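I'm cracking a dongle and have run into a bit of a problem; I hope the experts can advise.
This is where the first dongle pop-up dialog is checked:
004F394D .55 PUSH EBP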
004F394E .68 F6424F00 PUSH CR.004F42F6
004F3953 .64:FF30 PUSH DWORD PTR FS:
004F3956 .64:8920 MOV DWORD PTR FS:,ESP
004F3959 .8D45 FC LEA EAX,DWORD PTR SS:
004F395C .B9 0C434F00 MOV ECX,CR.004F430C ;ASCII "Title.dat"
004F3961 .8B15 60E65C00 MOV EDX,DWORD PTR DS:
004F3967 .E8 AC11F1FF CALL CR.00404B18
004F396C .8B45 FC MOV EAX,DWORD PTR SS:
004F396F .E8 F460F1FF CALL CR.00409A68
004F3974 .32C0 TEST AL,AL
004F3976 0F84 47090000 JE CR.004F42C3
004F397C .68 18434F00 PUSH CR.004F4318 ; /ResourceType = "dogfile"
004F3981 .68 20434F00 PUSH CR.004F4320 ; |ResourceName = "rsakey"
004F3986 .A1 18175C00 MOV EAX,DWORD PTR DS: ; |
004F398B .50 PUSH EAX ; |hModule => NULL
004F398C .E8 AF38F1FF CALL <JMP.&kernel32.FindResourceA> ; \FindResourceA
004F3991 .8BD8 MOV EBX,EAX
004F3993 .53 PUSH EBX ; /hResource
004F3994 .A1 18175C00 MOV EAX,DWORD PTR DS: ; |
004F3999 .50 PUSH EAX ; |hModule => NULL
004F399A .E8 013BF1FF CALL <JMP.&kernel32.SizeofResource> ; \SizeofResource
004F399F .8BF0 MOV ESI,EAX
004F39A1 .53 PUSH EBX ; /hResource
004F39A2 .A1 18175C00 MOV EAX,DWORD PTR DS: ; |
004F39A7 .50 PUSH EAX ; |hModule => NULL
004F39A8 .E8 433AF1FF CALL <JMP.&kernel32.LoadResource> ; \LoadResource
004F39AD .8BD8 MOV EBX,EAX
004F39AF .53 PUSH EBX ; /hResource
004F39B0 .E8 5B3AF1FF CALL <JMP.&kernel32.LockResource> ; \LockResource
004F39B5 .8D95 B0FCFFFF LEA EDX,DWORD PTR SS:
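Modifying either of the following lets me skip the dongle dialog:
004F3974 .32C0 test AL,AL changed to xor al,al
Or change the following:
004F3976 0F84 47090000 JE CR.004F42C3, je changed to jne
This is where the second dongle pop-up dialog is checked. How should I modify or analyze this part?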
004F4445 .55 PUSH EBP
004F4446 .68 D4514F00 PUSH CR.004F51D4
004F444B .64:FF30 PUSH DWORD PTR FS:
004F444E .64:8920 MOV DWORD PTR FS:,ESP
004F4451 .33C0 XOR EAX,EAX
004F4453 .8945 FC MOV DWORD PTR SS:,EAX
004F4456 .55 PUSH EBP ; /Arg1
004F4457 .E8 80FFFFFF CALL CR.004F43DC ; \CR.004F43DC
004F445C .59 POP ECX
004F445D .68 E4514F00 PUSH CR.004F51E4 ; /RsrcName = "draw"
004F4462 .A1 18175C00 MOV EAX,DWORD PTR DS: ; |
004F4467 .50 PUSH EAX ; |hInst => NULL
004F4468 .E8 3B37F1FF CALL <JMP.&user32.LoadCursorA> ; \LoadCursorA
004F446D .8BC8 MOV ECX,EAX
004F446F .8B07 MOV EAX,DWORD PTR DS:
004F4471 .BA 05000000 MOV EDX,5
004F4476 .E8 5DB6F7FF CALL CR.0046FAD8
004F447B .68 EC514F00 PUSH CR.004F51EC ; /RsrcName = "Drawing"
004F4480 .A1 18175C00 MOV EAX,DWORD PTR DS: ; |
004F4485 .50 PUSH EAX ; |hInst => NULL
004F4486 .E8 1D37F1FF CALL <JMP.&user32.LoadCursorA> ; \LoadCursorA
004F448B .8BC8 MOV ECX,EAX
004F448D .8B07 MOV EAX,DWORD PTR DS:
004F448F .BA 06000000 MOV EDX,6
004F4494 .E8 3FB6F7FF CALL CR.0046FAD8
004F4499 .68 F4514F00 PUSH CR.004F51F4 ; /RsrcName = "DrawingMuch"
004F449E .A1 18175C00 MOV EAX,DWORD PTR DS: ; |
004F44A3 .50 PUSH EAX ; |hInst => NULL
004F44A4 .E8 FF36F1FF CALL <JMP.&user32.LoadCursorA> ; \LoadCursorA
004F44A9 .8BC8 MOV ECX,EAX
004F44AB .8B07 MOV EAX,DWORD PTR DS:
004F44AD .BA 07000000 MOV EDX,7
004F44B2 .E8 21B6F7FF CALL CR.0046FAD8
004F44B7 .68 00524F00 PUSH CR.004F5200 ; /RsrcName = "pen"
004F44BC .A1 18175C00 MOV EAX,DWORD PTR DS: ; |
004F44C1 .50 PUSH EAX ; |hInst => NULL
004F44C2 .E8 E136F1FF CALL <JMP.&user32.LoadCursorA> ; \LoadCursorA
004F44C7 .8BC8 MOV ECX,EAX
004F44C9 .8B07 MOV EAX,DWORD PTR DS:
004F44CB .BA 08000000 MOV EDX,8
004F44D0 .E8 03B6F7FF CALL CR.0046FAD8
004F44D5 .68 04524F00 PUSH CR.004F5204 ; /RsrcName = "move"
004F44DA .A1 18175C00 MOV EAX,DWORD PTR DS: ; |
004F44DF .50 PUSH EAX ; |hInst => NULL
004F44E0 .E8 C336F1FF CALL <JMP.&user32.LoadCursorA> ; \LoadCursorA
004F44E5 .8BC8 MOV ECX,EAX
004F44E7 .8B07 MOV EAX,DWORD PTR DS:
004F44E9 .BA 0A000000 MOV EDX,0A
004F44EE .E8 E5B5F7FF CALL CR.0046FAD8
004F44F3 .68 0C524F00 PUSH CR.004F520C ; /FileName = "CaptureDll.dll"
004F44F8 .E8 E32EF1FF CALL <JMP.&kernel32.LoadLibraryA> ; \LoadLibraryA
004F44FD .A3 68E55B00 MOV DWORD PTR DS:,EAX
004F4502 .833D 68E55B00>CMP DWORD PTR DS:,0
004F4509 .75 3C JNZ SHORT CR.004F4547
004F450B .6A 10 PUSH 10
004F450D .8D95 BCF7FFFF LEA EDX,DWORD PTR SS:
004F4513 .A1 40045C00 MOV EAX,DWORD PTR DS:
004F4518 .8B00 MOV EAX,DWORD PTR DS:
004F451A .E8 0DD0F7FF CALL CR.0047152C
004F451F .8B85 BCF7FFFF MOV EAX,DWORD PTR SS:
004F4525 .E8 9A07F1FF CALL CR.00404CC4
004F452A .8BC8 MOV ECX,EAX
004F452C .BA 1C524F00 MOV EDX,CR.004F521C
004F4531 .A1 40045C00 MOV EAX,DWORD PTR DS:
004F4536 .8B00 MOV EAX,DWORD PTR DS:
004F4538 .E8 C7D5F7FF CALL CR.00471B04
004F453D .E8 3E01F1FF CALL CR.00404680
004F4542 .E9 620C0000 JMP CR.004F51A9
004F4547 >68 38524F00 PUSH CR.004F5238 ; /ProcNameOrOrdinal = "GetLanguage"
004F454C .A1 68E55B00 MOV EAX,DWORD PTR DS: ; |
004F4551 .50 PUSH EAX ; |hModule => NULL
004F4552 .E8 A92DF1FF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
004F4557 .68 44524F00 PUSH CR.004F5244 ; /ResourceType = "dogfile"
004F455C .68 4C524F00 PUSH CR.004F524C ; |ResourceName = "rsakey"
004F4561 .A1 18175C00 MOV EAX,DWORD PTR DS: ; |
004F4566 .50 PUSH EAX ; |hModule => NULL
004F4567 .E8 D42CF1FF CALL <JMP.&kernel32.FindResourceA> ; \FindResourceA
004F456C .8BD8 MOV EBX,EAX
004F456E .53 PUSH EBX ; /hResource
004F456F .A1 18175C00 MOV EAX,DWORD PTR DS: ; |
004F4574 .50 PUSH EAX ; |hModule => NULL
004F4575 .E8 262FF1FF CALL <JMP.&kernel32.SizeofResource> ; \SizeofResource
004F457A .8BF0 MOV ESI,EAX
004F457C .53 PUSH EBX ; /hResource
004F457D .A1 18175C00 MOV EAX,DWORD PTR DS: ; |
004F4582 .50 PUSH EAX ; |hModule => NULL
004F4583 .E8 682EF1FF CALL <JMP.&kernel32.LoadResource> ; \LoadResource
004F4588 .8BD8 MOV EBX,EAX
004F458A .53 PUSH EBX ; /hResource
004F458B .E8 802EF1FF CALL <JMP.&kernel32.LockResource> ; \LockResource
004F4590 .8D95 E4FCFFFF LEA EDX,DWORD PTR SS:
004F4596 .8BCE MOV ECX,ESI
004F4598 .92 XCHG EAX,EDX
004F4599 .E8 2238F1FF CALL CR.00407DC0
004F459E .53 PUSH EBX ; /hResource
004F459F .E8 B42CF1FF CALL <JMP.&kernel32.FreeResource> ; \FreeResource
004F45A4 .C785 E0FCFFFF>MOV DWORD PTR SS:,400
004F45AE .E8 8D2DF1FF CALL <JMP.&kernel32.GetTickCount> ; [GetTickCount
004F45B3 .8B15 A8085C00 MOV EDX,DWORD PTR DS: ;CR.005B8008
004F45B9 .8902 MOV DWORD PTR DS:,EAX
004F45BB .33DB XOR EBX,EBX
004F45BD .8DB5 C0FCFFFF LEA ESI,DWORD PTR SS:
004F45C3 >B8 FF000000 MOV EAX,0FF
004F45C8 .E8 73EBF0FF CALL CR.00403140
004F45CD .8806 MOV BYTE PTR DS:,AL
004F45CF .43 INC EBX
004F45D0 .46 INC ESI
004F45D1 .80FB 20 CMP BL,20
004F45D4 .^ 75 ED JNZ SHORT CR.004F45C3
004F45D6 .8D85 E0FCFFFF LEA EAX,DWORD PTR SS:
004F45DC .50 PUSH EAX
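After getting past the first one I can get in, but partway in it pops up "Please insert the dongle" again.. ugh..
So I looked at the second check, but I don't know where to change it. I hope an expert can give me some pointers. Thanks~~~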