qq-msg 3.0 破解记录
破解记录:1.bp rtcMsgbox
破解了三个功能限制
a.记录保存文件夹选择的修改.
b.导出限制
c.打印限制
2.万能断点法.破解已注册、获取图片、获取文字!
00406FE8 .816C24 04 FFF>sub dword ptr , 0FFFF
00406FF0 .E9 6BCF0000 jmp 00413F60
00406FF5 .816C24 04 FFF>sub dword ptr , 0FFFF
00406FFD .E9 6EE00000 jmp 00415070
00407002 .816C24 04 F70>sub dword ptr , 0F7
0040700A .E9 41E50000 jmp 00415550
0040700F .816C24 04 B30>sub dword ptr , 0B3
00407017 .E9 64E60000 jmp 00415680
0040701C .816C24 04 B30>sub dword ptr , 0B3
00407024 .E9 A71B0100 jmp 00418BD0
00407029 .816C24 04 B30>sub dword ptr , 0B3
00407031 .E9 EA480100 jmp 0041B920
略去一部分.
部分断点.
00416075 qq-msg_3 已禁止 call dword ptr [<&MSVBVM60.__vbaB
00416097 qq-msg_3 已禁止 je 0041613B 破解1 已注册
0041C891 qq-msg_3 已禁止 je 0041CAD3 破解3 万能断点,这里获取图片记录
00420CED qq-msg_3 已禁止 je 00420EA7 破解2 万能断点,这里获取文字记录
就是通过这样一步一步破解,完毕
00439153 qq-msg_3 已禁止 je 00439318 密码验证
0043AFDB qq-msg_3 已禁止 jnz 0043B06B 破解四
77E4FBBC USER32 始终 rep movs dword ptr es:, dwo
万能断点的使用详细说明。(还可通过直接查找二进制字符串816C24下断)
首先运行程序,在运行受限制的地方下断,再运行,断下后,alt+f9返回,往上找比较,或者在断首看来自哪里。
万能断点+,之后如下:
00438E10 > \55 push ebp //跳转来自 00403412
00438E11 .8BEC mov ebp, esp
00438E13 .83EC 18 sub esp, 18
00438E16 .68 06274000 push <jmp.&MSVBVM60.__vbaExceptHandle>;SE 处理程序安装
略去一大堆...
00438FFE .68 C8954000 push 004095C8 ; /szKey = "setupmm"
00439003 .68 74804000 push 00408074 ; |Section = "clongxue"
00439008 .68 74804000 push 00408074 ; |AppName = "clongxue"
0043900D .FF15 C0114000 call dword ptr [<&MSVBVM60.#689>] ; \rtcGetSetting
00439013 .8BD0 mov edx, eax
00439015 .8D4D DC lea ecx, dword ptr
00439018 .FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
略去一大堆...
00439086 .51 push ecx
00439087 .FF15 68104000 call dword ptr [<&MSVBVM60.__vbaHresultCheckObj>] ;MSVBVM60.__vbaHresultCheckObj
0043908D .8985 9CFEFFFF mov dword ptr , eax
00439093 .EB 0A jmp short 0043909F
00439095 >C785 9CFEFFFF 00000000 mov dword ptr , 0
0043909F >8B55 D8 mov edx, dword ptr ;获取到密码
004390A2 .8995 A0FEFFFF mov dword ptr , edx
004390A8 .C745 D8 00000000 mov dword ptr , 0
004390AF .8B85 A0FEFFFF mov eax, dword ptr
004390B5 .8945 CC mov dword ptr , eax
004390B8 .C745 C4 08000000 mov dword ptr , 8
004390BF .8D4D C4 lea ecx, dword ptr
004390C2 .51 push ecx
004390C3 .8D55 B4 lea edx, dword ptr
004390C6 .52 push edx
004390C7 .FF15 9C104000 call dword ptr [<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
004390CD .8D45 B4 lea eax, dword ptr
004390D0 .50 push eax
004390D1 .8D4D A4 lea ecx, dword ptr
004390D4 .51 push ecx
004390D5 .FF15 50104000 call dword ptr [<&MSVBVM60.#518>] ;MSVBVM60.rtcLowerCaseVar
004390DB .8D55 DC lea edx, dword ptr
004390DE .8995 FCFEFFFF mov dword ptr , edx
004390E4 .C785 F4FEFFFF 08400000 mov dword ptr , 4008
004390EE .8D85 F4FEFFFF lea eax, dword ptr
004390F4 .50 push eax
004390F5 .8D4D 94 lea ecx, dword ptr
004390F8 .51 push ecx
004390F9 .FF15 9C104000 call dword ptr [<&MSVBVM60.#520>] ;MSVBVM60.rtcTrimVar
004390FF .8D55 94 lea edx, dword ptr
00439102 .52 push edx
00439103 .8D45 84 lea eax, dword ptr
00439106 .50 push eax
00439107 .FF15 50104000 call dword ptr [<&MSVBVM60.#518>] ;MSVBVM60.rtcLowerCaseVar
0043910D .8D4D A4 lea ecx, dword ptr
00439110 .51 push ecx ; /var18
00439111 .8D55 84 lea edx, dword ptr ; |
00439114 .52 push edx ; |var28
00439115 .FF15 CC104000 call dword ptr [<&MSVBVM60.__vbaVarTstEq>] ; \__vbaVarTstEq
0043911B .66:8985 B8FEFFFF mov word ptr , ax
00439122 .8D4D D4 lea ecx, dword ptr
00439125 .FF15 18124000 call dword ptr [<&MSVBVM60.__vbaFreeObj>] ;MSVBVM60.__vbaFreeObj
0043912B .8D45 84 lea eax, dword ptr
0043912E .50 push eax
0043912F .8D4D A4 lea ecx, dword ptr
00439132 .51 push ecx
00439133 .8D55 94 lea edx, dword ptr
00439136 .52 push edx
00439137 .8D45 B4 lea eax, dword ptr
0043913A .50 push eax
0043913B .8D4D C4 lea ecx, dword ptr
0043913E .51 push ecx
0043913F .6A 05 push 5
00439141 .FF15 30104000 call dword ptr [<&MSVBVM60.__vbaFreeVarList>] ;MSVBVM60.__vbaFreeVarList
00439147 .83C4 18 add esp, 18
0043914A .0FBF95 B8FEFFFF movsx edx, word ptr
00439151 .85D2 test edx, edx
00439153 .0F84 BF010000 je 00439318 ;密码验证处
00439159 .C745 FC 06000000 mov dword ptr , 6
00439160 .833D 10014400 00 cmp dword ptr , 0
00439167 .75 1C jnz short 00439185
00439169 .68 10014400 push 00440110
0043916E .68 CC2F4000 push 00402FCC
00439173 .FF15 80114000 call dword ptr [<&MSVBVM60.__vbaNew2>] ;MSVBVM60.__vbaNew2
00439179 .C785 98FEFFFF 10014400 mov dword ptr , 00440110
来到00403412这里,
004033F0 .816C24 04 53000000 sub dword ptr , 53
004033F8 E9 135A0300 jmp 00438E10 ;确定之后登陆程序 与nag调换一下
004033FD .816C24 04 4F000000 sub dword ptr , 4F
00403405 .E9 46600300 jmp 00439450
0040340A .816C24 04 57000000 sub dword ptr , 57
00403412 E9 A9600300 jmp 004394C0 ;加载nag
00403417 816C24 04 57000000 sub dword ptr , 57
0040341F .E9 2C6F0300 jmp 0043A350
00403424 .816C24 04 4B000000 sub dword ptr , 4B
0040342C .E9 8F6F0300 jmp 0043A3C0 ;获取密码输入程序
00403431 .816C24 04 47000000 sub dword ptr , 47
00403439 .E9 22700300 jmp 0043A460 ;
------------------------------------------------------------------------------------------------------------------------
密码验证处
------------------------------------------------------------------------------------------------------------------------
00415680 > \55 push ebp
00415681 .8BEC mov ebp, esp
00415683 .83EC 18 sub esp, 18
00415686 .68 06274000 push <jmp.&MSVBVM60.__vbaExceptHandle>;SE 处理程序安装
0041568B .64:A1 00000000 mov eax, dword ptr fs:
....略去一大堆...
00415FE5 .68 B07B4000 push 00407BB0 ; /szKey = "zcmm"
00415FEA .68 74804000 push 00408074 ; |Section = "clongxue"
00415FEF .68 74804000 push 00408074 ; |AppName = "clongxue"
00415FF4 .FF15 C0114000 call dword ptr [<&MSVBVM60.#689>] ; \rtcGetSetting
00415FFA .8BD0 mov edx, eax
00415FFC .8D4D 90 lea ecx, dword ptr
00415FFF .FF15 F4114000 call dword ptr [<&MSVBVM60.__vbaStrMo>;MSVBVM60.__vbaStrMove
00416005 .C745 FC 19000000 mov dword ptr , 19
0041600C .C785 30FEFFFF F0794000 mov dword ptr , 004079F0 ;UNICODE "xue"
00416016 .C785 28FEFFFF 08000000 mov dword ptr , 8
00416020 .6A 01 push 1
00416022 .8B55 90 mov edx, dword ptr
00416025 .52 push edx
00416026 .68 1C814000 push 0040811C ;UNICODE "leiw3-mbodr-9ewto-nmbio"
0041602B .6A 00 push 0
0041602D .FF15 84114000 call dword ptr [<&MSVBVM60.__vbaInStr>;MSVBVM60.__vbaInStr
00416033 .8985 20FEFFFF mov dword ptr , eax
00416039 .C785 18FEFFFF 03000000 mov dword ptr , 3
00416043 .6A 01 push 1
00416045 .8D45 98 lea eax, dword ptr
00416048 .50 push eax
00416049 .8D8D 28FEFFFF lea ecx, dword ptr
0041604F .51 push ecx
00416050 .6A 00 push 0
00416052 .8D95 FCFEFFFF lea edx, dword ptr
00416058 .52 push edx
00416059 .FF15 5C114000 call dword ptr [<&MSVBVM60.__vbaInStr>;MSVBVM60.__vbaInStrVar
0041605F .50 push eax
00416060 .8D85 18FEFFFF lea eax, dword ptr
00416066 .50 push eax
00416067 .8D8D ECFEFFFF lea ecx, dword ptr
0041606D .51 push ecx
0041606E .FF15 1C114000 call dword ptr [<&MSVBVM60.__vbaVarAn>;MSVBVM60.__vbaVarAnd
00416074 .50 push eax
00416075 .FF15 A8104000 call dword ptr [<&MSVBVM60.__vbaBoolV>;MSVBVM60.__vbaBoolVarNull
0041607B .66:8985 C4FDFFFF mov word ptr , ax
00416082 .8D8D FCFEFFFF lea ecx, dword ptr
00416088 .FF15 1C104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVar
0041608E .0FBF95 C4FDFFFF movsx edx, word ptr
00416095 .85D2 test edx, edx
00416097 .0F84 9E000000 je 0041613B ;爆破点--更改为已注册!!!第一处
0041609D .C745 FC 1A000000 mov dword ptr , 1A
004160A4 .833D 10004400 00 cmp dword ptr , 0
004160AB .75 1C jnz short 004160C9
004160AD .68 10004400 push 00440010
004160B2 .68 20554000 push 00405520
004160B7 .FF15 80114000 call dword ptr [<&MSVBVM60.__vbaNew2>>;MSVBVM60.__vbaNew2
004160BD .C785 28FDFFFF 10004400 mov dword ptr , 00440010
004160C7 .EB 0A jmp short 004160D3
004160C9 >C785 28FDFFFF 10004400 mov dword ptr , 00440010
004160D3 >8B85 28FDFFFF mov eax, dword ptr
004160D9 .8B08 mov ecx, dword ptr
004160DB .898D C4FDFFFF mov dword ptr , ecx
004160E1 .68 50814000 push 00408150 ;UNICODE "qq-msg 3.0 2009("
004160E6 .8B95 C4FDFFFF mov edx, dword ptr
略去一大堆...
004188BB .8B85 C4FDFFFF mov eax, dword ptr
004188C1 .8B08 mov ecx, dword ptr
004188C3 .8B95 C4FDFFFF mov edx, dword ptr
004188C9 .52 push edx
004188CA .FF91 A4000000 call dword ptr
004188D0 .DBE2 fclex //alt+F9返回到这里.
------------------------------------------------------------------------------------------------------------------------
已注册
------------------------------------------------------------------------------------------------------------------------
http://115.com/file/anrrh4vd#qqmsg3.0.rar 想玩的就自己练习吧