumped_.00408190
00407B3C .8D8424 2C010000 lea eax,dword ptr ss:
00407B43 .8D48 01 lea ecx,dword ptr ds:
00407B46 >8A10 mov dl,byte ptr ds:
00407B48 .83C0 01 add eax,1
00407B4B .84D2 test dl,dl
00407B4D .^ 75 F7 jnz short dumped_.00407B46
00407B4F .2BC1 sub eax,ecx
00407B51 .50 push eax
00407B52 .8D8C24 30010000 lea ecx,dword ptr ss:
00407B59 .51 push ecx
00407B5A .8D9424 84000000 lea edx,dword ptr ss:
00407B61 .52 push edx
00407B62 .8D4C24 34 lea ecx,dword ptr ss:
00407B66 .E8 350D0000 call dumped_.004088A0
00407B6B .8D4424 7C lea eax,dword ptr ss:
00407B6F .50 push eax ; /Arg1
00407B70 .8D4C24 2C lea ecx,dword ptr ss: ; |
00407B74 .E8 B70D0000 call dumped_.00408930 ; \dumped_.00408930
00407B79 .8BBC24 88000000 mov edi,dword ptr ss:
00407B80 .6A 58 push 58
00407B82 .8D8C24 80000000 lea ecx,dword ptr ss:
00407B89 .6A 00 push 0
00407B8B .51 push ecx
00407B8C .E8 EFFD0100 call dumped_.00427980
00407B91 .317C24 20 xor dword ptr ss:,edi
00407B95 .83C4 0C add esp,0C
00407B98 .8BCE mov ecx,esi
00407B9A .E8 91D3FFFF call dumped_.00404F30
00407B9F .33C7 xor eax,edi
00407BA1 .3BE8 cmp ebp,eax
00407BA3 .C74424 14 00000000 mov dword ptr ss:,0
00407BAB .75 0C jnz short dumped_.00407BB9
00407BAD .C786 D82A0000 0100>mov dword ptr ds:,1
00407BB7 .EB 0A jmp short dumped_.00407BC3
00407BB9 >C786 D82A0000 0000>mov dword ptr ds:,0
00407BC3 >8D4C24 28 lea ecx,dword ptr ss:
00407BC7 .C78424 A8030000 FF>mov dword ptr ss:,-1
00407BD2 .E8 99050000 call dumped_.00408170
其中
00407BAB .75 0C jnz short dumped_.00407BB9
00407BAD .C786 D82A0000 0100>mov dword ptr ds:,1
00407BB7 .EB 0A jmp short dumped_.00407BC3
00407BB9 >C786 D82A0000 0000>mov dword ptr ds:,0
00407BC3 >8D4C24 28 lea ecx,dword ptr ss:
这段非常可疑,可以看到这段的目的给0或者1,将00407BAB NOP掉,进入即为注册版了 晕,后面还有个效验
修改后的文件下bp ExitWindowsEx断点
断下后返回到
00407825 .50 push eax
00407826 >C78424 500100>mov dword ptr , 2 ; |
00407831 .899C24 440100>mov dword ptr , ebx ; |
00407838 .FF15 14E04300 call dword ptr [<&ADVAPI32.AdjustToke>; \AdjustTokenPrivileges
0040783E .6A 00 push 0 ; /Reserved = 0
00407840 .53 push ebx ; |Options
00407841 .FF15 40E54300 call dword ptr [<&user32.ExitWindowsE>; \ExitWindowsEx
00407847 .F7D8 neg eax
00407849 .1BC0 sbb eax, eax
0040784B .F7D8 neg eax
0040784D .E9 1F070000 jmp 00407F71
00407852 >6A FF push -1 ; /hObject = FFFFFFFF
00407854 .FF15 20E34300 call dword ptr [<&kernel32.CloseHandl>; \CloseHandle
0040785A .FF15 0CE34300 call dword ptr [<&kernel32.IsDebugger>; [IsDebuggerPresent
00407860 .85C0 test eax, eax
00407862 /74 40 je short 004078A4
00407864 .8D4C24 14 lea ecx, dword ptr
00407868 .51 push ecx ; /phToken
00407869 .6A 28 push 28 ; |DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
0040786B .FF15 1CE34300 call dword ptr [<&kernel32.GetCurrent>; |[GetCurrentProcess
00407871 .50 push eax ; |hProcess
00407872 .FF15 28E04300 call dword ptr [<&ADVAPI32.OpenProces>; \OpenProcessToken
00407878 .8D9424 300100>lea edx, dword ptr
0040787F .52 push edx ; /pLocalId
00407880 .68 A8ED4300 push 0043EDA8 ; |Privilege = "SeShutdownPrivilege"
00407885 .6A 00 push 0 ; |SystemName = NULL
00407887 .FF15 2CE04300 call dword ptr [<&ADVAPI32.LookupPriv>; \LookupPrivilegeValueA
0040788D .8B4C24 14 mov ecx, dword ptr
00407891 .6A 00 push 0
00407893 .6A 00 push 0
00407895 .6A 00 push 0
00407897 .8D8424 380100>lea eax, dword ptr
0040789E .50 push eax
0040789F .6A 00 push 0
004078A1 .51 push ecx
004078A2 .^ EB 82 jmp short 00407826
004078A4 >A0 18F44300 mov al, byte ptr
其中00407862改jnz为jmp
F9,断下后返回到
00401D97 .52 push edx
00401D98 .E8 535B0200 call cracked.004278F0
00401D9D .83C4 08 add esp,8
00401DA0 .85C0 test eax,eax
00401DA2 74 06 je short cracked.00401DAA
00401DA4 .6A 00 push 0
00401DA6 .6A 02 push 2
00401DA8 .FFD6 call esi
00401DAA >8D4424 20 lea eax,dword ptr ss:
其中00401da2中的je 该jmp,完成。
[ 本帖最后由 nszy007 于 2008-2-27 10:37 编辑 ] 感谢各位高手大哥,您们是真是太好了!!!:loveliness:
第一次发现这么猛的软件保护,谁用破解版关闭谁的电脑
/:L 第一次发现这么猛的软件保护,谁用破解版关闭谁的电脑/:L我试了破解版皇族软件-QQ四国军棋2人刷分外挂V1.9.9.1,发现这个软件保护超猛,破解版下棋用到八局左右,/:L 会关闭计算机/:L ,是不是里面还有暗桩没有破呀!?我调试了很久也发现不了,各位高手大哥请指教!!谢谢!!!!!! 也怨,芽薷转远鼗!!! 007耍梅龆?频
页:
[1]