带壳破解护花使者
该软件的壳是ASPack 1.07b -> Alexey Solodovnikov直接用OD载入程序后来到这里
00446AA7 >90 nop ;我开始就F8单步走
00446AA8 90 nop
00446AA9 75 00 jnz short iflower.00446AAB
00446AAB- E9 50250900 jmp iflower.004D9000
00446AB0 0000 add byte ptr ds:,al
00446AB2 0000 add byte ptr ds:,al
00446AB4 0000 add byte ptr ds:,al
00446AB6 0000 add byte ptr ds:,al
00446AB8 0000 add byte ptr ds:,al
00446ABA 0000 add byte ptr ds:,al
我们F8单步走了4次,看来到这里,哈哈
004D9000 60 pushad
004D9001 E8 00000000 call iflower.004D9006
004D9006 5D pop ebp
004D9007 81ED 3ED94300 sub ebp,iflower.0043D93E
004D900D B8 38D94300 mov eax,iflower.0043D938
004D9012 03C5 add eax,ebp
004D9014 2B85 0BDE4300 sub eax,dword ptr ss:[ebp+43DE0>
004D901A 8985 17DE4300 mov dword ptr ss:,e>
004D9020 80BD 01DE4300 0>cmp byte ptr ss:,0
004D9027 75 15 jnz short iflower.004D903E
004D9029 FE85 01DE4300 inc byte ptr ss:
004D902F E8 1D000000 call iflower.004D9051
004D9034 E8 79020000 call iflower.004D92B2
004D9039 E8 12030000 call iflower.004D9350
004D903E 8B85 03DE4300 mov eax,dword ptr ss:[ebp+43DE0>
004D9044 0385 17DE4300 add eax,dword ptr ss:[ebp+43DE1>
004D904A 894424 1C mov dword ptr ss:,eax
004D904E 61 popad
004D904F FFE0 jmp eax
004D9051 80BD 29E04300 0>cmp byte ptr ss:,0
004D9058 74 1D je short iflower.004D9077
很熟悉吧,用ESP定律很快来到程序的OEP处
因为该软件进行注册确认后,没有任何反应,所以我就查找字符串“感谢您对护花使者的支持”
00492F15 55 push ebp
00492F16 68 D7304900 push iflower.004930D7
00492F1B 64:FF30 push dword ptr fs:
00492F1E 64:8920 mov dword ptr fs:,esp
00492F21 8D55 FC lea edx,dword ptr ss:
00492F24 8B83 F4020000 mov eax,dword ptr ds:
00492F2A E8 B5BEF9FF call iflower.0042EDE4
00492F2F 8B45 FC mov eax,dword ptr ss:
00492F32 50 push eax
00492F33 8D45 F8 lea eax,dword ptr ss:
00492F36 E8 8523FCFF call iflower.004552C0
00492F3B 8B55 F8 mov edx,dword ptr ss: 单步走到这里注释窗口显示的 (ASCII "9AE73DA7")
00492F3E 58 pop eax 到这里寄存器窗口显示EDX 00E34264 ASCII "9AE73DA7"
00492F3F E8 1810F7FF call iflower.00403F5C
00492F44 75 05 jnz short iflower.00492F4B
00492F46 83CE FF or esi,FFFFFFFF
00492F49 EB 02 jmp short iflower.00492F4D
00492F4B 33F6 xor esi,esi
00492F4D 8BC6 mov eax,esi
00492F4F F7D8 neg eax
00492F51 1BC0 sbb eax,eax
00492F53 F7D8 neg eax
00492F55 3C 01 cmp al,1
00492F57 0F85 D7000000 jnz iflower.00493034 ;这里我改为JZ没有作用
00492F5D BA F0304900 mov edx,iflower.004930F0 ; 注册
00492F62 8BC3 mov eax,ebx
00492F64 E8 ABBEF9FF call iflower.0042EE14
00492F69 8D55 F0 lea edx,dword ptr ss:
00492F6C 8B83 F0020000 mov eax,dword ptr ds:
00492F72 E8 6DBEF9FF call iflower.0042EDE4
00492F77 8B4D F0 mov ecx,dword ptr ss:
00492F7A 8D45 F4 lea eax,dword ptr ss:
00492F7D BA 00314900 mov edx,iflower.00493100 ; 护花使者的注册用户是
00492F82 E8 110FF7FF call iflower.00403E98
00492F87 8B55 F4 mov edx,dword ptr ss:
00492F8A 8B83 E4020000 mov eax,dword ptr ds:
00492F90 E8 7FBEF9FF call iflower.0042EE14
00492F95 BA 20314900 mov edx,iflower.00493120 ; 感谢您对护花使者的支持
00492F9A 8B83 E8020000 mov eax,dword ptr ds:
00492FA0 E8 6FBEF9FF call iflower.0042EE14
经过验证ASCII码"9AE73DA7"就是我的注册码
注册机也完全可以运行成功!
注册后想重新练习可以删除注册表下的
HKEY_CLASSES_ROOT\下的Smart.DebugHelper.1\下的smartblock的
RegCode键值即可 /:good
00492F57 0F85 D7000000 jnz iflower.00493034 ;这里我改为JZ没有作用
脱壳后再改 试试~~ 进来看看,学习一下 向楼主学习/:good /:good 原帖由 天颖 于 2008-3-20 09:34 发表 https://www.chinapyg.com/images/common/back.gif
/:good
00492F57 0F85 D7000000 jnz iflower.00493034 ;这里我改为JZ没有作用
脱壳后再改 试试~~
直接SMC/:017 呵呵,很经典的追码 学习了.致敬. 学习了,谢谢! 学习中............ 向楼主学习ing
页:
[1]