Patching 超级抓书狂 3.0(200902)
【Title】: 超级抓书狂 3.0(200902) cracking tutorial 【Author】: kelvar (老马)
【Author e-mail】: [email protected]
【Author QQ】: 44232165
【Software】: 超级抓书狂 3.0(200902)
【Size】: 3403KB
【Download】: search for it yourself
【Packer】: none
【Language】: Delphi
【Tools】: PEiD, FlyOD, Windows XP
【Platform】: Win9x/Me/NT/2000/XP/2003
【Author's note】: In memory of 飘雪; posted as a tribute.
--------------------------------------------------------------------------------
【Detailed process】
In memory of 飘雪. I'm only a newbie with limited skill, so here is a patch crack in remembrance.
First, check the packer with PEiD: Borland Delphi 6.0 - 7.0, not packed, which is a relief. Then notice there is a SysCfg.ini file in the install directory. Open it and have a look:
language=chinese
regtype=0
regcode1=11111
regcode2=11111
savepath=D:\Software\试用软件\catchbook3\新建文件夹
proxy=...
proxyport=80
autodown=1
Let's first try editing it. Change
“regtype=0
regcode1=11111
regcode2=11111”
to
“regtype=1
regcode1=11111
regcode2=11111”. Note: after I changed it the first time, the "unregistered" text disappeared, but a popup still appeared.
Heh, let's get to work the proper way. Click "Start", enter the fake registration code "1234567890123456789", and a "registration code error" box pops up. Good, there is an error message.
In the disassembly window, right-click and use the ultra string reference search for "注册" (register). Sure enough, we find:
"
00539194 --未注册 (unregistered)
005391BD --未注册 (unregistered)
"
OK, two places found. Double-click to go to the code window, then press F2 at the start of the procedure to set a breakpoint. See below:
0053916A \.C3 retn
0053916B .^ E9 FCABECFF jmp BookDown.00403D6C
00539170 .^ EB F0 jmp short BookDown.00539162 //jumps upward
00539172 .A1 D83D5400 mov eax,dword ptr ds: //looks like we can only break here
00539177 .8B00 mov eax,dword ptr ds:
00539179 .33D2 xor edx,edx
0053917B .E8 846AFFFF call BookDown.0052FC04 ;key call
00539180 .85C0 test eax,eax
00539182 .75 29 jnz short BookDown.005391AD
00539184 .8D55 C8 lea edx,dword ptr ss:
00539187 .A1 60705400 mov eax,dword ptr ds:
0053918C .E8 2384F2FF call BookDown.004615B4
00539191 .8D45 C8 lea eax,dword ptr ss:
00539194 .BA 24935300 mov edx,BookDown.00539324 ;--未注册 (unregistered)
00539199 .E8 52B5ECFF call BookDown.004046F0
0053919E .8B55 C8 mov edx,dword ptr ss:
005391A1 .A1 60705400 mov eax,dword ptr ds:
005391A6 .E8 3984F2FF call BookDown.004615E4
005391AB .EB 27 jmp short BookDown.005391D4
005391AD >8D55 C4 lea edx,dword ptr ss:
005391B0 .A1 60705400 mov eax,dword ptr ds:
005391B5 .E8 FA83F2FF call BookDown.004615B4
005391BA .8D45 C4 lea eax,dword ptr ss:
005391BD .BA 38935300 mov edx,BookDown.00539338 ;--已注册 (registered)
005391C2 .E8 29B5ECFF call BookDown.004046F0
005391C7 .8B55 C4 mov edx,dword ptr ss:
005391CA .A1 60705400 mov eax,dword ptr ds:
We see
00539182 /75 29 jnz short BookDown.005391AD ;key jump
Let's try changing this jump to JMP. We find that the registration prompt box at startup still appears; although it now shows "registered", there is clearly another place that calls or checks this.
So let's try changing the value in eax instead, changing
00539180 .85C0 test eax,eax ;try changing it to XOR eax
That doesn't work either; the registration prompt box still pops up as before. Looks like the only option is to step into the key call.
Shift+F9 to run; it breaks at 0053917B. Press F7 to step in and we arrive at
0052FC04 /$55 push ebp
0052FC05 |.8BEC mov ebp,esp
0052FC07 |.B9 05000000 mov ecx,5
0052FC0C |>6A 00 /push 0
0052FC0E |.6A 00 |push 0
0052FC10 |.49 |dec ecx
0052FC11 |.^ 75 F9 \jnz short BookDown.0052FC0C
0052FC13 |.51 push ecx
0052FC14 |.53 push ebx
0052FC15 |.8955 F8 mov ,edx
0052FC18 |.8945 FC mov ,eax
0052FC1B |.8B45 F8 mov eax,
0052FC1E |.E8 B54CEDFF call BookDown.004048D8
0052FC23 |.33C0 xor eax,eax
0052FC25 |.55 push ebp
0052FC26 |.68 8AFD5200 push BookDown.0052FD8A
0052FC2B |.64:FF30 push dword ptr fs:
0052FC2E |.64:8920 mov dword ptr fs:,esp
0052FC31 |.8D55 E0 lea edx,
0052FC34 |.A1 14425400 mov eax,dword ptr ds:
0052FC39 |.8B00 mov eax,dword ptr ds:
0052FC3B |.E8 B822F5FF call BookDown.00481EF8
0052FC40 |.8B45 E0 mov eax,
0052FC43 |.8D55 E4 lea edx,
0052FC46 |.E8 CD9AEDFF call BookDown.00409718
0052FC4B |.8D45 E4 lea eax,
0052FC4E |.BA A4FD5200 mov edx,BookDown.0052FDA4 ;syscfg.ini
0052FC53 |.E8 984AEDFF call BookDown.004046F0
0052FC58 |.8B4D E4 mov ecx,
0052FC5B |.B2 01 mov dl,1
0052FC5D |.A1 E8D84300 mov eax,dword ptr ds:
0052FC62 |.E8 31DDF0FF call BookDown.0043D998
0052FC67 |.8945 F0 mov ,eax
0052FC6A |.33C0 xor eax,eax
0052FC6C |.55 push ebp
0052FC6D |.68 13FD5200 push BookDown.0052FD13
0052FC72 |.64:FF30 push dword ptr fs:
0052FC75 |.64:8920 mov dword ptr fs:,esp
0052FC78 |.837D F8 00 cmp ,0
0052FC7C |.74 0D je short BookDown.0052FC8B
0052FC7E |.8D45 EC lea eax,
0052FC81 |.8B55 F8 mov edx,
0052FC84 |.E8 3748EDFF call BookDown.004044C0
0052FC89 |.EB 1A jmp short BookDown.0052FCA5
0052FC8B |>68 B8FD5200 push BookDown.0052FDB8 ;0
0052FC90 |.8D45 EC lea eax,
0052FC93 |.50 push eax
0052FC94 |.B9 C4FD5200 mov ecx,BookDown.0052FDC4 ;regcode1
0052FC99 |.BA D8FD5200 mov edx,BookDown.0052FDD8 ;system
0052FC9E |.8B45 F0 mov eax,
0052FCA1 |.8B18 mov ebx,dword ptr ds:
0052FCA3 |.FF13 call dword ptr ds:
0052FCA5 |>68 B8FD5200 push BookDown.0052FDB8 ;0
0052FCAA |.8D45 E8 lea eax,
0052FCAD |.50 push eax
0052FCAE |.B9 E8FD5200 mov ecx,BookDown.0052FDE8 ;regcode2
0052FCB3 |.BA D8FD5200 mov edx,BookDown.0052FDD8 ;system
0052FCB8 |.8B45 F0 mov eax,
0052FCBB |.8B18 mov ebx,dword ptr ds:
0052FCBD |.FF13 call dword ptr ds:
0052FCBF |.6A 00 push 0
0052FCC1 |.8D45 DC lea eax,
0052FCC4 |.50 push eax
0052FCC5 |.B9 FCFD5200 mov ecx,BookDown.0052FDFC ;regtype
0052FCCA |.BA D8FD5200 mov edx,BookDown.0052FDD8 ;system
0052FCCF |.8B45 F0 mov eax,
0052FCD2 |.8B18 mov ebx,dword ptr ds:
0052FCD4 |.FF13 call dword ptr ds:
0052FCD6 |.8B55 DC mov edx,
0052FCD9 |.8B45 FC mov eax,
0052FCDC |.05 18030000 add eax,318
0052FCE1 |.E8 9647EDFF call BookDown.0040447C
0052FCE6 |.8B45 FC mov eax,
0052FCE9 |.8B80 18030000 mov eax,dword ptr ds:
0052FCEF |.E8 8093EDFF call BookDown.00409074
0052FCF4 |.8B55 FC mov edx,
0052FCF7 |.8982 1C030000 mov dword ptr ds:,eax
0052FCFD |.33C0 xor eax,eax
0052FCFF |.5A pop edx
0052FD00 |.59 pop ecx
0052FD01 |.59 pop ecx
0052FD02 |.64:8910 mov dword ptr fs:,edx
0052FD05 |.68 1AFD5200 push BookDown.0052FD1A
0052FD0A |>8B45 F0 mov eax,
0052FD0D |.E8 C638EDFF call BookDown.004035D8
0052FD12 \.C3 retn //since we don't know where the program returns, we
0052FD13 .^ E9 5440EDFF jmp BookDown.00403D6C //set a breakpoint on every retn
0052FD18 .^ EB F0 jmp short BookDown.0052FD0A
0052FD1A .33C0 xor eax,eax
0052FD1C .8945 F4 mov dword ptr ss:,eax
0052FD1F .8D55 D8 lea edx,dword ptr ss:
0052FD22 .8B45 FC mov eax,dword ptr ss:
0052FD25 .E8 32020000 call BookDown.0052FF5C
0052FD2A .8B4D D8 mov ecx,dword ptr ss:
0052FD2D .8B55 EC mov edx,dword ptr ss:
0052FD30 .8B45 FC mov eax,dword ptr ss:
0052FD33 .E8 CC000000 call BookDown.0052FE04
0052FD38 .84C0 test al,al
0052FD3A .74 07 je short BookDown.0052FD43
0052FD3C .C745 F4 01000000 mov dword ptr ss:,1
0052FD43 >8D55 D4 lea edx,dword ptr ss:
0052FD46 .8B45 FC mov eax,dword ptr ss:
0052FD49 .E8 0E020000 call BookDown.0052FF5C
0052FD4E .8B4D D4 mov ecx,dword ptr ss:
0052FD51 .8B55 E8 mov edx,dword ptr ss:
0052FD54 .8B45 FC mov eax,dword ptr ss:
0052FD57 .E8 A8000000 call BookDown.0052FE04
0052FD5C .84C0 test al,al
0052FD5E .74 07 je short BookDown.0052FD67
0052FD60 .C745 F4 02000000 mov dword ptr ss:,2
0052FD67 >33C0 xor eax,eax
0052FD69 .5A pop edx
0052FD6A .59 pop ecx
0052FD6B .59 pop ecx
0052FD6C .64:8910 mov dword ptr fs:,edx
0052FD6F .68 91FD5200 push BookDown.0052FD91
0052FD74 >8D45 D4 lea eax,dword ptr ss:
0052FD77 .BA 07000000 mov edx,7
0052FD7C .E8 CB46EDFF call BookDown.0040444C
0052FD81 .8D45 F8 lea eax,dword ptr ss:
0052FD84 .E8 9F46EDFF call BookDown.00404428
0052FD89 .C3 retn //since we don't know where the program will return,
0052FD8A .^ E9 DD3FEDFF jmp BookDown.00403D6C //we set a breakpoint on every retn and see which one fires first
0052FD8F .^ EB E3 jmp short BookDown.0052FD74
0052FD91 .8B45 F4 mov eax,dword ptr ss:
0052FD94 .5B pop ebx
0052FD95 .8BE5 mov esp,ebp
0052FD97 .5D pop ebp
0052FD98 C3 retn //on reaching here, Eax is 0
0052FD99 0000 add byte ptr ds:,al
0052FD9B 00FF add bh,bh
0052FD9D FFFF ??? ;Unknown command
0052FD9F FF0A dec dword ptr ds:
In an actual run, the program ends up returning from 0052FD98, and EAX is 0 at that point. To make EAX 1 in the program,
we change the code starting at 0052FD98 to the following and save:
0052FD98 B8 01000000 mov eax,1 //note: after running, we find this location is read three times.
0052FD9D C3 retn
0052FD9E 90 nop
Save, then close OD and try it out. Heh, mission accomplished.
Since I'm only a newbie who can patch, tracing the real registration code will have to be left to the experts.
--------------------------------------------------------------------------------
【Summary】
Patching doesn't take much skill; 天草's tutorials cover this method. Gave it a try and it worked.
--------------------------------------------------------------------------------
【Copyright】: When reposting, please credit the author and keep the article intact. Thanks!
16 March 2009 20:54:13
Cracked file download link:
http://www.rayfile.com/files/cfb13070-122d-11de-8220-0019d11a795f/
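As an added illustration (not code from the post or from 超级抓书狂), here is a Python model of the registration-state design the post reverse-engineers, where the state lives in a user-writable SysCfg.ini and the check trusts it, placed beside a tamper-evident variant that binds regtype and the two codes with an HMAC, so the hand edit the post starts with (regtype=0 to regtype=1) is rejected. Assumptions: the fields live in a [system] section (the "system" string passed to the INI reader in the disassembly suggests that), and the regsig field name, the sample codes and the vendor key are constructed for this example.

```python
"""Model of a user-writable INI registration check and a tamper-evident
alternative. Added illustration, not the program's own code."""
import configparser
import hashlib
import hmac
import io

# Constructed sample mirroring the SysCfg.ini shown in the post.
# Assumption: the fields sit in a [system] section.
UNREGISTERED_INI = r"""[system]
language=chinese
regtype=0
regcode1=11111
regcode2=11111
savepath=D:\Software\catchbook3
proxy=
proxyport=80
autodown=1
"""

# Hypothetical vendor key (constructed). It still has to live somewhere in
# the client, which limits what the signed variant can protect (see note).
VENDOR_KEY = b"example-vendor-key-not-real"
REG_FIELDS = ("regtype", "regcode1", "regcode2")


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def dump(cp):
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def edit_fields(text, **changes):
    """Rewrite fields in [system]. Used both for the vendor's registration
    step and to simulate the hand edit described in the post."""
    cp = load(text)
    for key, value in changes.items():
        cp.set("system", key, str(value))
    return dump(cp)


def parse_syscfg(text):
    """Return the registration-relevant fields (missing ones as '')."""
    cp = load(text)
    return {k: cp.get("system", k, fallback="") for k in REG_FIELDS + ("regsig",)}


def weak_is_registered(text):
    """The pattern the post reverse-engineered: trust whatever regtype the
    user-writable INI says. Returns regtype (0 = unregistered)."""
    return int(parse_syscfg(text)["regtype"] or 0)


def sign_fields(fields, key=VENDOR_KEY):
    """HMAC-SHA256 over regtype|regcode1|regcode2, binding them together."""
    msg = "|".join(fields[k] for k in REG_FIELDS).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_registration(text, regtype, code1, code2, key=VENDOR_KEY):
    """What a vendor's registration step would write: the fields plus regsig
    (the regsig field name is an assumption of this example)."""
    fields = {"regtype": str(regtype), "regcode1": code1, "regcode2": code2}
    return edit_fields(text, **fields, regsig=sign_fields(fields, key))


def signed_is_registered(text, key=VENDOR_KEY):
    """Tamper-evident check: regtype only counts if regsig verifies."""
    fields = parse_syscfg(text)
    expected = sign_fields(fields, key)
    if not hmac.compare_digest(expected, fields["regsig"]):
        return 0
    return int(fields["regtype"] or 0)


if __name__ == "__main__":
    edited = edit_fields(UNREGISTERED_INI, regtype=1)
    print("weak check, hand-edited INI:", weak_is_registered(edited))
    print("signed check, hand-edited INI:", signed_is_registered(edited))
    signed = issue_registration(UNREGISTERED_INI, 1, "ABCDE-12345", "FGHIJ-67890")
    print("signed check, issued INI:", signed_is_registered(signed))
```

The limit of the signed variant is worth stating: the key is still inside the client, so signing the file defeats editing SysCfg.ini but not patching the comparison or the function's return value, which is exactly what the post does next. Holding up against patching needs the decision to be made somewhere the user cannot rewrite (server-side validation) or a code-integrity mechanism, both outside this post's scope.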
[ Last edited by kelvar on 2009-3-16 21:32 ]

Thanks for sharing, learned something. When will I reach your "newbie" level?

Actually there is a simpler way.
0052FE3D|.8D55 D0 lea edx, dword ptr
0052FE40|.8B45 F4 mov eax, dword ptr
0052FE43|.E8 70F9FFFF call 0052F7B8
0052FE48|.8D45 D0 lea eax, dword ptr
0052FE4B|.8D55 E8 lea edx, dword ptr
0052FE4E|.E8 D9F9FFFF call 0052F82C
0052FE53|.8D4D EC lea ecx, dword ptr
0052FE56|.8B55 F8 mov edx, dword ptr
0052FE59|.8B45 FC mov eax, dword ptr
0052FE5C|.E8 BB030000 call 0053021C
0052FE61|.8B45 EC mov eax, dword ptr
0052FE64|.8B55 E8 mov edx, dword ptr
0052FE67|.E8 C849EDFF call 00404834
0052FE6C 74 00 je short 0052FE77 // change this to jmp short 0052FE6E and it's done.
0052FE6E|.C645 F3 01 mov byte ptr , 1
0052FE72|.E9 89000000 jmp 0052FF00
0052FE77|>8B55 F4 mov edx, dword ptr
0052FE7A|.B8 40FF5200 mov eax, 0052FF40 ;33120
0052FE7F|.E8 A84BEDFF call 00404A2C
0052FE84|.85C0 test eax, eax
0052FE86|.7E 1E jle short 0052FEA6
0052FE88|.A0 48FF5200 mov al, byte ptr
0052FE8D|.50 push eax

Learned the technique from post #4, saved it.