高人来指点一下!!!!!

langlirong · 发表于 2008-3-11 12:27:18

原帖由 puti67 于 2008-3-10 19:33 发表
追码成功，是明码比较的！关键处是在使用题库的时候才会出现。

能不能明示
谢谢！

puti67 · 发表于 2008-3-11 16:02:17

00526C9C $  55          push ebp          //这里下断，慢慢跟
00526C9D .  8BEC       mov    ebp, esp
00526C9F .  51          push ecx
00526CA0 .  B9 0F000000 mov    ecx, 0F
00526CA5 >  6A 00       push 0
00526CA7 .  6A 00       push 0
00526CA9 .  49          dec    ecx
00526CAA .^ 75 F9       jnz    short 00526CA5
00526CAC .  51          push ecx
00526CAD .  874D FC    xchg dword ptr [ebp-4], ecx
00526CB0 .  53          push ebx
00526CB1 .  56          push esi
00526CB2 .  57          push edi
00526CB3 .  894D F4    mov    dword ptr [ebp-C], ecx
00526CB6 .  8955 F8    mov    dword ptr [ebp-8], edx
00526CB9 .  8945 FC    mov    dword ptr [ebp-4], eax
00526CBC .  33C0       xor    eax, eax
00526CBE .  55          push ebp
00526CBF .  68 EE705200 push 005270EE
00526CC4 .  64:FF30    push dword ptr fs:[eax]
00526CC7 .  64:8920    mov    dword ptr fs:[eax], esp
00526CCA .  33C0       xor    eax, eax
00526CCC .  55          push ebp
00526CCD .  68 CC705200 push 005270CC
00526CD2 .  64:FF30    push dword ptr fs:[eax]
00526CD5 .  64:8920    mov    dword ptr fs:[eax], esp
00526CD8 .  33C0       xor    eax, eax
00526CDA .  8945 F0    mov    dword ptr [ebp-10], eax
00526CDD .  33C0       xor    eax, eax
00526CDF .  55          push ebp
00526CE0 .  68 846D5200 push 00526D84
00526CE5 .  64:FF30    push dword ptr fs:[eax]
00526CE8 .  64:8920    mov    dword ptr fs:[eax], esp
00526CEB .  FF75 F8    push dword ptr [ebp-8]
00526CEE .  8D4D E0    lea    ecx, dword ptr [ebp-20]
00526CF1 .  8B15 38E25900 mov    edx, dword ptr [59E238]       ;  dumped_1.0059D8E8
00526CF7 .  66:8B12    mov    dx, word ptr [edx]
00526CFA .  A1 24E15900 mov    eax, dword ptr [59E124]
00526CFF .  8B00       mov    eax, dword ptr [eax]
00526D01 .  E8 768AFEFF call 0050F77C
00526D06 .  FF75 E0    push dword ptr [ebp-20]
00526D09 .  8D45 DC    lea    eax, dword ptr [ebp-24]
00526D0C .  E8 CBC5FEFF call 005132DC
00526D11 .  FF75 DC    push dword ptr [ebp-24]
00526D14 .  8D45 E8    lea    eax, dword ptr [ebp-18]
00526D17 .  BA 03000000 mov    edx, 3
00526D1C .  E8 77E7EDFF call 00405498
00526D21 .  6A 00       push 0
00526D23 .  8D45 D8    lea    eax, dword ptr [ebp-28]
00526D26 .  50          push eax
00526D27 .  8D4D D4    lea    ecx, dword ptr [ebp-2C]
00526D2A .  8B15 38E25900 mov    edx, dword ptr [59E238]       ;  dumped_1.0059D8E8
00526D30 .  66:8B12    mov    dx, word ptr [edx]
00526D33 .  A1 24E15900 mov    eax, dword ptr [59E124]
00526D38 .  8B00       mov    eax, dword ptr [eax]
00526D3A .  E8 3D8AFEFF call 0050F77C
00526D3F .  8D45 D4    lea    eax, dword ptr [ebp-2C]
00526D42 .  50          push eax
00526D43 .  8D45 D0    lea    eax, dword ptr [ebp-30]
00526D46 .  E8 39DDFEFF call 00514A84
00526D4B .  8B55 D0    mov    edx, dword ptr [ebp-30]
00526D4E .  58          pop    eax
00526D4F .  E8 8CE6EDFF call 004053E0
00526D54 .  8B55 D4    mov    edx, dword ptr [ebp-2C]
00526D57 .  33C9       xor    ecx, ecx
00526D59 .  8B45 E8    mov    eax, dword ptr [ebp-18]
00526D5C .  E8 9776FEFF call 0050E3F8
00526D61 .  8B55 D8    mov    edx, dword ptr [ebp-28]
00526D64 .  8D45 E8    lea    eax, dword ptr [ebp-18]
00526D67 .  E8 28E4EDFF call 00405194
00526D6C .  8B55 E8    mov    edx, dword ptr [ebp-18]
00526D6F .  8B45 FC    mov    eax, dword ptr [ebp-4]
00526D72 .  8B08       mov    ecx, dword ptr [eax]
00526D74 .  FF51 04    call dword ptr [ecx+4]
00526D77 .  8945 F0    mov    dword ptr [ebp-10], eax
00526D7A .  33C0       xor    eax, eax
00526D7C .  5A          pop    edx
00526D7D .  59          pop    ecx
00526D7E .  59          pop    ecx
00526D7F .  64:8910    mov    dword ptr fs:[eax], edx
00526D82 .  EB 7D       jmp    short 00526E01
00526D84 .^ E9 33D9EDFF jmp    004046BC
00526D89 .  8D55 E4    lea    edx, dword ptr [ebp-1C]
00526D8C .  8B45 F8    mov    eax, dword ptr [ebp-8]
00526D8F .  E8 00A1FFFF call 00520E94
00526D94 .  837D E4 00 cmp    dword ptr [ebp-1C], 0
00526D98 .  75 28       jnz    short 00526DC2
00526D9A .  8D4D CC    lea    ecx, dword ptr [ebp-34]
00526D9D .  8B15 38E25900 mov    edx, dword ptr [59E238]       ;  dumped_1.0059D8E8
00526DA3 .  66:8B12    mov    dx, word ptr [edx]
00526DA6 .  A1 24E15900 mov    eax, dword ptr [59E124]
00526DAB .  8B00       mov    eax, dword ptr [eax]
00526DAD .  E8 CA89FEFF call 0050F77C
00526DB2 .  8B4D CC    mov    ecx, dword ptr [ebp-34]
00526DB5 .  8D45 E8    lea    eax, dword ptr [ebp-18]
00526DB8 .  8B55 F8    mov    edx, dword ptr [ebp-8]
00526DBB .  E8 64E6EDFF call 00405424
00526DC0 .  EB 2C       jmp    short 00526DEE
00526DC2 >  6A 00       push 0
00526DC4 .  8D45 E8    lea    eax, dword ptr [ebp-18]
00526DC7 .  50          push eax
00526DC8 .  8D4D C8    lea    ecx, dword ptr [ebp-38]
00526DCB .  8B15 38E25900 mov    edx, dword ptr [59E238]       ;  dumped_1.0059D8E8
00526DD1 .  66:8B12    mov    dx, word ptr [edx]
00526DD4 .  A1 24E15900 mov    eax, dword ptr [59E124]
00526DD9 .  8B00       mov    eax, dword ptr [eax]
00526DDB .  E8 9C89FEFF call 0050F77C
00526DE0 .  8B4D C8    mov    ecx, dword ptr [ebp-38]
00526DE3 .  8B55 E4    mov    edx, dword ptr [ebp-1C]
00526DE6 .  8B45 F8    mov    eax, dword ptr [ebp-8]
00526DE9 .  E8 0A76FEFF call 0050E3F8
00526DEE >  8B55 E8    mov    edx, dword ptr [ebp-18]
00526DF1 .  8B45 FC    mov    eax, dword ptr [ebp-4]
00526DF4 .  8B08       mov    ecx, dword ptr [eax]
00526DF6 .  FF51 04    call dword ptr [ecx+4]
00526DF9 .  8945 F0    mov    dword ptr [ebp-10], eax
00526DFC .  E8 E7DCEDFF call 00404AE8
00526E01 >  8B45 F0    mov    eax, dword ptr [ebp-10]
00526E04 .  8B10       mov    edx, dword ptr [eax]
00526E06 .  FF92 4C010000 call dword ptr [edx+14C]
00526E0C .  8945 EC    mov    dword ptr [ebp-14], eax
00526E0F .  837D EC 00 cmp    dword ptr [ebp-14], 0
00526E13    0F8E 97020000 jle    005270B0
00526E19 .  8B45 EC    mov    eax, dword ptr [ebp-14]
00526E1C .  50          push eax
00526E1D .  8B45 F4    mov    eax, dword ptr [ebp-C]
00526E20 .  B9 01000000 mov    ecx, 1
00526E25 .  8B15 D4D25000 mov    edx, dword ptr [50D2D4]       ;  dumped_1.0050D2D8
00526E2B .  E8 ECF8EDFF call 0040671C
00526E30 .  83C4 04    add    esp, 4
00526E33 .  8B45 F0    mov    eax, dword ptr [ebp-10]
00526E36 .  E8 5125FDFF call 004F938C
00526E3B .  8B7D EC    mov    edi, dword ptr [ebp-14]
00526E3E .  4F          dec    edi
00526E3F .  85FF       test edi, edi
00526E41    0F8C 69020000 jl    005270B0
00526E47 .  47          inc    edi
00526E48 .  33DB       xor    ebx, ebx
00526E4A >  BA 04715200 mov    edx, 00527104                   ;  alltestid
00526E4F .  8B45 F0    mov    eax, dword ptr [ebp-10]
00526E52 .  E8 B910FDFF call 004F7F10
00526E57 .  8B10       mov    edx, dword ptr [eax]
00526E59 .  FF52 58    call dword ptr [edx+58]
00526E5C .  8BF3       mov    esi, ebx
00526E5E .  C1E6 03    shl    esi, 3
00526E61 .  2BF3       sub    esi, ebx
00526E63 .  8B55 F4    mov    edx, dword ptr [ebp-C]
00526E66 .  8B12       mov    edx, dword ptr [edx]
00526E68 .  8904F2       mov    dword ptr [edx+esi*8], eax
00526E6B .  BA 18715200 mov    edx, 00527118                   ;  alltest_eplid
00526E70 .  8B45 F0    mov    eax, dword ptr [ebp-10]
00526E73 .  E8 9810FDFF call 004F7F10
00526E78 .  8B10       mov    edx, dword ptr [eax]
00526E7A .  FF52 58    call dword ptr [edx+58]
00526E7D .  8B55 F4    mov    edx, dword ptr [ebp-C]
00526E80 .  8B12       mov    edx, dword ptr [edx]
00526E82 .  8944F2 04    mov    dword ptr [edx+esi*8+4], eax
00526E86 .  BA 30715200 mov    edx, 00527130                   ;  alltest_imgid
00526E8B .  8B45 F0    mov    eax, dword ptr [ebp-10]
00526E8E .  E8 7D10FDFF call 004F7F10
00526E93 .  8B10       mov    edx, dword ptr [eax]
00526E95 .  FF52 58    call dword ptr [edx+58]
00526E98 .  8B55 F4    mov    edx, dword ptr [ebp-C]
00526E9B .  8B12       mov    edx, dword ptr [edx]
00526E9D .  8944F2 08    mov    dword ptr [edx+esi*8+8], eax
00526EA1 .  BA 48715200 mov    edx, 00527148                   ;  atestid
00526EA6 .  8B45 F0    mov    eax, dword ptr [ebp-10]
00526EA9 .  E8 6210FDFF call 004F7F10
00526EAE .  8B10       mov    edx, dword ptr [eax]
00526EB0 .  FF52 58    call dword ptr [edx+58]
00526EB3 .  8B55 F4    mov    edx, dword ptr [ebp-C]
00526EB6 .  8B12       mov    edx, dword ptr [edx]
00526EB8 .  8944F2 0C    mov    dword ptr [edx+esi*8+C], eax
00526EBC .  BA 58715200 mov    edx, 00527158                   ;  maintitle
00526EC1 .  8B45 F0    mov    eax, dword ptr [ebp-10]
00526EC4 .  E8 4710FDFF call 004F7F10
00526EC9 .  8D55 C0    lea    edx, dword ptr [ebp-40]
00526ECC .  8B08       mov    ecx, dword ptr [eax]
00526ECE .  FF51 60    call dword ptr [ecx+60]
00526ED1 .  8B45 C0    mov    eax, dword ptr [ebp-40]
00526ED4 .  8D55 C4    lea    edx, dword ptr [ebp-3C]
00526ED7 .  E8 5C4BEEFF call 0040BA38
00526EDC .  8B55 C4    mov    edx, dword ptr [ebp-3C]
00526EDF .  8B45 F4    mov    eax, dword ptr [ebp-C]
00526EE2 .  8B00       mov    eax, dword ptr [eax]
00526EE4 .  8D44F0 10    lea    eax, dword ptr [eax+esi*8+10]
00526EE8 .  E8 63E2EDFF call 00405150
00526EED .  BA 6C715200 mov    edx, 0052716C                   ;  a
00526EF2 .  8B45 F0    mov    eax, dword ptr [ebp-10]
00526EF5 .  E8 1610FDFF call 004F7F10
00526EFA .  8D55 B8    lea    edx, dword ptr [ebp-48]
00526EFD .  8B08       mov    ecx, dword ptr [eax]
00526EFF .  FF51 60    call dword ptr [ecx+60]
00526F02 .  8B45 B8    mov    eax, dword ptr [ebp-48]
00526F05 .  8D55 BC    lea    edx, dword ptr [ebp-44]
00526F08 .  E8 2B4BEEFF call 0040BA38
00526F0D .  8B55 BC    mov    edx, dword ptr [ebp-44]
00526F10 .  8B45 F4    mov    eax, dword ptr [ebp-C]
00526F13 .  8B00       mov    eax, dword ptr [eax]
00526F15 .  8D44F0 14    lea    eax, dword ptr [eax+esi*8+14]

[ 本帖最后由 puti67 于 2008-3-11 16:06 编辑 ]

langlirong · 发表于 2008-3-11 17:50:53

原帖由 puti67 于 2008-3-11 16:02 发表
00526C9C $  55          push ebp          //这里下断，慢慢跟
00526C9D .  8BEC       mov    ebp, esp
00526C9F .  51          push ecx
00526CA0 .  B9 0F000000 mov    ecx, 0F ...

果然如此！
谢谢！

sswater · 发表于 2008-3-12 09:06:59

原帖由 puti67 于 2008-3-11 16:02 发表
00526C9C $  55          push ebp          //这里下断，慢慢跟
00526C9D .  8BEC       mov    ebp, esp
00526C9F .  51          push ecx
00526CA0 .  B9 0F000000 mov    ecx, 0F ...

puti67 应该把过程描述一下，怎么找到这的，呵呵，授人以鱼，不如授之以渔。

puti67 · 发表于 2008-3-12 14:02:27

破解重在过程而不在于结果，有时候是很需要灵感的！呵呵

[ 本帖最后由 puti67 于 2008-3-12 14:03 编辑 ]

langlirong · 发表于 2008-3-12 16:24:37

原帖由 puti67 于 2008-3-12 14:02 发表
破解重在过程而不在于结果，有时候是很需要灵感的！呵呵

非常正确！

ws027302 · 发表于 2008-3-15 22:04:28

楼上老大能不能指点下修改方法啊,小弟研究了很长时间,结果找到了它的注册码,可就是找不到修改的方法,没办法,谁让咱是菜鸟.
根据老大的提示,应该是在这一段吧
005AE931    8B7D E4    MOV EDI,DWORD PTR SS:[EBP-1C] 到这里未注册的EDI的值变为1,注册过的由1变为64
005AE934    4F          DEC EDI
005AE935    85FF       TEST EDI,EDI
005AE937    0F8C 88020000 JL 1.005AEBC5
005AE93D .  47          INC EDI
005AE93E .  33DB       XOR EBX,EBX
005AE940 >  BA 28EC5A00 MOV EDX,1.005AEC28                      ;  AllTestID
005AE945 .  8B45 E8    MOV EAX,DWORD PTR SS:[EBP-18]
005AE948 .  E8 DB6BF4FF CALL 1.004F5528
005AE94D .  8B10       MOV EDX,DWORD PTR DS:[EAX]
005AE94F .  FF52 58    CALL DWORD PTR DS:[EDX+58]
005AE952 .  6BF3 4D    IMUL ESI,EBX,4D
005AE955 .  8B55 EC    MOV EDX,DWORD PTR SS:[EBP-14]
005AE958 .  8B12       MOV EDX,DWORD PTR DS:[EDX]
005AE95A .  8904B2       MOV DWORD PTR DS:[EDX+ESI*4],EAX
005AE95D .  BA 40EC5A00 MOV EDX,1.005AEC40                      ;  AllTest_EplID
...............................................................
...............................................................
005AEB89 .  E8 5ABDE5FF CALL 1.0040A8E8
005AEB8E .  8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C]
005AEB94 .  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
005AEB97 .  8B00       MOV EAX,DWORD PTR DS:[EAX]
005AEB99 .  8D84B0 300100>LEA EAX,DWORD PTR DS:[EAX+ESI*4+130]
005AEBA0 .  E8 B36BE5FF CALL 1.00405758
005AEBA5 .  8B55 E4    MOV EDX,DWORD PTR SS:[EBP-1C]
005AEBA8 .  4A          DEC EDX
005AEBA9 .  B9 1CED5A00 MOV ECX,1.005AED1C                      ;  正在生成单选题...
005AEBAE .  8BC3       MOV EAX,EBX
005AEBB0 .  E8 8F05FFFF CALL 1.0059F144
005AEBB5 .  8B45 E8    MOV EAX,DWORD PTR SS:[EBP-18]
005AEBB8 .  E8 BF80F4FF CALL 1.004F6C7C
005AEBBD .  43          INC EBX
005AEBBE .  4F          DEC EDI
005AEBBF .^ 0F85 7BFDFFFF JNZ 1.005AE940                            这里注册的循环
希望老大能指教,谢过了!!!!!!

nszy007 · 发表于 2008-3-16 17:31:29

找到注册码直接注册了，还修改什么？

ws027302 · 发表于 2008-3-16 20:36:19

多学习一点破解方法总是好的

ws027302 · 发表于 2008-4-13 11:48:03

实践证明偶也能找找爆破方法,只不过是时间问题........

		自动登录	找回密码
密码			加入我们

[讨论] 高人来指点一下!!!!!