我破这个软件一个星期，也没破解，请高手指教！！

wjk7222 · 发表于 2008-2-26 20:54:18

我破这个软件一个星期，也没破解，请高手指教！！最好能写详细过程，谢谢！！

wjk7222 · 发表于 2008-2-26 20:56:16

我是刚学习破解知识的小菜鸟，请手指教

yjz1409276 · 发表于 2008-2-27 09:19:45

https://www.chinapyg.com/viewthread.php?tid=27128&highlight=
参考我的破解版。具体的过程没写。只有一个破解文件。你可以跟一下看看是怎么回事。

nszy007 · 发表于 2008-2-27 09:50:46

首先脱壳，这个不说了。。。。
载入程序后随意输入注册码，再根据错误提示的字符串来到下面这里
0040AB8D .  6A 02             push 2
0040AB8F .  6A 00             push 0
0040AB91 .  6A 00             push 0
0040AB93 .  55                push ebp
0040AB94 .  FFD7             call edi
0040AB96 .  6A 00             push 0                         ; /pOverlapped = NULL
0040AB98 .  8D4424 18       lea eax,dword ptr ss:[esp+18]    ; |
0040AB9C .  50                push eax                         ; |pBytesWritten
0040AB9D .  68 80000000       push 80                         ; |nBytesToWrite = 80 (128.)
0040ABA2 .  8D8C24 E4000000 lea ecx,dword ptr ss:[esp+E4]    ; |
0040ABA9 .  51                push ecx                         ; |Buffer
0040ABAA .  55                push ebp                         ; |hFile
0040ABAB .  FFD6             call esi                         ; \WriteFile
0040ABAD .  55                push ebp                         ; /hObject
0040ABAE .  FF15 20E34300    call dword ptr ds:[<&kernel32.Clo>; \CloseHandle
0040ABB4 .  6A 01             push 1
0040ABB6 .  E8 41D90100       call dumped_.004284FC
0040ABBB >  68 34014400       push dumped_.00440134          ;  invalid sn number!
0040ABC0 .  E8 31330000       call dumped_.0040DEF6
0040ABC5 .  E8 83130000       call dumped_.0040BF4D

其中0040ABBB就是错误提示，它由0040A7A6跳来，
0040A782 .  8D4C24 70       lea ecx,dword ptr ss:[esp+70]
0040A786 .  51                push ecx                         ; /Arg1
0040A787 .  8D4C24 20       lea ecx,dword ptr ss:[esp+20]    ; |
0040A78B .  E8 A0E1FFFF       call dumped_.00408930          ; \dumped_.00408930
0040A790 .  8B86 6C040000    mov eax,dword ptr ds:[esi+46C]
0040A796 .  334424 78       xor eax,dword ptr ss:[esp+78]
0040A79A .  6A 00             push 0
0040A79C .  3B86 68040000    cmp eax,dword ptr ds:[esi+468]
0040A7A2 .  8BCE             mov ecx,esi
0040A7A4 .  6A 00             push 0
0040A7A6 .  0F85 0F040000    jnz dumped_.0040ABBB
0040A7AC .  68 70014400       push dumped_.00440170          ;  注册成功,请重新启动软件
0040A7B1 .  E8 40370000       call dumped_.0040DEF6
0040A7B6 .  68 03010000       push 103
0040A7BB .  8D9424 5D010000 lea edx,dword ptr ss:[esp+15D]
0040A7C2 .  6A 00             push 0
0040A7C4 .  52                push edx
0040A7C5 .  E8 B6D10100       call dumped_.00427980

而0040A78B则是判断注册码的关键CALL，进入后段首下断点
重载程序，程序断下后取消断点，F8步进来到下面的地址：
00407A1D .  8D4C24 2C       lea ecx,dword ptr ss:[esp+2C]    ; |
00407A21 .  E8 0A0F0000       call dumped_.00408930          ; \dumped_.00408930
00407A26 .  8BBC24 DC000000 mov edi,dword ptr ss:[esp+DC]
00407A2D .  6A 58             push 58
00407A2F .  8D8C24 D8000000 lea ecx,dword ptr ss:[esp+D8]
00407A36 .  6A 00             push 0
00407A38 .  51                push ecx
00407A39 .  E8 42FF0100       call dumped_.00427980
00407A3E .  6A 7F             push 7F
00407A40 .  8D9424 AD020000 lea edx,dword ptr ss:[esp+2AD]
00407A47 .  6A 00             push 0
00407A49 .  52                push edx
00407A4A .  33EF             xor ebp,edi
00407A4C .  E8 2FFF0100       call dumped_.00427980
00407A51 .  8DBC24 B4020000 lea edi,dword ptr ss:[esp+2B4]
00407A58 .  83C4 18          add esp,18
00407A5B .  66:C78424 9C020000>mov word ptr ss:[esp+29C],63
00407A65 .  83C7 FF          add edi,-1
00407A68 >  8A47 01          mov al,byte ptr ds:[edi+1]
00407A6B .  83C7 01          add edi,1
00407A6E .  84C0             test al,al
00407A70 .^ 75 F6             jnz short dumped_.00407A68
00407A72 .  66:A1 9CF04300    mov ax,word ptr ds:[43F09C]
00407A78 .  66:8907          mov word ptr ds:[edi],ax
00407A7B .  8DBC24 9C020000 lea edi,dword ptr ss:[esp+29C]
00407A82 .  83C7 FF          add edi,-1
00407A85 >  8A47 01          mov al,byte ptr ds:[edi+1]
00407A88 .  83C7 01          add edi,1
00407A8B .  84C0             test al,al
00407A8D .^ 75 F6             jnz short dumped_.00407A85
00407A8F .  66:8B0D 98F04300 mov cx,word ptr ds:[43F098]
00407A96 .  6A 0A             push 0A                         ; /pFileSystemNameSize = 0000000A
00407A98 .  6A 00             push 0                         ; |pFileSystemNameBuffer = NULL
00407A9A .  6A 00             push 0                         ; |pFileSystemFlags = NULL
00407A9C .  6A 00             push 0                         ; |pMaxFilenameLength = NULL
00407A9E .  8D5424 24       lea edx,dword ptr ss:[esp+24]    ; |
00407AA2 .  52                push edx                         ; |pVolumeSerialNumber
00407AA3 .  6A 0C             push 0C                         ; |MaxVolumeNameSize = C (12.)
00407AA5 .  6A 00             push 0                         ; |VolumeNameBuffer = NULL
00407AA7 .  8D8424 B8020000 lea eax,dword ptr ss:[esp+2B8] ; |
00407AAE .  50                push eax                         ; |RootPathName
00407AAF .  66:890F          mov word ptr ds:[edi],cx       ; |
00407AB2 .  FF15 ACE24300    call dword ptr ds:[<&kernel32.Get>; \GetVolumeInformationA
00407AB8 .  6A 7F             push 7F
00407ABA .  8D8C24 21030000 lea ecx,dword ptr ss:[esp+321]
00407AC1 .  6A 00             push 0
00407AC3 .  51                push ecx
00407AC4 .  C68424 28030000 00 mov byte ptr ss:[esp+328],0
00407ACC .  E8 AFFE0100       call dumped_.00427980
00407AD1 .  8B4424 20       mov eax,dword ptr ss:[esp+20]
00407AD5 .  6A 10             push 10
00407AD7 .  8D9424 2C030000 lea edx,dword ptr ss:[esp+32C]
00407ADE .  52                push edx
00407ADF .  50                push eax
00407AE0 .  E8 A4320300       call dumped_.0043AD89
00407AE5 .  68 80000000       push 80
00407AEA .  8D8C24 38030000 lea ecx,dword ptr ss:[esp+338]
00407AF1 .  6A 00             push 0
00407AF3 .  51                push ecx
00407AF4 .  E8 87FE0100       call dumped_.00427980
00407AF9 .  33C0             xor eax,eax                      ; |
00407AFB .  6A 10             push 10                         ; |Arg3 = 00000010
00407AFD .  8D9424 54010000 lea edx,dword ptr ss:[esp+154] ; |
00407B04 .  52                push edx                         ; |Arg2
00407B05 .  68 17966482       push 82649617                   ; |Arg1 = 82649617
00407B0A .  898424 5C010000 mov dword ptr ss:[esp+15C],eax ; |
00407B11 .  898424 60010000 mov dword ptr ss:[esp+160],eax ; |
00407B18 .  898424 64010000 mov dword ptr ss:[esp+164],eax ; |
00407B1F .  898424 68010000 mov dword ptr ss:[esp+168],eax ; |
00407B26 .  E8 5E320300       call dumped_.0043AD89          ; \dumped_.0043AD89
00407B2B .  83C4 30          add esp,30
00407B2E .  8D4424 7C       lea eax,dword ptr ss:[esp+7C]
00407B32 .  50                push eax
00407B33 .  8D4C24 2C       lea ecx,dword ptr ss:[esp+2C]
00407B37 .  E8 54060000       call dumped_.00408190
00407B3C .  8D8424 2C010000 lea eax,dword ptr ss:[esp+12C]
00407B43 .  8D48 01          lea ecx,dword ptr ds:[eax+1]
00407B46 >  8A10             mov dl,byte ptr ds:[eax]
00407B48 .  83C0 01          add eax,1
00407B4B .  84D2             test dl,dl
00407B4D .^ 75 F7             jnz short dumped_.00407B46
00407B4F .  2BC1             sub eax,ecx
00407B51 .  50                push eax
00407B52 .  8D8C24 30010000 lea ecx,dword ptr ss:[esp+130]
00407B59 .  51                push ecx
00407B5A .  8D9424 84000000 lea edx,dword ptr ss:[esp+84]
00407B61 .  52                push edx
00407B62 .  8D4C24 34       lea ecx,dword ptr ss:[esp+34]
00407B66 .  E8 350D0000       call dumped_.004088A0
00407B6B .  8D4424 7C       lea eax,dword ptr ss:[esp+7C]
00407B6F .  50                push eax                         ; /Arg1
00407B70 .  8D4C24 2C       lea ecx,dword ptr ss:[esp+2C]    ; |
00407B74 .  E8 B70D0000       call dumped_.00408930          ; \dumped_.00408930
00407B79 .  8BBC24 88000000 mov edi,dword ptr ss:[esp+88]
00407B80 .  6A 58             push 58
00407B82 .  8D8C24 80000000 lea ecx,dword ptr ss:[esp+80]
00407B89 .  6A 00             push 0
00407B8B .  51                push ecx
00407B8C .  E8 EFFD0100       call dumped_.00427980
00407B91 .  317C24 20       xor dword ptr ss:[esp+20],edi
00407B95 .  83C4 0C          add esp,0C
00407B98 .  8BCE             mov ecx,esi
00407B9A .  E8 91D3FFFF       call dumped_.00404F30
00407B9F .  33C7             xor eax,edi
00407BA1 .  3BE8             cmp ebp,eax
00407BA3 .  C74424 14 00000000 mov dword ptr ss:[esp+14],0
00407BAB .  75 0C             jnz short dumped_.00407BB9
00407BAD .  C786 D82A0000 0100>mov dword ptr ds:[esi+2AD8],1
00407BB7 .  EB 0A             jmp short dumped_.00407BC3
00407BB9 >  C786 D82A0000 0000>mov dword ptr ds:[esi+2AD8],0
00407BC3 >  8D4C24 28       lea ecx,dword ptr ss:[esp+28]
00407BC7 .  C78424 A8030000 FF>mov dword ptr ss:[esp+3A8],-1
00407BD2 .  E8 99050000       call dumped_.00408170

其中
00407BAB .  75 0C             jnz short dumped_.00407BB9
00407BAD .  C786 D82A0000 0100>mov dword ptr ds:[esi+2AD8],1
00407BB7 .  EB 0A             jmp short dumped_.00407BC3
00407BB9 >  C786 D82A0000 0000>mov dword ptr ds:[esi+2AD8],0
00407BC3 >  8D4C24 28       lea ecx,dword ptr ss:[esp+28]
这段非常可疑，可以看到这段的目的给[ESI+2AD8]0或者1，将00407BAB NOP掉，进入即为注册版了

nszy007 · 发表于 2008-2-27 10:12:33

晕，后面还有个效验
修改后的文件下bp ExitWindowsEx断点
断下后返回到
00407825 .  50          push eax
00407826 >  C78424 500100>mov    dword ptr [esp+150], 2          ; |
00407831 .  899C24 440100>mov    dword ptr [esp+144], ebx       ; |
00407838 .  FF15 14E04300 call dword ptr [<&ADVAPI32.AdjustToke>; \AdjustTokenPrivileges
0040783E .  6A 00       push 0                               ; /Reserved = 0
00407840 .  53          push ebx                            ; |Options
00407841 .  FF15 40E54300 call dword ptr [<&user32.ExitWindowsE>; \ExitWindowsEx
00407847 .  F7D8       neg    eax
00407849 .  1BC0       sbb    eax, eax
0040784B .  F7D8       neg    eax
0040784D .  E9 1F070000 jmp    00407F71
00407852 >  6A FF       push -1                            ; /hObject = FFFFFFFF
00407854 .  FF15 20E34300 call dword ptr [<&kernel32.CloseHandl>; \CloseHandle
0040785A .  FF15 0CE34300 call dword ptr [<&kernel32.IsDebugger>; [IsDebuggerPresent
00407860 .  85C0       test eax, eax
00407862    /74 40       je    short 004078A4
00407864 .  8D4C24 14    lea    ecx, dword ptr [esp+14]
00407868 .  51          push ecx                            ; /phToken
00407869 .  6A 28       push 28                            ; |DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
0040786B .  FF15 1CE34300 call dword ptr [<&kernel32.GetCurrent>; |[GetCurrentProcess
00407871 .  50          push eax                            ; |hProcess
00407872 .  FF15 28E04300 call dword ptr [<&ADVAPI32.OpenProces>; \OpenProcessToken
00407878 .  8D9424 300100>lea    edx, dword ptr [esp+130]
0040787F .  52          push edx                            ; /pLocalId
00407880 .  68 A8ED4300 push 0043EDA8                      ; |Privilege = "SeShutdownPrivilege"
00407885 .  6A 00       push 0                               ; |SystemName = NULL
00407887 .  FF15 2CE04300 call dword ptr [<&ADVAPI32.LookupPriv>; \LookupPrivilegeValueA
0040788D .  8B4C24 14    mov    ecx, dword ptr [esp+14]
00407891 .  6A 00       push 0
00407893 .  6A 00       push 0
00407895 .  6A 00       push 0
00407897 .  8D8424 380100>lea    eax, dword ptr [esp+138]
0040789E .  50          push eax
0040789F .  6A 00       push 0
004078A1 .  51          push ecx
004078A2 .^ EB 82       jmp    short 00407826
004078A4 >  A0 18F44300 mov    al, byte ptr [43F418]

其中00407862改jnz为jmp

F9，断下后返回到
00401D97 .  52                push edx
00401D98 .  E8 535B0200       call cracked.004278F0
00401D9D .  83C4 08          add esp,8
00401DA0 .  85C0             test eax,eax
00401DA2    74 06             je short cracked.00401DAA
00401DA4 .  6A 00             push 0
00401DA6 .  6A 02             push 2
00401DA8 .  FFD6             call esi
00401DAA >  8D4424 20       lea eax,dword ptr ss:[esp+20]

其中00401da2中的je 该jmp,完成。

[ 本帖最后由 nszy007 于 2008-2-27 10:37 编辑 ]

wjk7222 · 发表于 2008-2-27 18:56:04

感谢各位高手大哥，您们是真是太好了！！！:loveliness:

wjk7222 · 发表于 2008-2-27 19:41:52

/:L 第一次发现这么猛的软件保护，谁用破解版关闭谁的电脑/:L
我试了破解版皇族软件-QQ四国军棋2人刷分外挂V1.9.9.1，发现这个软件保护超猛，破解版下棋用到八局左右，/:L 会关闭计算机/:L ，是不是里面还有暗桩没有破呀！？我调试了很久也发现不了，各位高手大哥请指教！！谢谢！！！！！！

xuewuzhijing · 发表于 2008-3-12 09:51:57

也怨,芽薷转远鼗!!!

lfj · 发表于 2008-3-13 17:47:57

007耍梅龆?频

		自动登录	找回密码
密码			加入我们

[求助] 我破这个软件一个星期，也没破解，请高手指教！！

本帖子中包含更多资源

第一次发现这么猛的软件保护，谁用破解版关闭谁的电脑