Round 10 Teaching Exam Discussion Thread
Those who have cracked it, just post your approach and write-up. Patching this program is a bit tricky, so feel free to share your patching experience.
Only post code in this thread; send finished builds as attachments to my email.
The first ten students to submit a write-up get 50 PYB each.
Students who submit a write-up and get the program to more than 80% completion will have their group changed to PYG student.
This post was last edited by sdnyzjzx on 2010-7-11 19:51.
Reserving a spot first; I'll fill it in gradually. I'm a newbie, so please advise!
Cracking notes:
Analysis of the software turned up the following issues:
1. Filename self-check
004874F4 E8 33C9F7FF CALL Unpack_.00403E2C ; compares the filename with the original file
004874F9 74 05 JE SHORT Unpack_.00487500 --->EB
2. Registration code length check
0047998D|.2D B4000000 sub eax,0xB4
00479992|.74 22 je short Unpack_.004799B6 --->EB
3. Startup Nag window
00486C58 803D 64A64800>cmp byte ptr ds:,0x0 ------> 1, removes the Nag
4. Startup Tip of the day window
00486CA8 .8038 00 cmp byte ptr ds:,0x0 ------> 1, removes the Tip of the day
5. Feature limitations
Analysis shows that wherever a feature is limited, the instruction sequence is essentially of this form:
00481A7E .E8 A110F8FF call Unpack_3.00402B24
00481A83 .8B15 04A94800 mov edx,dword ptr ds: ;Unpack_3.00498CF4
00481A89 .8902 mov dword ptr ds:,eax
00481A8B .A1 04A94800 mov eax,dword ptr ds:
00481A90 .8B00 mov eax,dword ptr ds:
00481A92 .8B15 D4A64800 mov edx,dword ptr ds: ;Unpack_3.0049AC78
00481A98 .8B12 mov edx,dword ptr ds:
00481A9A .8A0402 mov al,byte ptr ds:
00481A9D .8B15 04A94800 mov edx,dword ptr ds: ;Unpack_3.00498CF4
00481AA3 .8B12 mov edx,dword ptr ds:
00481AA5 .8B0D 3CA74800 mov ecx,dword ptr ds: ;Unpack_3.0049AC7C
00481AAB .8B09 mov ecx,dword ptr ds:
00481AAD .3A0411 cmp al,byte ptr ds:
00481AB0 .74 14 je short Unpack_3.00481AC6
Signature:
8B 15 04 A9 48 00 89 02 A1 04 A9 48 00 8B 00 8B 15 D4 A6 48 00 8B 12 8A 04 02 8B 15 04 A9 48 00 8B 12 8B 0D 3C A7 48 00 8B 09 3A 04 11 74 ??
Search with DUP and change the trailing 74 to EB (all occurrences).
Also search for 75 and change it to EB (one occurrence).
==========================
Unpacking steps:
Uncheck all the ignore-exception options
Shift+F9 11 times
In the stack, the SE handler 0051c7f9; Ctrl+G to it
F2 to set a breakpoint
Shift +F9
F2 to clear the breakpoint
tc eip<0051b000
OEP
00487420 55 PUSH EBP
00487421 8BEC MOV EBP,ESP
00487423 B9 08000000 MOV ECX,8
Close OD and open the original main program again
Repair with the ImportREC plugin 0.98#1
4 invalid pointers: cut them
Open the repaired file
This post was last edited by cjteam on 2010-7-11 19:54.
Binary search to quickly locate the other hidden checks:
A1 04 A9 48 00 8B 00 8B 15 D4 A6 48 00 8B 12 8A 04 02 8B 15 04 A9 48 00 8B 12 8B 0D 3C A7 48 00 8B 09 3A 04 11
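The signature search and "change the last 74 to EB" step described in this thread, as an added example. This is my own code, not anything posted by sdnyzjzx, cjteam or assume; SAMPLE is a constructed stand-in for the real unpacked CRAZYTET.EXE (built from the 45-byte check sequence plus the jump bytes quoted in the listings), and parse_signature, find_all, jcc_to_jmp, kill_jcc and patch_signature are hypothetical names. It goes a little beyond the post: besides 7x rel8 -> EB rel8 it also handles the near form 0F 8x rel32 (patched to 90 E9 rel32, same length, same target) and the "75 00" trick (jump to the next instruction) used later in the thread. One caveat a DUP user should keep in mind: the OllyDbg addresses in the listings are virtual addresses, while this code works on file offsets; on a real file map VA -> RVA -> raw offset via the section table first.

```python
"""Signature search and Jcc -> JMP patching for a dumped/unpacked PE.

Added example, not code from this thread. SAMPLE below is a constructed
stand-in for the real CRAZYTET.EXE, and every function name here is my own.
All offsets are file offsets: the OllyDbg addresses in the listings are
virtual addresses, so on a real file map VA -> RVA -> raw offset through the
section table before patching.
"""
import re

# Signature from the post: the registration check, ending in JE rel8 (74 ??).
SIGNATURE = ("8B 15 04 A9 48 00 89 02 A1 04 A9 48 00 8B 00 8B 15 D4 A6 48 00 "
             "8B 12 8A 04 02 8B 15 04 A9 48 00 8B 12 8B 0D 3C A7 48 00 8B 09 "
             "3A 04 11 74 ??")

SHORT_JCC = range(0x70, 0x80)   # 7x rel8  (74 = JE, 75 = JNE, 7E = JLE ...)
NEAR_JCC = range(0x80, 0x90)    # 0F 8x rel32


def parse_signature(text):
    """'8B 15 ?? 74' -> [0x8B, 0x15, None, 0x74]; None is a wildcard byte."""
    pattern = []
    for tok in text.split():
        if tok == "??":
            pattern.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            pattern.append(int(tok, 16))
        else:
            raise ValueError("bad signature token %r" % tok)
    return pattern


def find_all(buf, pattern):
    """Every offset in buf where pattern matches (wildcards allowed)."""
    n = len(pattern)
    return [i for i in range(len(buf) - n + 1)
            if all(p is None or buf[i + k] == p for k, p in enumerate(pattern))]


def jcc_to_jmp(buf, off):
    """Make the conditional jump at off unconditional, in place, same length.

    short: 7x rel8     -> EB rel8       (target unchanged)
    near:  0F 8x rel32 -> 90 E9 rel32   (NOP + JMP rel32; the JMP starts one
           byte later but is one byte shorter, so the next-instruction address
           and therefore rel32 are unchanged)
    """
    if buf[off] in SHORT_JCC:
        buf[off] = 0xEB
        return "short"
    if buf[off] == 0x0F and buf[off + 1] in NEAR_JCC:
        buf[off] = 0x90
        buf[off + 1] = 0xE9
        return "near"
    raise ValueError("no Jcc at offset %#x (byte %#04x)" % (off, buf[off]))


def kill_jcc(buf, off):
    """The '75 00' trick from later in the thread: keep the Jcc but point it at
    the next instruction, so the fall-through code always runs. Short form only."""
    if buf[off] not in SHORT_JCC:
        raise ValueError("kill_jcc needs a short Jcc")
    buf[off + 1] = 0x00


def patch_signature(buf, sig_text, max_hits=None):
    """Find sig_text in buf and convert the Jcc it ends with into a JMP.

    The Jcc is the last fixed byte of the signature (the 74 before the ?? rel8),
    i.e. the post's 'change the last 74 to EB'. A trailing '0F 8x ?? ?? ?? ??'
    is recognised as a near Jcc. Returns the offsets of the patched opcodes.
    """
    pattern = parse_signature(sig_text)
    jcc = max(i for i, p in enumerate(pattern) if p is not None)
    if pattern[jcc] in NEAR_JCC and jcc > 0 and pattern[jcc - 1] == 0x0F:
        jcc -= 1
    hits = find_all(buf, pattern)
    if max_hits is not None:
        hits = hits[:max_hits]
    patched = []
    for h in hits:
        jcc_to_jmp(buf, h + jcc)
        patched.append(h + jcc)
    return patched


# Constructed test image (NOT the real binary): the 45-byte check sequence
# four times, ending in JE 74 14 (cf. 00481AB0), JE 74 16 (cf. 00487914),
# JNZ 75 69 (cf. 0047804F) and near JNZ 0F 85 AC 00 00 00 (cf. 00480472).
_CHECK = bytes.fromhex(
    "8B1504A94800" "8902" "A104A94800" "8B00" "8B15D4A64800" "8B12" "8A0402"
    "8B1504A94800" "8B12" "8B0D3CA74800" "8B09" "3A0411")
_PAD = b"\x90" * 8
SAMPLE = bytes(_PAD + _CHECK + b"\x74\x14"
               + _PAD + _CHECK + b"\x74\x16"
               + _PAD + _CHECK + b"\x75\x69"
               + _PAD + _CHECK + b"\x0F\x85\xAC\x00\x00\x00"
               + _PAD)


if __name__ == "__main__":
    image = bytearray(SAMPLE)
    # The post's procedure: all 74 hits first, then the single 75 hit.
    print("JE  -> JMP at", [hex(o) for o in patch_signature(image, SIGNATURE)])
    print("JNZ -> JMP at", [hex(o) for o in patch_signature(
        image, SIGNATURE.replace("74 ??", "75 ??"), max_hits=1)])
    print("near JNZ -> NOP;JMP at", [hex(o) for o in patch_signature(
        image, SIGNATURE.replace("74 ??", "0F 85 ?? ?? ?? ??"))])
```

Note that rewriting 74 rel8 to EB rel8 leaves the displacement untouched, which is why the patch is safe regardless of where each copy of the check jumps to; the same is true of the 90 E9 rewrite for the 6-byte near form, since the JMP still ends at the same next-instruction address. A plain NOP-out (as done for the JE at 00485AD3 later in the thread) is the opposite choice: it forces the fall-through path instead of the taken path, so pick per site after reading what each branch does.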
00477CCA /EB 69 jmp short 00477D35
00477D5A /EB 6C jmp short 00477DC8
00477F07 /EB 69 jmp short 00477F72
00478003 /EB 6C jmp short 00478071
00478780 /EB 53 jmp short 004787D5
00478D4B /EB 6E jmp short 00478DBB
0047E056 /E9 AD000000 jmp 0047E108
00486221 /EB 13 jmp short 00486236
00485E39 /EB 6B jmp short 00485EA6
004853DA /EB 5B jmp short 00485437
004822AF /E9 AD000000 jmp 00482361
00480B31 /E9 9F000000 jmp 00480BD5
00480548 /EB 14 jmp short 0048055E
00480275 /EB 25 jmp short 0048029C
0047F915 /EB 05 jmp short 0047F91C ; decides whether "unregistered" gets written
0047F941 /EB 05 jmp short 0047F948
0047EEE2 /E9 AD000000 jmp 0047EF94
------------------------------------------------------------
0048483B 90 nop
--------------------------------------------------------------------
00487A1C 90 nop
00487A1D 90 nop
00487A1E|.A1 38BF4900 mov eax, dword ptr
00487A23|.E8 E4C2F7FF call 00403D0C
00487A28|.2D B4000000 sub eax, 0B4
00487A2D|.74 0D je short 00487A3C
00487A2F|.83E8 02 sub eax, 2
00487A32|.74 08 je short 00487A3C
00487A34|>A1 70AC4800 mov eax, dword ptr
00487A39 C600 00 mov byte ptr , 0
Unpacking: done straight away with an unpacker. I didn't run into any program self-check; after unpacking, just replace the original file with the unpacked one.
【Title】: Crazy Tetris exam write-up
【Author】: assume
【Author's email】: [email protected]
【Software】: Crazy Tetris
【Download】: search for it yourself
【Packer】: tElock 0.98b2 -> tE!
【Language】: Borland Delphi 4.0 - 5.0
【Tools】: OD, DEDE and SPY4WIN
【Platform】: XP SP3
【Author's note】: Just out of interest, no other purpose. If I've slipped up anywhere, please correct me!
--------------------------------------------------------------------------------
【Detailed process】
I can't unpack manually, so I used an unpacker.
Cracking this software mainly relied on its own language file, plus DEDE and SPY4WIN.
It's mostly brute-force patching. From the language file we learn of the following limitations:
1. Removing the filename check
004874E6|.8902 MOV DWORD PTR DS:,EAX
004874E8|.A1 74A94800 MOV EAX,DWORD PTR DS:
004874ED|.8B00 MOV EAX,DWORD PTR DS:
004874EF|.BA 587A4800 MOV EDX,00487A58 ;ASCII "CRAZYTET.EXE"
004874F4|.E8 33C9F7FF CALL 00403E2C
004874F9|.74 05 JE SHORT 00487500 ; filename check, change 74 to EB
004874FB|.E8 64C4F7FF CALL 00403964
00487500|>33C0 XOR EAX,EAX
00487502|.E8 556EFFFF CALL 0047E35C
2. NAGs before and after running
Before running
Method one:
Using SPY4WIN, the NAG module invoked at startup is TFORM3; DEDE then gives TFORM3's close address: 00479FF8
00479FF8 .A0 FCC14800 MOV AL,BYTE PTR DS:
00479FFD .8801 MOV BYTE PTR DS:,AL
00479FFF .C3 RETN
0047A000 .53 PUSH EBX
Single-step
004878E7 .8B15 04A94800 MOV EDX,DWORD PTR DS: ;CrazyTet.00498CF4
004878ED .8902 MOV DWORD PTR DS:,EAX
004878EF .A1 04A94800 MOV EAX,DWORD PTR DS:
004878F4 .8B00 MOV EAX,DWORD PTR DS:
004878F6 .8B15 D4A64800 MOV EDX,DWORD PTR DS: ;CrazyTet.0049AC78
004878FC .8B12 MOV EDX,DWORD PTR DS:
004878FE .8A0402 MOV AL,BYTE PTR DS:
00487901 .8B15 04A94800 MOV EDX,DWORD PTR DS: ;CrazyTet.00498CF4
00487907 .8B12 MOV EDX,DWORD PTR DS:
00487909 .8B0D 3CA74800 MOV ECX,DWORD PTR DS: ;CrazyTet.0049AC7C
0048790F .8B09 MOV ECX,DWORD PTR DS:
00487911 .3A0411 CMP AL,BYTE PTR DS:
00487914 74 16 JE SHORT 0048792C ; this is the key jump: if it doesn't jump, the NAG is gone
00487916 .A1 3CBF4900 MOV EAX,DWORD PTR DS:
0048791B .E8 FCC3F7FF CALL 00403D1C
00487920 .2D B4000000 SUB EAX,0B4
00487925 .74 0D JE SHORT 00487934
00487927 .83E8 02 SUB EAX,2
0048792A .74 08 JE SHORT 00487934
After running
Using SPY4WIN, the NAG module invoked on exit is TADFORM; DEDE then gives TADFORM's close address: 0047A870
0047A870 .55 PUSH EBP
0047A871 .8BEC MOV EBP,ESP
0047A873 .81C4 B0FEFFFF ADD ESP,-150
0047A879 .53 PUSH EBX
0047A87A .33DB XOR EBX,EBX
0047A87C .899D B0FEFFFF MOV DWORD PTR SS:,EBX
0047A882 .33C0 XOR EAX,EAX
0047A884 .55 PUSH EBP
0047A885 .68 05A94700 PUSH 0047A905
0047A88A .64:FF30 PUSH DWORD PTR FS:
0047A88D .64:8920 MOV DWORD PTR FS:,ESP
0047A890 .8B15 DCA84800 MOV EDX,DWORD PTR DS: ;CrazyTet.004996B0
0047A896 .8B12 MOV EDX,DWORD PTR DS:
0047A898 .8D85 B0FEFFFF LEA EAX,DWORD PTR SS:
0047A89E .B9 1CA94700 MOV ECX,0047A91C ;ASCII "tmp.bmp"
0047A8A3 .E8 C094F8FF CALL 00403D68
0047A8A8 .8B95 B0FEFFFF MOV EDX,DWORD PTR SS:
0047A8AE .8D85 B4FEFFFF LEA EAX,DWORD PTR SS:
0047A8B4 .E8 21AFF8FF CALL 004057DA
0047A8B9 .33C0 XOR EAX,EAX
0047A8BB .55 PUSH EBP
0047A8BC .68 E5A84700 PUSH 0047A8E5
0047A8C1 .64:FF30 PUSH DWORD PTR FS:
0047A8C4 .64:8920 MOV DWORD PTR FS:,ESP
0047A8C7 .8D85 B4FEFFFF LEA EAX,DWORD PTR SS:
0047A8CD .E8 AEB0F8FF CALL 00405980
0047A8D2 .E8 157FF8FF CALL 004027EC
0047A8D7 .33C0 XOR EAX,EAX
0047A8D9 .5A POP EDX
Keep single-stepping down to the following
004442B8 .53 PUSH EBX ;CrazyTet.004442B8
004442B9 .66:83B8 7A020>CMP WORD PTR DS:,0
004442C1 .74 12 JE SHORT 004442D5 ; skip this CALL and the NAG is gone
004442C3 .8BCA MOV ECX,EDX
004442C5 .8BD8 MOV EBX,EAX
004442C7 .8BD0 MOV EDX,EAX
004442C9 .8B83 7C020000 MOV EAX,DWORD PTR DS:
004442CF .FF93 78020000 CALL DWORD PTR DS:
004442D5 >5B POP EBX
004442D6 .C3 RETN
3. Removing the Tip of the Day NAG
Using SPY4WIN, the NAG module invoked for the Tip of the Day is TTipsForm; DEDE then gives TTipsForm's address: 0047BF5C
0047BF5C .53 PUSH EBX
0047BF5D .8BD8 MOV EBX,EAX
0047BF5F .A1 ECAB4800 MOV EAX,DWORD PTR DS:
0047BF64 .8B00 MOV EAX,DWORD PTR DS:
0047BF66 .8B50 30 MOV EDX,DWORD PTR DS:
0047BF69 .A1 ECAB4800 MOV EAX,DWORD PTR DS:
0047BF6E .8B00 MOV EAX,DWORD PTR DS:
0047BF70 .8B40 38 MOV EAX,DWORD PTR DS:
0047BF73 .2B43 38 SUB EAX,DWORD PTR DS:
0047BF76 .D1F8 SAR EAX,1
0047BF78 .79 03 JNS SHORT 0047BF7D
0047BF7A .83D0 00 ADC EAX,0
0047BF7D >03D0 ADD EDX,EAX
0047BF7F .8BC3 MOV EAX,EBX
0047BF81 .E8 0EFEFAFF CALL 0042BD94
0047BF86 .A1 ECAB4800 MOV EAX,DWORD PTR DS:
0047BF8B .8B00 MOV EAX,DWORD PTR DS:
0047BF8D .8B50 34 MOV EDX,DWORD PTR DS:
0047BF90 .A1 ECAB4800 MOV EAX,DWORD PTR DS:
0047BF95 .8B00 MOV EAX,DWORD PTR DS:
0047BF97 .8B40 3C MOV EAX,DWORD PTR DS:
0047BF9A .2B43 3C SUB EAX,DWORD PTR DS:
0047BF9D .D1F8 SAR EAX,1
0047BF9F .79 03 JNS SHORT 0047BFA4
0047BFA1 .83D0 00 ADC EAX,0
0047BFA4 >03D0 ADD EDX,EAX
0047BFA6 .8BC3 MOV EAX,EBX
0047BFA8 .E8 07FEFAFF CALL 0042BDB4
Single-step to here,
00447813|.E8 B8A4FFFF CALL 00441CD0
00447818|.8945 F4 MOV DWORD PTR SS:,EAX
0044781B|.33D2 XOR EDX,EDX
0044781D|.55 PUSH EBP
0044781E|.68 8C794400 PUSH 0044798C
00447823|.64:FF32 PUSH DWORD PTR FS:
00447826|.64:8922 MOV DWORD PTR FS:,ESP
00447829|.8B45 FC MOV EAX,DWORD PTR SS:
0044782C|.E8 3BFEFFFF CALL 0044766C
00447831|.33D2 XOR EDX,EDX ;ntdll.KiFastSystemCallRet
00447833|.55 PUSH EBP
00447834|.68 EB784400 PUSH 004478EB
00447839|.64:FF32 PUSH DWORD PTR FS:
0044783C|.64:8922 MOV DWORD PTR FS:,ESP
0044783F|.6A 00 PUSH 0
00447841|.6A 00 PUSH 0
00447843|.68 00B00000 PUSH 0B000
00447848|.8B45 FC MOV EAX,DWORD PTR SS:
0044784B|.E8 9CAEFEFF CALL 004326EC
00447850|.50 PUSH EAX ; |hWnd
00447851|.E8 3AF5FBFF CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00447856|.8B45 FC MOV EAX,DWORD PTR SS:
00447859|.33D2 XOR EDX,EDX
0044785B|.8990 34020000 MOV DWORD PTR DS:,EDX
00447861|>8B03 /MOV EAX,DWORD PTR DS:
00447863|.E8 BC2D0000 |CALL 0044A624
00447868|.8B03 |MOV EAX,DWORD PTR DS:
0044786A|.80B8 8C000000>|CMP BYTE PTR DS:,0
00447871 74 0F |JE SHORT 00447882
00447873|.8B45 FC |MOV EAX,DWORD PTR SS:
00447876|.C780 34020000>|MOV DWORD PTR DS:,2
00447880|.EB 14 |JMP SHORT 00447896
00447882|>8B45 FC |MOV EAX,DWORD PTR SS:
00447885|.83B8 34020000>|CMP DWORD PTR DS:,0
0044788C 74 08 |JE SHORT 00447896
0044788E|.8B45 FC |MOV EAX,DWORD PTR SS:
00447891 E8 26FDFFFF |CALL 004475BC
00447896|>8B45 FC |MOV EAX,DWORD PTR SS:
00447899|.8B80 34020000 |MOV EAX,DWORD PTR DS:
0044789F|.85C0 |TEST EAX,EAX
004478A1 ^ 74 BE JE SHORT 00447861
004478A3 8945 F8 MOV DWORD PTR SS:,EAX ; F4 to here pops up the NAG; keep single-stepping out of the CALL
004478A6|.6A 00 PUSH 0
004478A8|.6A 00 PUSH 0
004478AA|.68 01B00000 PUSH 0B001
004478AF|.8B45 FC MOV EAX,DWORD PTR SS:
004478B2|.E8 35AEFEFF CALL 004326EC
004478B7|.50 PUSH EAX ; |hWnd
004478B8|.E8 D3F4FBFF CALL <JMP.&user32.SendMessageA> ; \SendMessageA
004478BD|.8B45 FC MOV EAX,DWORD PTR SS:
004478C0|.E8 27AEFEFF CALL 004326EC
004478C5|.8BD8 MOV EBX,EAX
004478C7|.E8 2CF2FBFF CALL <JMP.&user32.GetActiveWindow> ; [GetActiveWindow
004478CC|.3BD8 CMP EBX,EAX
004478CE|.74 05 JE SHORT 004478D5
004478D0|.33C0 XOR EAX,EAX
004478D2|.8945 E4 MOV DWORD PTR SS:,EAX
004478D5|>33C0 XOR EAX,EAX
004478D7|.5A POP EDX
004478D8|.59 POP ECX
004478D9|.59 POP ECX
004478DA|.64:8910 MOV DWORD PTR FS:,EDX
004478DD|.68 F2784400 PUSH 004478F2
004478E2|>8B45 FC MOV EAX,DWORD PTR SS:
004478E5|.E8 7AFDFFFF CALL 00447664
004478EA\.C3 RETN
Then we arrive at:
00486CAB /74 1F JE SHORT 00486CCC ; this is the key jump that removes the Tip of the Day
00486CAD . |A1 FCA94800 MOV EAX,DWORD PTR DS:
00486CB2 . |8B00 MOV EAX,DWORD PTR DS:
00486CB4 . |8B10 MOV EDX,DWORD PTR DS:
00486CB6 . |FF92 D8000000 CALL DWORD PTR DS:
00486CBC . |A1 C0BD4900 MOV EAX,DWORD PTR DS:
00486CC1 . |E8 26BAFAFF CALL 004326EC
00486CC6 . |50 PUSH EAX ; /hWnd
00486CC7 . |E8 F400F8FF CALL <JMP.&user32.SetForegroundWindow> ; \SetForegroundWindow
00486CCC > \C3 RETN
00486CCD 8D40 00 LEA EAX,DWORD PTR DS:
00486CD0 .55 PUSH EBP
4. "In the unregistered version you can only play 2 levels."
Set a breakpoint on MessageBoxA; once it breaks, return and single-step
0044A9E5|.57 PUSH EDI ; |Title
0044A9E6|.56 PUSH ESI ; |Text
0044A9E7|.8B45 FC MOV EAX,DWORD PTR SS: ; |
0044A9EA|.8B40 24 MOV EAX,DWORD PTR DS: ; |
0044A9ED|.50 PUSH EAX ; |hOwner
0044A9EE|.E8 15C3FBFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0044A9F3|.8945 F8 MOV DWORD PTR SS:,EAX
0044A9F6|.33C0 XOR EAX,EAX
0044A9F8|.5A POP EDX
0044A9F9|.59 POP ECX
0044A9FA|.59 POP ECX
0044A9FB|.64:8910 MOV DWORD PTR FS:,EDX
0044A9FE|.68 5CAA4400 PUSH 0044AA5C
0044AA03|>8B45 EC MOV EAX,DWORD PTR SS:
0044AA06|.3B45 E8 CMP EAX,DWORD PTR SS:
0044AA09|.74 38 JE SHORT 0044AA43
0044AA0B|.6A 1D PUSH 1D
0044AA0D|.6A 00 PUSH 0
0044AA0F|.6A 00 PUSH 0
0044AA11|.8B4D BC MOV ECX,DWORD PTR SS:
0044AA14|.8B55 B4 MOV EDX,DWORD PTR SS:
0044AA17|.2BCA SUB ECX,EDX
0044AA19|.D1F9 SAR ECX,1
We arrive here
00478000/.55 PUSH EBP
00478001|.8BEC MOV EBP,ESP
00478003|.6A 00 PUSH 0
00478005|.6A 00 PUSH 0
00478007|.53 PUSH EBX
00478008|.8BD8 MOV EBX,EAX
0047800A|.33C0 XOR EAX,EAX
0047800C|.55 PUSH EBP
0047800D|.68 D5804700 PUSH 004780D5
00478012|.64:FF30 PUSH DWORD PTR FS:
00478015|.64:8920 MOV DWORD PTR FS:,ESP
00478018|.B8 10270000 MOV EAX,2710
0047801D|.E8 02ABF8FF CALL 00402B24
00478022|.8B15 04A94800 MOV EDX,DWORD PTR DS: ;nag.00498CF4
00478028|.8902 MOV DWORD PTR DS:,EAX
0047802A|.A1 04A94800 MOV EAX,DWORD PTR DS:
0047802F|.8B00 MOV EAX,DWORD PTR DS:
00478031|.8B15 D4A64800 MOV EDX,DWORD PTR DS: ;nag.0049AC78
00478037|.8B12 MOV EDX,DWORD PTR DS:
00478039|.8A0402 MOV AL,BYTE PTR DS:
0047803C|.8B15 04A94800 MOV EDX,DWORD PTR DS: ;nag.00498CF4
00478042|.8B12 MOV EDX,DWORD PTR DS:
00478044|.8B0D 3CA74800 MOV ECX,DWORD PTR DS: ;nag.0049AC7C
0047804A|.8B09 MOV ECX,DWORD PTR DS:
0047804C|.3A0411 CMP AL,BYTE PTR DS:
0047804F 75 69 JNZ SHORT 004780BA ; JMP, skips the prompt that you can only play two levels
00478051|.8B83 D0020000 MOV EAX,DWORD PTR DS:
00478057|.8B80 00020000 MOV EAX,DWORD PTR DS:
0047805D|.40 INC EAX
0047805E|.83F8 02 CMP EAX,2
00478061|.7E 57 JLE SHORT 004780BA
00478063|.6A 00 PUSH 0
00478065|.8D4D FC LEA ECX,DWORD PTR SS:
00478068|.A1 60AA4800 MOV EAX,DWORD PTR DS:
0047806D|.8B00 MOV EAX,DWORD PTR DS:
0047806F|.BA EC804700 MOV EDX,004780EC ;ASCII "r12"
00478074|.E8 7B75F9FF CALL 0040F5F4
00478079|.8B45 FC MOV EAX,DWORD PTR SS:
0047807C|.E8 5FBEF8FF CALL 00403EE0
00478081|.50 PUSH EAX
00478082|.8D4D F8 LEA ECX,DWORD PTR SS:
00478085|.A1 60AA4800 MOV EAX,DWORD PTR DS:
0047808A|.8B00 MOV EAX,DWORD PTR DS:
0047808C|.BA F8804700 MOV EDX,004780F8 ;ASCII "m11"
00478091|.E8 5E75F9FF CALL 0040F5F4
00478096|.8B45 F8 MOV EAX,DWORD PTR SS:
00478099|.E8 42BEF8FF CALL 00403EE0
0047809E|.8BD0 MOV EDX,EAX
004780A0|.A1 74AA4800 MOV EAX,DWORD PTR DS:
004780A5|.8B00 MOV EAX,DWORD PTR DS:
004780A7|.59 POP ECX
004780A8|.E8 6328FDFF CALL 0044A910
004780AD|.33D2 XOR EDX,EDX
004780AF|.8B83 D0020000 MOV EAX,DWORD PTR DS:
004780B5|.E8 72A9FDFF CALL 00452A2C
004780BA|>33C0 XOR EAX,EAX
004780BC|.5A POP EDX
004780BD|.59 POP ECX
004780BE|.59 POP ECX
004780BF|.64:8910 MOV DWORD PTR FS:,EDX
004780C2|.68 DC804700 PUSH 004780DC
004780C7|>8D45 F8 LEA EAX,DWORD PTR SS:
004780CA|.BA 02000000 MOV EDX,2
004780CF|.E8 ECB9F8FF CALL 00403AC0
004780D4\.C3 RETN
Set a breakpoint on MessageBoxA; once it breaks, return and single-step
0044A9E5|.57 PUSH EDI ; |Title
0044A9E6|.56 PUSH ESI ; |Text
0044A9E7|.8B45 FC MOV EAX,DWORD PTR SS: ; |
0044A9EA|.8B40 24 MOV EAX,DWORD PTR DS: ; |
0044A9ED|.50 PUSH EAX ; |hOwner
0044A9EE|.E8 15C3FBFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0044A9F3|.8945 F8 MOV DWORD PTR SS:,EAX
0044A9F6|.33C0 XOR EAX,EAX
0044A9F8|.5A POP EDX
0044A9F9|.59 POP ECX
0044A9FA|.59 POP ECX
0044A9FB|.64:8910 MOV DWORD PTR FS:,EDX
0044A9FE|.68 5CAA4400 PUSH 0044AA5C
0044AA03|>8B45 EC MOV EAX,DWORD PTR SS:
0044AA06|.3B45 E8 CMP EAX,DWORD PTR SS:
0044AA09|.74 38 JE SHORT 0044AA43
0044AA0B|.6A 1D PUSH 1D
0044AA0D|.6A 00 PUSH 0
0044AA0F|.6A 00 PUSH 0
0044AA11|.8B4D BC MOV ECX,DWORD PTR SS:
0044AA14|.8B55 B4 MOV EDX,DWORD PTR SS:
0044AA17|.2BCA SUB ECX,EDX
0044AA19|.D1F9 SAR ECX,1
00477DC8/$55 PUSH EBP
00477DC9|.8BEC MOV EBP,ESP
00477DCB|.33C9 XOR ECX,ECX
00477DCD|.51 PUSH ECX
00477DCE|.51 PUSH ECX
00477DCF|.51 PUSH ECX
00477DD0|.51 PUSH ECX
00477DD1|.53 PUSH EBX
00477DD2|.8BD8 MOV EBX,EAX
00477DD4|.33C0 XOR EAX,EAX
00477DD6|.55 PUSH EBP
00477DD7|.68 9F7F4700 PUSH 00477F9F
00477DDC|.64:FF30 PUSH DWORD PTR FS:
00477DDF|.64:8920 MOV DWORD PTR FS:,ESP
00477DE2|.A1 04A94800 MOV EAX,DWORD PTR DS:
00477DE7|.C700 F2030000 MOV DWORD PTR DS:,3F2
00477DED|.A1 04A94800 MOV EAX,DWORD PTR DS:
00477DF2|.8B00 MOV EAX,DWORD PTR DS:
00477DF4|.8B15 D4A64800 MOV EDX,DWORD PTR DS: ;nag.0049AC78
00477DFA|.8B12 MOV EDX,DWORD PTR DS:
00477DFC|.8A0402 MOV AL,BYTE PTR DS:
00477DFF|.8B15 04A94800 MOV EDX,DWORD PTR DS: ;nag.00498CF4
00477E05|.8B12 MOV EDX,DWORD PTR DS:
00477E07|.8B0D 3CA74800 MOV ECX,DWORD PTR DS: ;nag.0049AC7C
00477E0D|.8B09 MOV ECX,DWORD PTR DS:
00477E0F|.3A0411 CMP AL,BYTE PTR DS:
00477E12 EB 69 JMP SHORT 00477E7D ; keep skipping the popup prompt, then continue single-stepping.
00477E14|.8B83 D0020000 MOV EAX,DWORD PTR DS:
00477E1A|.8B80 00020000 MOV EAX,DWORD PTR DS:
00477E20|.40 INC EAX
00477E21|.83F8 02 CMP EAX,2
00477E24|.7E 57 JLE SHORT 00477E7D
00477E26|.6A 00 PUSH 0
00477E28|.8D4D FC LEA ECX,DWORD PTR SS:
00477E2B|.A1 60AA4800 MOV EAX,DWORD PTR DS:
00477E30|.8B00 MOV EAX,DWORD PTR DS:
00477E32|.BA B47F4700 MOV EDX,00477FB4 ;ASCII "r12"
00477E37|.E8 B877F9FF CALL 0040F5F4
00477E3C|.8B45 FC MOV EAX,DWORD PTR SS:
00477E3F|.E8 9CC0F8FF CALL 00403EE0
00477E44|.50 PUSH EAX
00477E45|.8D4D F8 LEA ECX,DWORD PTR SS:
00477E48|.A1 60AA4800 MOV EAX,DWORD PTR DS:
00477E4D|.8B00 MOV EAX,DWORD PTR DS:
00477E4F|.BA C07F4700 MOV EDX,00477FC0 ;ASCII "m11"
00477E54|.E8 9B77F9FF CALL 0040F5F4
00477E59|.8B45 F8 MOV EAX,DWORD PTR SS:
00477E5C|.E8 7FC0F8FF CALL 00403EE0
00477E61|.8BD0 MOV EDX,EAX
00477E63|.A1 74AA4800 MOV EAX,DWORD PTR DS:
00477E68|.8B00 MOV EAX,DWORD PTR DS:
00477E6A|.59 POP ECX
00477E6B|.E8 A02AFDFF CALL 0044A910
00477E70|.33D2 XOR EDX,EDX
00477E72|.8B83 D0020000 MOV EAX,DWORD PTR DS:
00477E78|.E8 AFABFDFF CALL 00452A2C
00477E7D|>A1 04A94800 MOV EAX,DWORD PTR DS:
00477E82|.8B00 MOV EAX,DWORD PTR DS:
00477E84|.8B15 D4A64800 MOV EDX,DWORD PTR DS: ;nag.0049AC78
00477E8A|.8B12 MOV EDX,DWORD PTR DS:
00477E8C|.8A0402 MOV AL,BYTE PTR DS:
00477E8F|.8B15 04A94800 MOV EDX,DWORD PTR DS: ;nag.00498CF4
00477E95|.8B12 MOV EDX,DWORD PTR DS:
00477E97|.8B0D 3CA74800 MOV ECX,DWORD PTR DS: ;nag.0049AC7C
00477E9D|.8B09 MOV ECX,DWORD PTR DS:
00477E9F|.3A0411 CMP AL,BYTE PTR DS:
00477EA2 EB 6C JMP SHORT 00477F10
00477EA4|.8B83 EC020000 MOV EAX,DWORD PTR DS:
00477EAA|.8B10 MOV EDX,DWORD PTR DS:
00477EAC|.FF92 B4000000 CALL DWORD PTR DS:
00477EB2|.84C0 TEST AL,AL
00477EB4|.74 5A JE SHORT 00477F10
00477EB6|.6A 00 PUSH 0
00477EB8|.8D4D F4 LEA ECX,DWORD PTR SS:
00477EBB|.A1 60AA4800 MOV EAX,DWORD PTR DS:
00477EC0|.8B00 MOV EAX,DWORD PTR DS:
00477EC2|.BA B47F4700 MOV EDX,00477FB4 ;ASCII "r12"
00477EC7|.E8 2877F9FF CALL 0040F5F4
00477ECC|.8B45 F4 MOV EAX,DWORD PTR SS:
00477ECF|.E8 0CC0F8FF CALL 00403EE0
00477ED4|.50 PUSH EAX
00477ED5|.8D4D F0 LEA ECX,DWORD PTR SS:
00477ED8|.A1 60AA4800 MOV EAX,DWORD PTR DS:
00477EDD|.8B00 MOV EAX,DWORD PTR DS:
00477EDF|.BA CC7F4700 MOV EDX,00477FCC ;ASCII "m10"
00477EE4|.E8 0B77F9FF CALL 0040F5F4
00477EE9|.8B45 F0 MOV EAX,DWORD PTR SS:
00477EEC|.E8 EFBFF8FF CALL 00403EE0
00477EF1|.8BD0 MOV EDX,EAX
00477EF3|.A1 74AA4800 MOV EAX,DWORD PTR DS:
00477EF8|.8B00 MOV EAX,DWORD PTR DS:
00477EFA|.59 POP ECX
00477EFB|.E8 102AFDFF CALL 0044A910
00477F00|.33D2 XOR EDX,EDX
00477F02|.8B83 EC020000 MOV EAX,DWORD PTR DS:
00477F08|.8B08 MOV ECX,DWORD PTR DS:
00477F0A|.FF91 B8000000 CALL DWORD PTR DS:
00477F10|>8B83 D0020000 MOV EAX,DWORD PTR DS:
00477F16|.8B80 00020000 MOV EAX,DWORD PTR DS:
00477F1C|.40 INC EAX
00477F1D|.8B15 D8AA4800 MOV EDX,DWORD PTR DS: ;nag.00498CE0
00477F23|.8902 MOV DWORD PTR DS:,EAX
00477F25|.8B83 D4020000 MOV EAX,DWORD PTR DS:
00477F2B|.8A80 00020000 MOV AL,BYTE PTR DS:
00477F31|.8B15 E0A74800 MOV EDX,DWORD PTR DS: ;nag.00498BE4
00477F37|.8802 MOV BYTE PTR DS:,AL
00477F39|.8B83 DC020000 MOV EAX,DWORD PTR DS:
00477F3F|.E8 20F8FFFF CALL 00477764
00477F44|.8B15 88A94800 MOV EDX,DWORD PTR DS: ;nag.00498CD8
00477F4A|.8902 MOV DWORD PTR DS:,EAX
00477F4C|.8B83 EC020000 MOV EAX,DWORD PTR DS:
00477F52|.8B10 MOV EDX,DWORD PTR DS:
00477F54|.FF92 B4000000 CALL DWORD PTR DS:
00477F5A|.8B15 00A94800 MOV EDX,DWORD PTR DS: ;nag.0049968D
00477F60|.8802 MOV BYTE PTR DS:,AL
00477F62|.8B83 F4020000 MOV EAX,DWORD PTR DS:
00477F68|.8B10 MOV EDX,DWORD PTR DS:
00477F6A|.FF92 B4000000 CALL DWORD PTR DS:
00477F70|.8B15 C4A94800 MOV EDX,DWORD PTR DS: ;nag.00499697
00477F76|.8802 MOV BYTE PTR DS:,AL
00477F78|.E8 0F980000 CALL 0048178C ; this is the key CALL, step into it
00477F7D|.8BC3 MOV EAX,EBX
00477F7F|.E8 30F5FCFF CALL 004474B4
00477F84|.33C0 XOR EAX,EAX
00477F86|.5A POP EDX
00477F87|.59 POP ECX
00477F88|.59 POP ECX
00477F89|.64:8910 MOV DWORD PTR FS:,EDX
00477F8C|.68 A67F4700 PUSH 00477FA6
00477F91|>8D45 F0 LEA EAX,DWORD PTR SS:
00477F94|.BA 04000000 MOV EDX,4
00477F99|.E8 22BBF8FF CALL 00403AC0
00477F9E\.C3 RETN
0048178C/$51 PUSH ECX
0048178D|.E8 02F3FFFF CALL 00480A94
00481792|.A1 50AC4800 MOV EAX,DWORD PTR DS:
00481797|.8B00 MOV EAX,DWORD PTR DS:
00481799|.E8 4227F8FF CALL 00403EE0
0048179E|.E8 D1EDFFFF CALL 00480574
004817A3|.B8 E8030000 MOV EAX,3E8
004817A8|.E8 7713F8FF CALL 00402B24
004817AD|.C1E0 02 SHL EAX,2
004817B0|.8B15 04A94800 MOV EDX,DWORD PTR DS: ;nag1.00498CF4
004817B6|.8902 MOV DWORD PTR DS:,EAX
004817B8|.A1 04A94800 MOV EAX,DWORD PTR DS:
004817BD|.8B00 MOV EAX,DWORD PTR DS:
004817BF|.8B15 D4A64800 MOV EDX,DWORD PTR DS: ;nag1.0049AC78
004817C5|.8B12 MOV EDX,DWORD PTR DS:
004817C7|.8A0402 MOV AL,BYTE PTR DS:
004817CA|.8B15 04A94800 MOV EDX,DWORD PTR DS: ;nag1.00498CF4
004817D0|.8B12 MOV EDX,DWORD PTR DS:
004817D2|.8B0D 3CA74800 MOV ECX,DWORD PTR DS: ;nag1.0049AC7C
004817D8|.8B09 MOV ECX,DWORD PTR DS:
004817DA|.3A0411 CMP AL,BYTE PTR DS:
004817DD|.75 25 JNZ SHORT 00481804 ; key jump for removing the level limit
004817DF|.A1 D8AA4800 MOV EAX,DWORD PTR DS:
004817E4|.8338 02 CMP DWORD PTR DS:,2
004817E7|.7E 0B JLE SHORT 004817F4
004817E9|.A1 D8AA4800 MOV EAX,DWORD PTR DS:
004817EE|.C700 01000000 MOV DWORD PTR DS:,1
004817F4|>A1 00A94800 MOV EAX,DWORD PTR DS:
004817F9|.C600 00 MOV BYTE PTR DS:,0
004817FC|.A1 18A84800 MOV EAX,DWORD PTR DS:
00481801|.C600 00 MOV BYTE PTR DS:,0
00481804|>A1 D8AA4800 MOV EAX,DWORD PTR DS:
00481809|.8B00 MOV EAX,DWORD PTR DS:
0048180B|.8B15 70A94800 MOV EDX,DWORD PTR DS: ;nag1.00498CC4
00481811|.8902 MOV DWORD PTR DS:,EAX
00481813|.A1 70AB4800 MOV EAX,DWORD PTR DS:
00481818|.C600 00 MOV BYTE PTR DS:,0
0048181B|.A1 94A94800 MOV EAX,DWORD PTR DS:
00481820|.C600 01 MOV BYTE PTR DS:,1
00481823|.A1 C0BD4900 MOV EAX,DWORD PTR DS:
00481828|.8B80 6C030000 MOV EAX,DWORD PTR DS:
0048182E|.33D2 XOR EDX,EDX
00481830|.E8 43B3FBFF CALL 0043CB78
00481835|.A1 40AB4800 MOV EAX,DWORD PTR DS:
0048183A|.C600 01 MOV BYTE PTR DS:,1
0048183D|.A1 B8A74800 MOV EAX,DWORD PTR DS:
00481842|.C600 00 MOV BYTE PTR DS:,0
00481845|.A1 5CAC4800 MOV EAX,DWORD PTR DS:
0048184A|.C600 00 MOV BYTE PTR DS:,0
0048184D|.E8 9A200000 CALL 004838EC
00481852|.A1 70A94800 MOV EAX,DWORD PTR DS:
00481857|.8B00 MOV EAX,DWORD PTR DS:
00481859|.8B15 A4A64800 MOV EDX,DWORD PTR DS: ;nag1.0048961C
0048185F|.8B4482 FC MOV EAX,DWORD PTR DS:
00481863|.E8 78FCFFFF CALL 004814E0
00481868|.E8 E3FCFFFF CALL 00481550
0048186D|.A1 A8A74800 MOV EAX,DWORD PTR DS:
00481872|.33D2 XOR EDX,EDX
00481874|.8910 MOV DWORD PTR DS:,EDX
00481876|.A1 5CAC4800 MOV EAX,DWORD PTR DS:
0048187B|.8038 00 CMP BYTE PTR DS:,0
0048187E|.74 10 JE SHORT 00481890
00481880|.A1 C0BD4900 MOV EAX,DWORD PTR DS:
00481885|.8B80 6C030000 MOV EAX,DWORD PTR DS:
0048188B|.8B10 MOV EDX,DWORD PTR DS:
0048188D|.FF52 40 CALL DWORD PTR DS:
00481890|>A1 9CA94800 MOV EAX,DWORD PTR DS:
00481895|.C700 6F12833A MOV DWORD PTR DS:,3A83126F
0048189B|.A1 88A94800 MOV EAX,DWORD PTR DS:
004818A0|.8B00 MOV EAX,DWORD PTR DS:
004818A2|.8B15 88A94800 MOV EDX,DWORD PTR DS: ;nag1.00498CD8
004818A8|.F72A IMUL DWORD PTR DS:
004818AA|.8D0440 LEA EAX,DWORD PTR DS:
004818AD|.890424 MOV DWORD PTR SS:,EAX
004818B0|.DB0424 FILD DWORD PTR SS:
004818B3|.83C4 FC ADD ESP,-4
004818B6|.D91C24 FSTP DWORD PTR SS: ; /Arg1
004818B9|.9B WAIT ; |
004818BA|.33C0 XOR EAX,EAX ; |
004818BC|.E8 A7D8FFFF CALL 0047F168 ; \nag1.0047F168
004818C1|.A1 58A84800 MOV EAX,DWORD PTR DS:
004818C6|.33D2 XOR EDX,EDX
004818C8|.8910 MOV DWORD PTR DS:,EDX
004818CA|.6A 00 PUSH 0 ; /Arg1 = 00000000
004818CC|.B8 01000000 MOV EAX,1 ; |
004818D1|.E8 92D8FFFF CALL 0047F168 ; \nag1.0047F168
004818D6|.6A 00 PUSH 0 ; /Arg1 = 00000000
004818D8|.B8 02000000 MOV EAX,2 ; |
004818DD|.E8 86D8FFFF CALL 0047F168 ; \nag1.0047F168
004818E2|.A1 C0BD4900 MOV EAX,DWORD PTR DS:
004818E7|.8B80 DC020000 MOV EAX,DWORD PTR DS:
004818ED|.B2 01 MOV DL,1
004818EF|.E8 0C04FDFF CALL 00451D00
004818F4|.5A POP EDX
004818F5\.C3 RETN
5. "This feature is only available in the registered version!"
Remove the dialog that pops up when clicking TIPS: "This feature is only available in the registered version!"
Set a breakpoint on MessageBoxA; once it breaks, return to
0044A9E5|.57 PUSH EDI ; |Title
0044A9E6|.56 PUSH ESI ; |Text
0044A9E7|.8B45 FC MOV EAX,DWORD PTR SS: ; |
0044A9EA|.8B40 24 MOV EAX,DWORD PTR DS: ; |
0044A9ED|.50 PUSH EAX ; |hOwner
0044A9EE|.E8 15C3FBFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0044A9F3|.8945 F8 MOV DWORD PTR SS:,EAX
0044A9F6|.33C0 XOR EAX,EAX
0044A9F8|.5A POP EDX
0044A9F9|.59 POP ECX
0044A9FA|.59 POP ECX
0044A9FB|.64:8910 MOV DWORD PTR FS:,EDX
0044A9FE|.68 5CAA4400 PUSH 0044AA5C
0044AA03|>8B45 EC MOV EAX,DWORD PTR SS:
0044AA06|.3B45 E8 CMP EAX,DWORD PTR SS:
0044AA09|.74 38 JE SHORT 0044AA43
0044AA0B|.6A 1D PUSH 1D
0044AA0D|.6A 00 PUSH 0
0044AA0F|.6A 00 PUSH 0
0044AA11|.8B4D BC MOV ECX,DWORD PTR SS:
Single-step
00486CD0 .55 PUSH EBP
00486CD1 .8BEC MOV EBP,ESP
00486CD3 .6A 00 PUSH 0
00486CD5 .6A 00 PUSH 0
00486CD7 .53 PUSH EBX
00486CD8 .8BD8 MOV EBX,EAX
00486CDA .33C0 XOR EAX,EAX
00486CDC .55 PUSH EBP
00486CDD .68 AB6D4800 PUSH 00486DAB
00486CE2 .64:FF30 PUSH DWORD PTR FS:
00486CE5 .64:8920 MOV DWORD PTR FS:,ESP
00486CE8 .A1 D4A64800 MOV EAX,DWORD PTR DS:
00486CED .8B00 MOV EAX,DWORD PTR DS:
00486CEF .8A40 64 MOV AL,BYTE PTR DS:
00486CF2 .8B15 3CA74800 MOV EDX,DWORD PTR DS: ;NONAGaa.0049AC7C
00486CF8 .8B12 MOV EDX,DWORD PTR DS:
00486CFA .3A42 64 CMP AL,BYTE PTR DS:
00486CFD .75 54 JNZ SHORT 00486D53 ; JMP, skips the registered-version-only prompt
00486CFF .6A 00 PUSH 0
00486D01 .8D4D FC LEA ECX,DWORD PTR SS:
00486D04 .A1 60AA4800 MOV EAX,DWORD PTR DS:
00486D09 .8B00 MOV EAX,DWORD PTR DS:
00486D0B .BA C06D4800 MOV EDX,00486DC0 ;ASCII "r12"
00486D10 .E8 DF88F8FF CALL 0040F5F4
00486D15 .8B45 FC MOV EAX,DWORD PTR SS:
00486D18 .E8 C3D1F7FF CALL 00403EE0
00486D1D .50 PUSH EAX
00486D1E .8D4D F8 LEA ECX,DWORD PTR SS:
00486D21 .A1 60AA4800 MOV EAX,DWORD PTR DS:
Actually the simplest method: from the language file we can see that M10 is "This feature is only available in the registered version!"
So we can use the string search to find and skip every jump that leads to the "This feature is only available in the registered version!" prompt.
0047C00B|.8B83 E0020000 MOV EAX,DWORD PTR DS:
0047C011|.8B10 MOV EDX,DWORD PTR DS:
0047C013|.FF92 B4000000 CALL DWORD PTR DS:
0047C019|.84C0 TEST AL,AL
0047C01B|.75 5A JNZ SHORT 0047C077 ; change to JMP
0047C01D|.6A 00 PUSH 0
0047C01F|.8D4D FC LEA ECX,DWORD PTR SS:
0047C022|.A1 60AA4800 MOV EAX,DWORD PTR DS:
0047C027|.8B00 MOV EAX,DWORD PTR DS:
0047C029|.BA A8C04700 MOV EDX,0047C0A8 ;r12
0047C02E|.E8 C135F9FF CALL 0040F5F4
0047C033|.8B45 FC MOV EAX,DWORD PTR SS:
0047C036|.E8 A57EF8FF CALL 00403EE0
0047C03B|.50 PUSH EAX
0047C03C|.8D4D F8 LEA ECX,DWORD PTR SS:
0047C03F|.A1 60AA4800 MOV EAX,DWORD PTR DS:
0047C044|.8B00 MOV EAX,DWORD PTR DS:
0047C046|.BA B4C04700 MOV EDX,0047C0B4 ;m10
0047C04B|.E8 A435F9FF CALL 0040F5F4
0047C050|.8B45 F8 MOV EAX,DWORD PTR SS:
0047C053|.E8 887EF8FF CALL 00403EE0
0047C058|.8BD0 MOV EDX,EAX
0047C05A|.A1 74AA4800 MOV EAX,DWORD PTR DS:
0047C05F|.8B00 MOV EAX,DWORD PTR DS:
0047C061|.59 POP ECX
0047C062|.E8 A9E8FCFF CALL 0044A910
0047C067|.B2 01 MOV DL,1
0047C069|.8B83 E0020000 MOV EAX,DWORD PTR DS:
0047C06F|.8B08 MOV ECX,DWORD PTR DS:
0047C071|.FF91 B8000000 CALL DWORD PTR DS:
0047C077|>33C0 XOR EAX,EAX
0047C079|.5A POP EDX
0047C07A|.59 POP ECX
0047C07B|.59 POP ECX
0047C07C|.64:8910 MOV DWORD PTR FS:,EDX
0047C07F|.68 99C04700 PUSH 0047C099
0047C084|>8D45 F8 LEA EAX,DWORD PTR SS:
0047C087|.BA 02000000 MOV EDX,2
0047C08C|.E8 2F7AF8FF CALL 00403AC0
0047C091\.C3 RETN
00477EB4|. /74 5A JE SHORT 00477F10 JMP
00477EB6|. |6A 00 PUSH 0
00477EB8|. |8D4D F4 LEA ECX,DWORD PTR SS:
00477EBB|. |A1 60AA4800 MOV EAX,DWORD PTR DS:
00477EC0|. |8B00 MOV EAX,DWORD PTR DS:
00477EC2|. |BA B47F4700 MOV EDX,00477FB4 ;r12
00477EC7|. |E8 2877F9FF CALL 0040F5F4
00477ECC|. |8B45 F4 MOV EAX,DWORD PTR SS:
00477ECF|. |E8 0CC0F8FF CALL 00403EE0
00477ED4|. |50 PUSH EAX
00477ED5|. |8D4D F0 LEA ECX,DWORD PTR SS:
00477ED8|. |A1 60AA4800 MOV EAX,DWORD PTR DS:
00477EDD|. |8B00 MOV EAX,DWORD PTR DS:
00477EDF|. |BA CC7F4700 MOV EDX,00477FCC ;m10
00477EE4|. |E8 0B77F9FF CALL 0040F5F4
00477EE9|. |8B45 F0 MOV EAX,DWORD PTR SS:
00477EEC|. |E8 EFBFF8FF CALL 00403EE0
00477EF1|. |8BD0 MOV EDX,EAX
00477EF3|. |A1 74AA4800 MOV EAX,DWORD PTR DS:
00477EF8|. |8B00 MOV EAX,DWORD PTR DS:
00477EFA|. |59 POP ECX
00477EFB|. |E8 102AFDFF CALL 0044A910
00477F00|. |33D2 XOR EDX,EDX
00477F02|. |8B83 EC020000 MOV EAX,DWORD PTR DS:
00477F08|. |8B08 MOV ECX,DWORD PTR DS:
00477F0A|. |FF91 B8000000 CALL DWORD PTR DS:
00477F10|> \8B83 D0020000 MOV EAX,DWORD PTR DS:
00477F16|.8B80 00020000 MOV EAX,DWORD PTR DS:
00477F1C|.40 INC EAX
00477F1D|.8B15 D8AA4800 MOV EDX,DWORD PTR DS: ;CrazyTet.00498CE0
00477F23|.8902 MOV DWORD PTR DS:,EAX
00477F25|.8B83 D4020000 MOV EAX,DWORD PTR DS:
00477F2B|.8A80 00020000 MOV AL,BYTE PTR DS:
00477F31|.8B15 E0A74800 MOV EDX,DWORD PTR DS: ;CrazyTet.00498BE4
00477F37|.8802 MOV BYTE PTR DS:,AL
00477F39|.8B83 DC020000 MOV EAX,DWORD PTR DS:
00477F3F|.E8 20F8FFFF CALL 00477764
00477F44|.8B15 88A94800 MOV EDX,DWORD PTR DS: ;CrazyTet.00498CD8
6. "In the unregistered version you can only choose the first 10 faces."
0047C39C 8B15 04A94800 MOV EDX,DWORD PTR DS: ; 等级限制.00498CF4
0047C3A2 8902 MOV DWORD PTR DS:,EAX
0047C3A4 A1 04A94800 MOV EAX,DWORD PTR DS:
0047C3A9 8B00 MOV EAX,DWORD PTR DS:
0047C3AB 8B15 D4A64800 MOV EDX,DWORD PTR DS: ; 等级限制.0049AC78
0047C3B1 8B12 MOV EDX,DWORD PTR DS:
0047C3B3 8A0402 MOV AL,BYTE PTR DS:
0047C3B6 8B15 04A94800 MOV EDX,DWORD PTR DS: ; 等级限制.00498CF4
0047C3BC 8B12 MOV EDX,DWORD PTR DS:
0047C3BE 8B0D 3CA74800 MOV ECX,DWORD PTR DS: ; 等级限制.0049AC7C
0047C3C4 8B09 MOV ECX,DWORD PTR DS:
0047C3C6 3A0411 CMP AL,BYTE PTR DS:
0047C3C9 75 6B JNZ SHORT 0047C436 JMP
0047C3CB 8B83 E0020000 MOV EAX,DWORD PTR DS:
0047C3D1 83B8 F4010000 0>CMP DWORD PTR DS:,0A
0047C3D8 7E 5C JLE SHORT 0047C436
0047C3DA 6A 00 PUSH 0
0047C3DC 8D4D FC LEA ECX,DWORD PTR SS:
0047C3DF A1 60AA4800 MOV EAX,DWORD PTR DS:
0047C3E4 8B00 MOV EAX,DWORD PTR DS:
0047C3E6 BA 90C44700 MOV EDX,0047C490 ; ASCII "r12"
0047C3EB E8 0432F9FF CALL 0040F5F4
0047C3F0 8B45 FC MOV EAX,DWORD PTR SS:
0047C3F3 E8 E87AF8FF CALL 00403EE0
0047C3F8 50 PUSH EAX
0047C3F9 8D4D F8 LEA ECX,DWORD PTR SS:
0047C3FC A1 60AA4800 MOV EAX,DWORD PTR DS:
0047C401 8B00 MOV EAX,DWORD PTR DS:
0047C403 BA 9CC44700 MOV EDX,0047C49C ; ASCII "m12"
0047C408 E8 E731F9FF CALL 0040F5F4
0047C40D 8B45 F8 MOV EAX,DWORD PTR SS:
0047C410 E8 CB7AF8FF CALL 00403EE0
0047C415 8BD0 MOV EDX,EAX
0047C417 A1 74AA4800 MOV EAX,DWORD PTR DS:
0047C41C 8B00 MOV EAX,DWORD PTR DS:
0047C41E 59 POP ECX
0047C41F E8 ECE4FCFF CALL 0044A910
0047C424 BA 06000000 MOV EDX,6
0047C429 8B83 E0020000 MOV EAX,DWORD PTR DS:
7. "You can only save a game record 1 time"
HISCORE.DAT is the record file.
Using the string search we find:
Ultra String Reference, item 933
Address=0047C91A
Disassembly=MOV ECX,0047CA58
Text string=HiScore.dat
Go to address 0047C91A
Single-step out
0047888C .53 PUSH EBX
0047888D .56 PUSH ESI
0047888E .57 PUSH EDI
0047888F .55 PUSH EBP
00478890 .51 PUSH ECX
00478891 .8BF8 MOV EDI,EAX
00478893 .E8 30400000 CALL 0047C8C8
00478898 .A1 04A94800 MOV EAX,DWORD PTR DS:
0047889D .C700 F2030000 MOV DWORD PTR DS:,3F2
004788A3 .A1 04A94800 MOV EAX,DWORD PTR DS:
004788A8 .8B00 MOV EAX,DWORD PTR DS:
004788AA .8B15 D4A64800 MOV EDX,DWORD PTR DS: ;等级限制.0049AC78
004788B0 .8B12 MOV EDX,DWORD PTR DS:
004788B2 .8A0402 MOV AL,BYTE PTR DS:
004788B5 .8B15 04A94800 MOV EDX,DWORD PTR DS: ;等级限制.00498CF4
004788BB .8B12 MOV EDX,DWORD PTR DS:
004788BD .8B0D 3CA74800 MOV ECX,DWORD PTR DS: ;等级限制.0049AC7C
004788C3 .8B09 MOV ECX,DWORD PTR DS:
004788C5 .3A0411 CMP AL,BYTE PTR DS:
004788C8 75 53 JNZ SHORT 0047891D ; change to JMP and the limit is gone
004788CA .BD 06000000 MOV EBP,6
004788CF .A1 38A74800 MOV EAX,DWORD PTR DS:
004788D4 .05 84000000 ADD EAX,84
004788D9 .890424 MOV DWORD PTR SS:,EAX
004788DC >BE 09000000 MOV ESI,9
004788E1 .8B0424 MOV EAX,DWORD PTR SS:
004788E4 .8BD8 MOV EBX,EAX
004788E6 >56 PUSH ESI
004788E7 .57 PUSH EDI
004788E8 .BE A4894700 MOV ESI,004789A4 ;ASCII 0E,"<UNREGISTERED>"
004788ED .8BFB MOV EDI,EBX
004788EF .B9 03000000 MOV ECX,3
004788F4 .F3:A5 REP MOVSD
004788F6 .66:A5 MOVSW
004788F8 .A4 MOVSB
004788F9 .5F POP EDI
004788FA .5E POP ESI
004788FB .C743 2C 00008>MOV DWORD PTR DS:,BF800000
8. Removing the unregistered watermark from the image
Search for the string UNREGISTERED
Before running:
0048380F /E9 AD000000 JMP 004838C1
While running:
00480465|.8B12 MOV EDX,DWORD PTR DS:
00480467|.8B0D 3CA74800 MOV ECX,DWORD PTR DS: ;修改了标.0049AC7C
0048046D|.8B09 MOV ECX,DWORD PTR DS:
0048046F|.3A0411 CMP AL,BYTE PTR DS:
00480472|.0F85 AC000000 JNZ 00480524 JMP
00480478|.A1 40AC4800 MOV EAX,DWORD PTR DS:
0048047D|.8B00 MOV EAX,DWORD PTR DS:
0048047F|.E8 94B4F9FF CALL 0041B918
00480484|.8BD8 MOV EBX,EAX
00486612|.55 PUSH EBP
00486613|.68 EC6B4800 PUSH 00486BEC
00486618|.64:FF32 PUSH DWORD PTR FS:
0048661B|.64:8922 MOV DWORD PTR FS:,ESP
0048661E|.8B15 F8A94800 MOV EDX,DWORD PTR DS: ;去水印.00499696
00486624|.803A 00 CMP BYTE PTR DS:,0
00486627 75 00 JNZ SHORT 00486629 ; don't let it jump, change it directly to 75 00
00486629|.8B80 AC030000 MOV EAX,DWORD PTR DS:
0048662F|.33D2 XOR EDX,EDX
00486631|.E8 4265FBFF CALL 0043CB78
00486636|.E9 83050000 JMP 00486BBE
0048663B|>B8 AA0F0000 MOV EAX,0FAA
00486640|.E8 DFC4F7FF CALL 00402B24
00486645|.8B15 04A94800 MOV EDX,DWORD PTR DS: ;去水印.00498CF4
0048664B|.8902 MOV DWORD PTR DS:,EAX
0048664D|.A1 04A94800 MOV EAX,DWORD PTR DS:
00486652|.8B00 MOV EAX,DWORD PTR DS:
00486654|.8B15 D4A64800 MOV EDX,DWORD PTR DS: ;去水印.0049AC78
0048665A|.8B12 MOV EDX,DWORD PTR DS:
0048665C|.8A0402 MOV AL,BYTE PTR DS:
0048665F|.8B15 04A94800 MOV EDX,DWORD PTR DS: ;去水印.00498CF4
00486665|.8B12 MOV EDX,DWORD PTR DS:
00486667|.8B0D 3CA74800 MOV ECX,DWORD PTR DS: ;去水印.0049AC7C
0048666D|.8B09 MOV ECX,DWORD PTR DS:
0048666F|.3A0411 CMP AL,BYTE PTR DS:
00486672|.75 5B JNZ SHORT 004866CF
9. Registration info
Again use DEDE to locate 00485A9C B810270000 mov eax, $00002710
00485A9C .B8 10270000 MOV EAX,2710
00485AA1 .E8 7ED0F7FF CALL 00402B24
00485AA6 .8B15 04A94800 MOV EDX,DWORD PTR DS: ;CrazyTet.00498CF4
00485AAC .8902 MOV DWORD PTR DS:,EAX
00485AAE .A1 04A94800 MOV EAX,DWORD PTR DS:
00485AB3 .8B00 MOV EAX,DWORD PTR DS:
00485AB5 .8B15 D4A64800 MOV EDX,DWORD PTR DS: ;CrazyTet.0049AC78
00485ABB .8B12 MOV EDX,DWORD PTR DS:
00485ABD .8A0402 MOV AL,BYTE PTR DS:
00485AC0 .8B15 04A94800 MOV EDX,DWORD PTR DS: ;CrazyTet.00498CF4
00485AC6 .8B12 MOV EDX,DWORD PTR DS:
00485AC8 .8B0D 3CA74800 MOV ECX,DWORD PTR DS: ;CrazyTet.0049AC7C
00485ACE .8B09 MOV ECX,DWORD PTR DS:
00485AD0 .3A0411 CMP AL,BYTE PTR DS:
00485AD3 .74 10 JE SHORT 00485AE5 ; NOP it out
00485AD5 .A1 1CAC4800 MOV EAX,DWORD PTR DS:
00485ADA .8B00 MOV EAX,DWORD PTR DS:
00485ADC .8B10 MOV EDX,DWORD PTR DS:
00485ADE .FF92 D8000000 CALL DWORD PTR DS: ;CrazyTet.0044771C
00485AE4 .C3 RETN
00485AE5 >A1 D0A64800 MOV EAX,DWORD PTR DS:
00485AEA .8B00 MOV EAX,DWORD PTR DS:
00485AEC .8B10 MOV EDX,DWORD PTR DS:
00485AEE .FF92 D8000000 CALL DWORD PTR DS:
00485AF4 .C3 RETN
10. Changing the unregistered marker in the title:
Ultra String Reference, item 1050
Address=00481AB7
Disassembly=MOV EDX,00481CE4
Text string= (UNREGISTERED)
00481CE6 55 PUSH EBP
00481CE7 4E DEC ESI
00481CE8 52 PUSH EDX
00481CE9 45 INC EBP
00481CEA 47 INC EDI
00481CEB 49 DEC ECX
00481CEC 53 PUSH EBX
00481CED 54 PUSH ESP
00481CEE 45 INC EBP
00481CEF 52 PUSH EDX
00481CF0 45 INC EBP
00481CF1 44 INC ESP
00481CF2 2900 SUB DWORD PTR DS:,EAX
Change it to: by: assume
Binary-paste the bytes in
62 79 3A 20 61 73 73 75 6D 65 20 29 00 00
--------------------------------------------------------------------------------
【Summary of experience】
1.004874F9|.74 05 JE SHORT 00487500 ; file-name check, change 74 to EB
2.00487914 74 16 JE SHORT 0048792C ; this is the key jump, if it doesn't jump the NAG is removed
3.004442C1 .74 12 JE SHORT 004442D5 ; skip this CALL to remove the NAG
4.00486CAB /74 1F JE SHORT 00486CCC ; this is the key jump for removing the Tip of the Day
5.0047804F 75 69 JNZ SHORT 004780BA ; JMP skips the prompt that only two levels can be played
6.00477E12 EB 69 JMP SHORT 00477E7D ; keep skipping the pop-up prompt boxes, then continue single-stepping
7.00477EA2 /EB 6C JMP SHORT 00477F10
8.004817DD|.75 25 JNZ SHORT 00481804
9.0047C3C9 75 6B JNZ SHORT 0047C436 JMP
10.00486CFD /EB 54 JMP SHORT 00486D53
11.0047C009 /EB 6C JMP SHORT 0047C077
12.004788C8 75 53 JNZ SHORT 0047891D ; change to JMP and the restriction is removed
13.0048380F /E9 AD000000 JMP 004838C1
14.00480472|.0F85 AC000000 JNZ 00480524 JMP
15.00486627 75 00 JNZ SHORT 00486629 ; don't let it jump, change it directly to 7500
16.00485AD3 .74 10 JE SHORT 00485AE5 ; NOP it out, or change to 7400
--------------------------------------------------------------------------------
【Copyright notice】: This article is a write-up for the PYG 10th-round exam question. When reposting, please credit the author and keep the article intact. Thanks!
2010-06-28 03:36:33 PM
If there are mistakes, please point them out.
1. On unpacking
First ignore memory access exceptions and int exceptions. After reaching the last exception, a breakpoint on either GetModuleHandle or GetProcAddress will locate the Magic Jump.
0051C571 81E3 FFFFFF7F and ebx,7FFFFFFF
0051C577 53 push ebx
0051C578 FFB5 5AD34000 push dword ptr ss:
0051C57E FF95 EABA4000 call dword ptr ss: ; kernel32.GetProcAddress
0051C584 40 inc eax
0051C585 48 dec eax
0051C586 75 33 jnz short CrazyTet.0051C5BB
0051C588 58 pop eax
0051C589 F9 stc
0051C58A ^0F82 61FDFFFF jb CrazyTet.0051C2F1
0051C590 47 inc edi
0051C591 44 inc esp
0051C3CF /0F84 30010000 je CrazyTet.0051C505
0051C3D5 |80A5 E1CC4000 > and byte ptr ss:,0FF
0051C3DC |0F84 23010000 je CrazyTet.0051C505 ; magic jump
0051C3E2 |89BD 6AD44000 mov dword ptr ss:,edi
0051C3E8 |8B85 62D44000 mov eax,dword ptr ss:
0051C3EE |40 inc eax
After modifying the jump, a memory breakpoint takes you to the OEP.
00487420 55 push ebp //OEP
00487421 8BEC mov ebp,esp
00487423 B9 08000000 mov ecx,8
00487428 6A 00 push 0
0048742A 6A 00 push 0
0048742C 49 dec ecx
===================================================
2. On cracking
After unpacking there is a file-name check, which can be located with a breakpoint on ExitProcess.
I divided the restrictions into two kinds: those about dialog boxes and those about feature limits.
1. The feature limits include:
the game parameter settings (checked in several places), the unregistered text shown in the title bar and background, and the register button in the menu bar. The feature checks look very similar, so a byte signature can be used to locate all of these places.
For example, this is the menu registration prompt:
00485AA1 .E8 7ED0F7FF call 00402B24
00485AA6 .8B15 04A94800 mov edx, dword ptr ds: ;CrazyTet.00498CF4
00485AAC .8902 mov dword ptr ds:, eax
00485AAE .A1 04A94800 mov eax, dword ptr ds:
00485AB3 .8B00 mov eax, dword ptr ds:
00485AB5 .8B15 D4A64800 mov edx, dword ptr ds: ;CrazyTet.0049AC78
00485ABB .8B12 mov edx, dword ptr ds:
00485ABD .8A0402 mov al, byte ptr ds:
00485AC0 .8B15 04A94800 mov edx, dword ptr ds: ;CrazyTet.00498CF4
00485AC6 .8B12 mov edx, dword ptr ds:
00485AC8 .8B0D 3CA74800 mov ecx, dword ptr ds: ;CrazyTet.0049AC7C
00485ACE .8B09 mov ecx, dword ptr ds:
00485AD0 .3A0411 cmp al, byte ptr ds:
00485AD3 .74 10 je short 00485AE5 ; menu registration check
Take the following segment as the signature, binary-copy it and search with Ctrl+B; 14 places are found, all of them feature checks.
00485AA6 .8B15 04A94800 mov edx, dword ptr ds: ;CrazyTet.00498CF4
00485AAC .8902 mov dword ptr ds:, eax
00485AAE .A1 04A94800 mov eax, dword ptr ds:
00485AB3 .8B00 mov eax, dword ptr ds:
00485AB5 .8B15 D4A64800 mov edx, dword ptr ds: ;CrazyTet.0049AC78
00485ABB .8B12 mov edx, dword ptr ds:
00485ABD .8A0402 mov al, byte ptr ds:
00485AC0 .8B15 04A94800 mov edx, dword ptr ds: ;CrazyTet.00498CF4
00485AC6 .8B12 mov edx, dword ptr ds:
00485AC8 .8B0D 3CA74800 mov ecx, dword ptr ds: ;CrazyTet.0049AC7C
00485ACE .8B09 mov ecx, dword ptr ds:
00485AD0 .3A0411 cmp al, byte ptr ds:
Binary code:
8B 15 04 A9 48 00 89 02 A1 04 A9 48 00 8B 00 8B 15 D4 A6 48 00 8B 12 8A 04 02 8B 15 04 A9 48 00
8B 12 8B 0D 3C A7 48 00 8B 09 3A 04 11
2. The dialog boxes include:
the unregistered prompt at startup, the TIPS at startup, and the small NAG on close. These windows can be located with ShowWindow or with the F12 pause method.
2.1 The registration prompt at startup
F12 breaks here:
00486C58 .803D 64A64800>cmp byte ptr ds:, 0 ; hardware breakpoint to find where it is first assigned
00486C5F .74 16 je short 00486C77
00486C61 .C605 64A64800>mov byte ptr ds:, 0
00486C68 .A1 14AA4800 mov eax, dword ptr ds:
00486C6D .8B00 mov eax, dword ptr ds:
00486C6F .8B10 mov edx, dword ptr ds:
00486C71 .FF92 D8000000 call dword ptr ds:
00486C77 >C3 retn
0048791B .E8 FCC3F7FF call 00403D1C
00487920 .2D B4000000 sub eax, 0B4
00487925 .74 0D je short 00487934
00487927 .83E8 02 sub eax, 2
0048792A .74 08 je short 00487934
0048792C .A1 70AC4800 mov eax, dword ptr ds:
00487931 C600 00 mov byte ptr ds:, 1 ; this place should be assigned 0
After F12 breaks, there is a SetForegroundWindow below it, which is what displays the TIP.
2.2 The tip prompt at startup
00486CAB . /74 1F je short 00486CCC
00486CAD . |A1 FCA94800 mov eax, dword ptr ds:
00486CB2 . |8B00 mov eax, dword ptr ds:
00486CB4 . |8B10 mov edx, dword ptr ds:
00486CB6 . |FF92 D8000000 call dword ptr ds: ; the TIP prompt at startup
00486CBC . |A1 C0BD4900 mov eax, dword ptr ds:
00486CC1 . |E8 26BAFAFF call 004326EC
00486CC6 . |50 push eax ; /hWnd
00486CC7 . |E8 F400F8FF call <jmp.&user32.SetForegroundWindow> ; \SetForegroundWindow
00486CCC > \C3 retn
Actually it was this SetForegroundWindow that tipped me off: when switching among the three windows (the main window TForm1, the registration window TRegForm, and the Tip window), the order of the three windows has to be set.
2.3 Handling the exit nag with F12
004442B9 .66:83B8 7A020>cmp word ptr ds:, 0
004442C1 74 12 je short 004442D5
004442C3 .8BCA mov ecx, edx
004442C5 .8BD8 mov ebx, eax
004442C7 .8BD0 mov edx, eax
004442C9 .8B83 7C020000 mov eax, dword ptr ds:
004442CF .FF93 78020000 call dword ptr ds: ; the exit nag
004442D5 >5B pop ebx
004442D6 .C3 retn
NAG:
00487914|. /74 16 je short 0048792C ; suspicious
00487916|. |A1 3CBF4900 mov eax, dword ptr
0048791B|. |E8 FCC3F7FF call 00403D1C
00487920|. |2D B4000000 sub eax, 0B4
00487925|. |74 0D je short 00487934
00487927|. |83E8 02 sub eax, 2
0048792A|. |74 08 je short 00487934
0048792C|> \A1 70AC4800 mov eax, dword ptr
00487931 C600 01 mov byte ptr , 1 ; the Nag's global variable
00487934|>8B0D ECAB4800 mov ecx, dword ptr ;CrazyTet.0049BDC0
TIP:
1
00486C85 8D40 00 lea eax, dword ptr
00486C88 .8B15 14AA4800 mov edx, dword ptr ;CrazyTet.0048C1F8
00486C8E .8B12 mov edx, dword ptr
00486C90 .807A 47 00 cmp byte ptr , 0
00486C94 75 36 jnz short 00486CCC
00486C96 .33D2 xor edx, edx
00486C98 .8B80 B8030000 mov eax, dword ptr
00486C9E .E8 5DB0FCFF call 00451D00
00486CA3 .A1 F8AA4800 mov eax, dword ptr
00486CA8 .8038 00 cmp byte ptr , 0
00486CAB 74 1F je short 00486CCC ; Tip dialog
00486CAD .A1 FCA94800 mov eax, dword ptr
00486CB2 .8B00 mov eax, dword ptr
00486CB4 .8B10 mov edx, dword ptr
00486CB6 .FF92 D8000000 call dword ptr
2
0047C006|.3A42 64 cmp al, byte ptr
0047C009 75 6C jnz short 0047C077
0047C00B|.8B83 E0020000 mov eax, dword ptr
Cancelling tips from the menu:
00486CE8 .A1 D4A64800 mov eax, dword ptr
00486CED .8B00 mov eax, dword ptr
00486CEF .8A40 64 mov al, byte ptr
00486CF2 .8B15 3CA74800 mov edx, dword ptr ;CrazyTet.0049AC7C
00486CF8 .8B12 mov edx, dword ptr
00486CFA .3A42 64 cmp al, byte ptr
00486CFD 75 54 jnz short 00486D53 ; cancel tip in the menu
00486CFF .6A 00 push 0
00486D01 .8D4D FC lea ecx, dword ptr
Choosing the difficulty level:
0047804A|.8B09 mov ecx, dword ptr
0047804C|.3A0411 cmp al, byte ptr
0047804F 75 69 jnz short 004780BA ; choose difficulty level
00478051|.8B83 D0020000 mov eax, dword ptr
00478057|.8B80 00020000 mov eax, dword ptr
0047805D|.40 inc eax
0047805E|.83F8 02 cmp eax, 2
00478061|.7E 57 jle short 004780BA
00478063|.6A 00 push 0
00478065|.8D4D FC lea ecx, dword ptr
00478068|.A1 60AA4800 mov eax, dword ptr
OK button:
1.
00477E0F|.3A0411 cmp al, byte ptr
00477E12 75 69 jnz short 00477E7D ; OK button
00477E14|.8B83 D0020000 mov eax, dword ptr
00477E1A|.8B80 00020000 mov eax, dword ptr
00477E20|.40 inc eax
00477E21|.83F8 02 cmp eax, 2
00477E24|.7E 57 jle short 00477E7D
00477E26|.6A 00 push 0
2
00477E97|.8B0D 3CA74800 mov ecx, dword ptr ;CrazyTet.0049AC7C
00477E9D|.8B09 mov ecx, dword ptr
00477E9F|.3A0411 cmp al, byte ptr
00477EA2 EB 6C jmp short 00477F10
00477EA4|.8B83 EC020000 mov eax, dword ptr
Unregistered:
0048046F|.3A0411 cmp al, byte ptr
00480472 0F85 AC000000 jnz 00480524 ;unregister
00480478|.A1 40AC4800 mov eax, dword ptr
Clearing a line:
0047F5E3|.3A0411 cmp al, byte ptr
0047F5E6 0F85 AC000000 jnz 0047F698
0047F5EC|.A1 A0A74800 mov eax, dword ptr
0047F5F1|.8B00 mov eax, dword ptr
Unregistered watermark at startup:
0048380C|.3A0411 cmp al, byte ptr
0048380F|.0F85 AC000000 jnz 004838C1
Unregistered in the title:
00481AAD .3A0411 cmp al, byte ptr
00481AB0 .75 14 jnz short 00481AC6 ; unregistered in the title
00481AB2 .A1 CCA74800 mov eax, dword ptr
File-name check:
004874E8|.A1 74A94800 mov eax, dword ptr
004874ED|.8B00 mov eax, dword ptr ; file-name check?
004874EF|.BA 587A4800 mov edx, 00487A58 ;ASCII "CRAZYTET.EXE"
004874F4|.E8 33C9F7FF call 00403E2C
004874F9|.74 05 je short 00487500 ; exits if the file name is wrong
Training mode:
00478146|.8B09 mov ecx, dword ptr
00478148|.3A0411 cmp al, byte ptr
0047814B|.75 6C jnz short 004781B9
Start button:
004817D8|.8B09 mov ecx, dword ptr
004817DA|.3A0411 cmp al, byte ptr
004817DD|.75 25 jnz short 00481804
004817DF|.A1 D8AA4800 mov eax, dword ptr
004817E4|.8338 02 cmp dword ptr , 2
004817E7|.7E 0B jle short 004817F4
004817E9|.A1 D8AA4800 mov eax, dword ptr
Startup menu:
00480E8F|.8B09 mov ecx, dword ptr
00480E91|.3A0411 cmp al, byte ptr
00480E94|.75 05 jnz short 00480E9B
00480E96|.E8 A5FCFFFF call 00480B40
00480E9B|>A1 04A94800 mov eax, dword ptr
00480EA0|.8B00 mov eax, dword ptr
00480EA2|.8B15 D4A64800 mov edx, dword ptr ;CrazyTet.0049AC78
00480EA8|.8B12 mov edx, dword ptr
00480EAA|.8A0402 mov al, byte ptr
00480EAD|.8B15 04A94800 mov edx, dword ptr ;CrazyTet.00498CF4
00480EB3|.8B12 mov edx, dword ptr
00480EB5|.8B0D 3CA74800 mov ecx, dword ptr ;CrazyTet.0049AC7C
00480EBB|.8B09 mov ecx, dword ptr
00480EBD|.3A0411 cmp al, byte ptr
00480EC0|.74 05 je short 00480EC7
00480EC2|.E8 79FCFFFF call 00480B40
Registered:
00485ACE .8B09 mov ecx, dword ptr
00485AD0 .3A0411 cmp al, byte ptr
00485AD3 .74 10 je short 00485AE5
Exit NAG:
004442C1 . /74 12 je short 004442D5
004442C3 . |8BCA mov ecx, edx
004442C5 . |8BD8 mov ebx, eax
004442C7 . |8BD0 mov edx, eax
004442C9 . |8B83 7C020000 mov eax, dword ptr
004442CF . |FF93 78020000 call dword ptr
004442D5 > \5B pop ebx
The tip checkmark in the menu:
1
0047E3F0|.A1 F8AA4800 mov eax, dword ptr
0047E3F5|.0F9400 sete byte ptr
2
00481C4F .8B09 mov ecx, dword ptr
00481C51 .3A5401 01 cmp dl, byte ptr ;(initial cpu selection)
00481C55 75 08 jnz short 00481C5F
00481C57 .A1 F8AA4800 mov eax, dword ptr
00481C5C .C600 01 mov byte ptr , 1
00481C5F >8B15 F8AA4800 mov edx, dword ptr ;CrazyTet.0049AE18
Saving game records:
1
0047C3C4|.8B09 mov ecx, dword ptr
0047C3C6|.3A0411 cmp al, byte ptr
0047C3C9|.75 6B jnz short 0047C436
0047C3CB|.8B83 E0020000 mov eax, dword ptr
0047C3D1|.83B8 F4010000>cmp dword ptr , 0A
2
0047C7AC .8B09 mov ecx, dword ptr
0047C7AE .3A0411 cmp al, byte ptr
0047C7B1 .75 13 jnz short 0047C7C6
3
004788BD .8B0D 3CA74800 mov ecx, dword ptr ;CrazyTet.0049AC7C
004788C3 .8B09 mov ecx, dword ptr
004788C5 .3A0411 cmp al, byte ptr
004788C8 .75 53 jnz short 0047891D
game quick load:
0048666D|.8B09 mov ecx, dword ptr
0048666F|.3A0411 cmp al, byte ptr
00486672|.75 5B jnz short 004866CF
Unknown:
1
00478E90|.3A0411 cmp al, byte ptr
00478E93|.75 6E jnz short 00478F03
00478E95|.8B83 EC020000 mov eax, dword ptr
2
0048208E|.3A0411 cmp al, byte ptr
00482091|.0F85 9E000000 jnz 00482135
00482097|.A1 70A94800 mov eax, dword ptr
Group 2, manbug: analysis for the final lesson
Software: Crazy Tetris
First, the packer check shows tElock 0.98b2 -> tE!. Since my skill is limited, I downloaded an unpacking script from the internet, unpacked it and repaired it.
After saving it under a different file name, the program would not start. Setting a breakpoint on ExitProcess and looking at the stack brings you to:
004874EF|.BA 587A4800 mov edx, <dword_487A58> ;ASCII "CRAZYTET.EXE"
004874F4|.E8 33C9F7FF call <System::__linkproc__ LStrCmp(vo>
004874F9 74 05 je short <loc_487500>
004874FB E8 64C4F7FF call <System::__linkproc__ Halt0(void>
00487500 >|>33C0 xor eax, eax ;loc_487500
This shows the program compares its own file name, so it won't run once renamed. You can simply NOP out these two lines:
004874F9 74 05 je short <loc_487500>
004874FB E8 64C4F7FF call <System::__linkproc__ Halt0(void>
If you don't rename it, there is no need to NOP them.
Now to the main topic. Load the unpacked file directly in OD and run with F9. It prompts that it is unregistered; ignore that and click Cancel. The Tip of the Day window pops up, and when we click Show Tips on Start-up an information box says this feature is only available in the registered version. This is our entry point. Pause OD and look at the call stack; the last line reads:
Call stack: main thread, entry 19
Address=0012F410
Stack=0047C067
Procedure / arguments=? <CRAZYTET.Forms::TApplication::MessageBox(char *,char *,int)>
Called from=CRAZYTET.TTipsForm@CheckBox1Click+86
Frame=0012F40C
Double-click to reach the code at:
0047C062 >|.E8 A9E8FCFF call <Forms::TApplication::MessageBox> ;forms.TApplication.MessageBox(TApplication;PChar;PChar;Longint):Integer;
0047C067|.B2 01 mov dl, 1
0047C069 >|.8B83 E0020000 mov eax, dword ptr ;CheckBox1:TCheckBox
0047C06F|.8B08 mov ecx, dword ptr
0047C071|.FF91 B8000000 call near dword ptr
Look upward for a comparison or jump of some kind; not far above we see:
0047BFF4|.A1 D4A64800 mov eax, dword ptr [<off_48A6D4>]
0047BFF9|.8B00 mov eax, dword ptr
0047BFFB|.8A40 64 mov al, byte ptr
0047BFFE|.8B15 3CA74800 mov edx, dword ptr [<off_48A73C>] ;<CRAZYTET.unk_49AC7C>
0047C004|.8B12 mov edx, dword ptr
0047C006|.3A42 64 cmp al, byte ptr
0047C009|.75 6C jnz short <loc_47C077>
0047C00B >|.8B83 E0020000 mov eax, dword ptr ;CheckBox1:TCheckBox
0047C011|.8B10 mov edx, dword ptr
0047C013|.FF92 B4000000 call near dword ptr
0047C019|.84C0 test al, al
0047C01B|.75 5A jnz short <loc_47C077>
0047C01D|.6A 00 push 0
0047C01F|.8D4D FC lea ecx,
Two JNZ jumps both point to the same place. Analyzing from 47BFF4, it seems to compare two memory values and skip the prompt if they differ. Set a breakpoint at 0047C009|.75 6C jnz short <loc_47C077>, press F9 to continue, and click Show Tips on Start-up again; it breaks. We see that the jnz is not taken, so we change the flag to make it jump and press F9; the unregistered prompt is gone, which means the change is correct.
Right-click 0047BFF4|.A1 D4A64800 mov eax, dword ptr [<off_48A6D4>] and find references to the address constant; many places access this address directly. Clicking into them one by one, most turn out to be hidden checks. What now? Let's think it over: the program must decide between registered and unregistered somewhere at startup; once that place is found, there is no need to patch the hidden checks one by one, which would be exhausting.
Using the following two lines
0047BFF4|.A1 D4A64800 mov eax, dword ptr [<off_48A6D4>]
0047BFFE|.8B15 3CA74800 mov edx, dword ptr [<off_48A73C>]
find references to the address constants, set breakpoints at every place found, then restart the program in OD.
After passing two breakpoints we arrive here:
004875DE >|> /B8 02000000 /mov eax, 2 ;loc_4875DE
004875E3|. |E8 3CB5F7FF |call <System::__linkproc__ RandInt(void)>
004875E8|. |83F8 01 |cmp eax, 1
004875EB|. |0F94C2 |sete dl
004875EE|. |8B0D D4A64800 |mov ecx, dword ptr [<off_48A6D4>] ;<CRAZYTET.unk_49AC78>
004875F4|. |8B09 |mov ecx, dword ptr
004875F6|. |881419 |mov byte ptr , dl
004875F9|. |48 |dec eax
004875FA|. |0F94C0 |sete al
004875FD|. |8B15 3CA74800 |mov edx, dword ptr [<off_48A73C>] ;<CRAZYTET.unk_49AC7C>
00487603|. |8B12 |mov edx, dword ptr
00487605|. |88041A |mov byte ptr , al
00487608|. |43 |inc ebx
00487609|. |81FB 11270000 |cmp ebx, 2711
0048760F|.^\75 CD \jnz short <loc_4875DE>
This loop fills the memory pointed to by [] and [] randomly with 0 or 1, written in sync. Continuing with F9 we come to:
00480D7C > A1 D4A64800 /mov eax, dword ptr [<off_48A6D4>] ;loc_480D7C
00480D81 8B00 |mov eax, dword ptr
00480D83 8A0430 |mov al, byte ptr
00480D86 8B15 3CA74800 |mov edx, dword ptr [<off_48A73C>] ;<CRAZYTET.unk_49AC7C>
00480D8C 8B12 |mov edx, dword ptr
00480D8E 880432 |mov byte ptr , al
00480D91 46 |inc esi
00480D92 81FE 11270000 |cmp esi, 2711
00480D98 ^ 75 E2 \jnz short <loc_480D7C>
This just copies what [] pointed to earlier into []. Doesn't that seem redundant? Looking upward, we find it was jumped to from:
00480D54 /75 24 jnz short <loc_480D7A>
00480D56|. |33F6 xor esi, esi
00480D58 >|> |A1 D4A64800 /mov eax, dword ptr [<off_48A6D4>] ;loc_480D58
00480D5D|. |8B00 |mov eax, dword ptr
00480D5F|. |8A0430 |mov al, byte ptr
00480D62|. |34 01 |xor al, 1
00480D64|. |8B15 3CA74800 |mov edx, dword ptr [<off_48A73C>] ;<CRAZYTET.unk_49AC7C>
00480D6A|. |8B12 |mov edx, dword ptr
00480D6C|. |880432 |mov byte ptr , al
00480D6F|. |46 |inc esi
00480D70|. |81FE 11270000 |cmp esi, 2711
00480D76|.^|75 E0 \jnz short <loc_480D58>
00480D78|. |EB 20 jmp short <loc_480D9A>
00480D7A >|> \33F6 xor esi, esi ;loc_480D7A
Analyzing it, the segment above inverts what [] points to and stores the result into []. Could this be what we are looking for??
NOP out the line 00480D54 /75 24 jnz short <loc_480D7A> directly and try again; it now shows as registered, but a prompt window still pops up at startup saying unregistered, so there is one more check. I remember NISY saying you can set a bp ShowWindow breakpoint. With the breakpoint set, restart in OD and watch the stack. After several tries, when the stack window shows
0012E79C 0044727A/CALL 到 ShowWindow 来自 CRAZYTET.00447275
0012E7A0 006A0364|hWnd = 006A0364 ('Crazy Tetris',class='TForm3',parent=006103FE)
with class='TForm3', that is the prompt window. Remove the ShowWindow breakpoint and press Alt+F9 to return to the program's own code.
After countless F8 steps we reach a loop, the one Nisy mentioned in his lecture:
00447861|> /8B03 /mov eax, dword ptr
00447863|. |E8 BC2D0000 |call 0044A624
00447868|. |8B03 |mov eax, dword ptr
0044786A|. |80B8 8C000000>|cmp byte ptr , 0
00447871|. |74 0F |je short 00447882
00447873|. |8B45 FC |mov eax,
00447876|. |C780 34020000>|mov dword ptr , 2
00447880|. |EB 14 |jmp short 00447896
00447882|> |8B45 FC |mov eax,
00447885|. |83B8 34020000>|cmp dword ptr , 0
0044788C|. |74 08 |je short 00447896
0044788E|. |8B45 FC |mov eax,
00447891|. |E8 26FDFFFF |call 004475BC
00447896|> |8B45 FC |mov eax,
00447899|. |8B80 34020000 |mov eax, dword ptr
0044789F|. |85C0 |test eax, eax
004478A1|.^\74 BE \je short 00447861
Set a breakpoint at 004478A3|.8945 F8 mov , eax, run with F9, and close that prompt window directly; OD breaks. Keep single-stepping with F8 to see where this function returns to; after N more F8 steps we reach:
00486C58 .803D 64A64800>cmp byte ptr , 0
00486C5F .74 16 je short 00486C77
00486C61 .C605 64A64800>mov byte ptr , 0
00486C68 .A1 14AA4800 mov eax, dword ptr
00486C6D .8B00 mov eax, dword ptr
00486C6F .8B10 mov edx, dword ptr
00486C71 .FF92 D8000000 call near dword ptr
00486C77 >C3 retn
Look above: there is a comparison and a jump, and this is the key spot. We could change je to jne directly, but that method is not very reliable.
00486C58 .803D 64A64800>cmp byte ptr , 0
00486C5F .74 16 je short 00486C77
Note that this should be a global variable. Set a hardware access breakpoint on the data at 48a664 to see who accesses this value, and restart the program.
A hardware breakpoint exception occurs below at:
0048792C|> \A1 70AC4800 mov eax, dword ptr
00487931|.C600 01 mov byte ptr , 1
00487934|>8B0D ECAB4800 mov ecx, dword ptr ;CRAZYTET.0049BDC0
As you can see, this assigns the value at program initialization; we only need to change mov byte ptr , 1 to mov byte ptr , 0.
At this point the crack is complete.
To summarize, three places were changed in total, really two; the first is the change to the file-name check:
1.004874F9|. /74 05 je short <loc_487500>
004874FB|. |E8 64C4F7FF call <System::__linkproc__ Halt0(void)> ; NOP out these two lines, and the file can actually be renamed
2.00480D54 /75 24 jnz short <loc_480D7A> ; NOP out the above, so the two memory blocks end up with different contents
3.00487931|.C600 01 mov byte ptr , 1 ; change the above to mov byte ptr , 0
and that's it.
Reply to 1# Nisy
Learned something; I don't know anything at all.
Reply to 7# manbug
Learned something, impressive!
【Article title】: Crazy Tetris exam-question crack write-up
【Author】: sun50
【Author email】: [email protected]
【Software name】: Crazy Tetris
【Packer】: tElock 0.98b2 -> tE!
Cracking notes:
My notes from the time are lost; this was redone later.
The packer check shows tElock, which I can't unpack, so I downloaded an unpacker from Pediy and unpacked it. Then I found that after changing the file name the program won't start. Setting a breakpoint on ExitProcess,
I found:
004874EF BA 587A4800 MOV EDX,00487A58 ASCII "CRAZYTET.EXE"
004874F4 E8 33C9F7FF CALL 00403E2C
004874F9 74 05 JE SHORT 00487500 // change to jmp and it starts under a new name
004874FB E8 64C4F7FF CALL 00403964
There is a registration Nag at startup; using the F12 pause method, I located:
00486C58 803D 64A64800 0>CMP BYTE PTR DS:,0
00486C5F 74 16 JE SHORT 00486C77 // change to jmp to skip the nag
00486C61 C605 64A64800 0>MOV BYTE PTR DS:,0
00486C68 A1 14AA4800 MOV EAX,DWORD PTR DS:
00486C6D 8B00 MOV EAX,DWORD PTR DS:
00486C6F 8B10 MOV EDX,DWORD PTR DS:
00486C71 FF92 D8000000 CALL DWORD PTR DS:
00486C77 C3 RETN
Software feature restrictions
After analysis, the software's registration-check code is all much the same, so replace it directly with UltraEdit:
FF92B400000084C075
FF92B400000084C0EB
8B093A041175
8B093A0411EB
8B123A426475
8B123A4264EB
8338000F849F000000
83380090e99F000000
3A04110F85AC000000
3A041190e9AC000000
0047C013 FF92 B4000000 CALL DWORD PTR DS:
0047C019 84C0 TEST AL,AL
0047C01B 75 5A JNZ SHORT 0047C077
0047804A 8B09 MOV ECX,DWORD PTR DS:
0047804C 3A0411 CMP AL,BYTE PTR DS:
0047804F 75 69 JNZ SHORT 004780BA
00478146 8B09 MOV ECX,DWORD PTR DS:
00478148 3A0411 CMP AL,BYTE PTR DS:
0047814B 75 6C JNZ SHORT 004781B9
00477E0D 8B09 MOV ECX,DWORD PTR DS:
00477E0F 3A0411 CMP AL,BYTE PTR DS:
00477E12 75 69 JNZ SHORT 00477E7D
00486CF8 8B12 MOV EDX,DWORD PTR DS:
00486CFA 3A42 64 CMP AL,BYTE PTR DS:
00486CFD 75 54 JNZ SHORT 00486D53
004798B5 837D FC 00 CMP DWORD PTR SS:,0
004798B9 0F84 CF010000 JE 00479A8E
004846E7 8338 00 CMP DWORD PTR DS:,0
004846EA 0F84 9F000000 JE 0048478F
0048380C 3A0411 CMP AL,BYTE PTR DS:
0048380F 0F85 AC000000 JNZ 004838C1
Most of the feature restrictions are removed, but an error occurs when closing the program.
Find the key spot and change it:
004475DF FF92 D0000000 CALL DWORD PTR DS:
004475E5 84C0 TEST AL,AL
004475E7 74 26 JE SHORT 0044760F // change to JMP SHORT 00447631
Given my limited skill, a lot is still unanalyzed. Please correct any mistakes!