好像暗桩很多,特别是在样片结构设计里~早期一个版本里风球帮忙破解的文件也是不能保存文件
最近小飘帮看的这个程序也是保存出错了~
有空的同学帮看看学习下哟,这样的程序我们学习课程里也没讲到过,看到就知道啦!我发上一些破解内容,先发小飘的吧
思路:一个一个解除;
方法:万能断点。
首先:
1、工艺设计系统和款式设计系统:(pattern.dll)他们都在同一个地方验证。搞定一个就解决了。
OD 载入 F9运行,输入注册码。下万能断点。
断在:
77D3352D F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
77D3352F 8BC8 mov ecx,eax
77D33531 83E1 03 and ecx,3
77D33534 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
77D33536 E8 E3FBFFFF call USER32.77D3311E
77D3353B 5F pop edi
77D3353C 5E pop esi
77D3353D 8BC3 mov eax,ebx
77D3353F 5B pop ebx
77D33540 5D pop ebp
77D33541 C2 1000 retn 10
取消断点,F8多次返回到
10001469 |. 8945 88 mov dword ptr ss:[ebp-78],eax
1000146C |. 837D 88 01 cmp dword ptr ss:[ebp-78],1
段首下断:
; pattern.100013C4 -- licence gate of pattern.dll as captured in OllyDbg
; (32-bit x86, Intel syntax; columns are address, analysis marks, raw bytes, instruction).
;
; Flow visible in this listing:
;   1. An SEH record is linked in and 0x9C bytes of locals are reserved.
;   2. Stored-licence check: call 10008FFE, result kept in [ebp-A0] and compared with 0.
;   3. If that result is 0, the registration dialog path (10001453 onwards) runs and the
;      entered value goes through the same 10008FFE callee a second time.
;   4. Return value: eax = 1 via [ebp-88] or [ebp-90], eax = 0 via [ebp-94].
;
; Review note (defensive reading): the whole verdict is one 0/1 result from one callee,
; consumed by a single conditional branch, and the function reports only eax = 0/1 to its
; caller. A gate of this shape has no redundancy; a vendor hardening it would avoid
; concentrating the decision in one branch and would tie licensed state to data the
; features themselves need.
100013C4 >/$ 55 push ebp
100013C5 |. 8BEC mov ebp,esp
100013C7 |. 6A FF push -1 ; initial value of the [ebp-4] slot (looks like a C++ EH state index -- confirm)
100013C9 |. 68 133C0110 push pattern.10013C13 ; SE handler installation
100013CE |. 64:A1 0000000>mov eax,dword ptr fs:[0] ; eax = current head of the SEH chain
100013D4 |. 50 push eax
100013D5 |. 64:8925 00000>mov dword ptr fs:[0],esp ; link this frame's record into the chain
100013DC |. 81EC 9C000000 sub esp,9C ; reserve 0x9C bytes of locals
100013E2 |. 898D 68FFFFFF mov dword ptr ss:[ebp-98],ecx ; save incoming ecx (presumably a thiscall `this` -- confirm)
100013E8 |. 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
100013EB |. E8 D0010000 call pattern.100015C0 ; sets up the local at [ebp-7C]; callee not shown
100013F0 |. C745 FC 00000>mov dword ptr ss:[ebp-4],0
100013F7 |. 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
100013FA |. E8 897B0000 call pattern.10008F88 ; sets up the local at [ebp-80]; callee not shown
100013FF |. 51 push ecx ; reserve one stack slot ...
10001400 |. 8BCC mov ecx,esp ; ... and pass its address in ecx
10001402 |. 89A5 7CFFFFFF mov dword ptr ss:[ebp-84],esp
10001408 |. 68 88B50110 push pattern.1001B588 ; constant at 1001B588 (contents not shown in the listing)
1000140D |. E8 4EF30000 call pattern.10010760 ; fills the reserved slot from that constant -- looks like a by-value argument being built; confirm
10001412 |. 8985 64FFFFFF mov dword ptr ss:[ebp-9C],eax ; |
10001418 |. 8D4D 80 lea ecx,dword ptr ss:[ebp-80] ; |
1000141B |. E8 DE7B0000 call pattern.10008FFE ; \pattern.10008FFE
10001420 |. 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax ; keep the check result
10001426 |. 83BD 60FFFFFF>cmp dword ptr ss:[ebp-A0],0
1000142D |. 74 24 je short pattern.10001453 ; start-up licence check: taken when the result is 0 (not registered); the author notes that NOP-ing this jump bypasses it
1000142F |. C785 78FFFFFF>mov dword ptr ss:[ebp-88],1 ; return value 1: already licensed
10001439 |. C745 FC FFFFF>mov dword ptr ss:[ebp-4],-1
10001440 |. 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
10001443 |. E8 EEF20000 call pattern.10010736 ; releases the local at [ebp-7C] (presumably its destructor -- confirm)
10001448 |. 8B85 78FFFFFF mov eax,dword ptr ss:[ebp-88]
1000144E |. E9 C3000000 jmp pattern.10001516 ; to the common epilogue
10001453 |> 6A 00 push 0 ; /Arg1 = 00000000
10001455 |. 8D4D 8C lea ecx,dword ptr ss:[ebp-74] ; |
10001458 |. E8 C3FCFFFF call pattern.10001120 ; \pattern.10001120
1000145D |. C645 FC 01 mov byte ptr ss:[ebp-4],1
10001461 |. 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
10001464 |. E8 A9C00000 call pattern.1000D512 ; shows the registration dialog
10001469 |. 8945 88 mov dword ptr ss:[ebp-78],eax ; dialog result
1000146C |. 837D 88 01 cmp dword ptr ss:[ebp-78],1
10001470 |. 75 79 jnz short pattern.100014EB ; any result other than 1 goes to the failure path
10001472 |. 8D4D EC lea ecx,dword ptr ss:[ebp-14]
10001475 |. E8 66010000 call pattern.100015E0
1000147A |. 50 push eax ; the entered (fake) serial
1000147B |. E8 D00F0000 call pattern.10002450
10001480 |. 83C4 04 add esp,4 ; the entered (fake) serial; caller cleans up one argument (cdecl-style call)
10001483 |. 85C0 test eax,eax
10001485 |. 74 64 je short pattern.100014EB ; zero result from 10002450 goes to the failure path
10001487 |. 8D4D EC lea ecx,dword ptr ss:[ebp-14]
1000148A |. E8 5AAA0000 call pattern.1000BEE9
1000148F |. 51 push ecx ; reserve one stack slot ...
10001490 |. 8BCC mov ecx,esp ; ... and pass its address in ecx
10001492 |. 89A5 74FFFFFF mov dword ptr ss:[ebp-8C],esp
10001498 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
1000149B |. 50 push eax
1000149C |. E8 28F00000 call pattern.100104C9 ; fills the reserved slot from the local at [ebp-14]
100014A1 |. 8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax ; |
100014A7 |. 8D4D 80 lea ecx,dword ptr ss:[ebp-80] ; |
100014AA |. E8 4F7B0000 call pattern.10008FFE ; \pattern.10008FFE
100014AF |. 8985 58FFFFFF mov dword ptr ss:[ebp-A8],eax ; result of the same check callee, now on the entered value
100014B5 |. 83BD 58FFFFFF>cmp dword ptr ss:[ebp-A8],0
100014BC |. 74 2D je short pattern.100014EB ; if this jump is not taken, the design module can be entered
100014BE |. C785 70FFFFFF>mov dword ptr ss:[ebp-90],1 ; return value 1: dialog input accepted
100014C8 |. C645 FC 00 mov byte ptr ss:[ebp-4],0
100014CC |. 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
100014CF |. E8 8C000000 call pattern.10001560
100014D4 |. C745 FC FFFFF>mov dword ptr ss:[ebp-4],-1
100014DB |. 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
100014DE |. E8 53F20000 call pattern.10010736
100014E3 |. 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-90]
100014E9 |. EB 2B jmp short pattern.10001516
100014EB |> C785 6CFFFFFF>mov dword ptr ss:[ebp-94],0 ; failure path: return value 0
100014F5 |. C645 FC 00 mov byte ptr ss:[ebp-4],0
100014F9 |. 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
100014FC |. E8 5F000000 call pattern.10001560
10001501 |. C745 FC FFFFF>mov dword ptr ss:[ebp-4],-1
10001508 |. 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
1000150B |. E8 26F20000 call pattern.10010736
10001510 |. 8B85 6CFFFFFF mov eax,dword ptr ss:[ebp-94]
10001516 |> 8B4D F4 mov ecx,dword ptr ss:[ebp-C] ; common epilogue: ecx = SEH head saved in the prologue
10001519 |. 64:890D 00000>mov dword ptr fs:[0],ecx ; unlink this frame's SEH record
10001520 |. 8BE5 mov esp,ebp
10001522 |. 5D pop ebp
10001523 \. C3 retn
2、排料系统:
方法和上一个一样:万能断点.
断在:
77D3352D F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
77D3352F 8BC8 mov ecx,eax
77D33531 83E1 03 and ecx,3
77D33534 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
77D33536 E8 E3FBFFFF call USER32.77D3311E
77D3353B 5F pop edi
77D3353C 5E pop esi
77D3353D 8BC3 mov eax,ebx
77D3353F 5B pop ebx
77D33540 5D pop ebp
77D33541 C2 1000 retn 10
取消断点,F8多次
返回到这里:
; 排料系统.00425080 -- licence gate of the marker/nesting executable as captured in OllyDbg
; (32-bit x86, Intel syntax, esp-relative frame without ebp).
;
; Flow visible in this listing:
;   1. SEH record linked in, 0x70 bytes of locals reserved, edi saved.
;   2. Stored-licence check: call 00514BEE, eax tested for zero at 004250CD.
;   3. If zero, the registration dialog runs; the entered string must be non-empty and
;      is then passed through the same 00514BEE callee.
;   4. Three exits: eax = 1 at 004250E2 and 0042518B, eax = 0 at 004251DF.
;
; Review note (defensive reading): as in the other modules on this page, the verdict is
; a single 0/1 value tested by one branch, and both the start-up check and the dialog
; check depend on the same callee.
00425080 /$ 6A FF push -1 ; initial value of the slot later addressed as [esp+7C] (looks like a C++ EH state index -- confirm)
00425082 |. 68 F04C5400 push 排料系统.00544CF0 ; SE handler installation
00425087 |. 64:A1 0000000>mov eax,dword ptr fs:[0] ; eax = current head of the SEH chain
0042508D |. 50 push eax
0042508E |. 64:8925 00000>mov dword ptr fs:[0],esp ; link this frame's record into the chain
00425095 |. 83EC 70 sub esp,70 ; reserve 0x70 bytes of locals
00425098 |. A1 A8565800 mov eax,dword ptr ds:[5856A8] ; load a global (meaning not shown in the listing)
0042509D |. 57 push edi ; edi is callee-saved and used below by repne scas
0042509E |. 894424 04 mov dword ptr ss:[esp+4],eax ; copy the global into the local at [esp+4]
004250A2 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
004250A6 |. C74424 7C 000>mov dword ptr ss:[esp+7C],0
004250AE |. E8 C5FA0E00 call 排料系统.00514B78 ; sets up the local at [esp+8]; callee not shown
004250B3 |. 51 push ecx ; reserve one stack slot ...
004250B4 |. 8BCC mov ecx,esp ; ... and pass its address in ecx
004250B6 |. 896424 10 mov dword ptr ss:[esp+10],esp
004250BA |. 68 48805800 push 排料系统.00588048 ; constant at 00588048 (contents not shown in the listing)
004250BF |. E8 A5DE0F00 call 排料系统.00522F69 ; fills the reserved slot from that constant -- looks like a by-value argument being built; confirm
004250C4 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ; |
004250C8 |. E8 21FB0E00 call 排料系统.00514BEE ; \排料系统.00514BEE
004250CD |. 85C0 test eax,eax
004250CF |. 74 26 je short 排料系统.004250F7 ; start-up licence check, the key jump: taken means failure; the author NOPs it
004250D1 |. 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
004250D5 |. C74424 7C FFF>mov dword ptr ss:[esp+7C],-1
004250DD |. E8 19DE0F00 call 排料系统.00522EFB ; releases the local at [esp+4] (presumably its destructor -- confirm)
004250E2 |. B8 01000000 mov eax,1 ; note eax = 1 here (already-licensed return)
004250E7 |. 8B4C24 74 mov ecx,dword ptr ss:[esp+74] ; ecx = SEH head saved in the prologue
004250EB |. 64:890D 00000>mov dword ptr fs:[0],ecx ; unlink this frame's SEH record
004250F2 |. 5F pop edi
004250F3 |. 83C4 7C add esp,7C ; drop the 0x70 locals plus the 0xC-byte SEH record
004250F6 |. C3 retn
004250F7 |> 6A 00 push 0
004250F9 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004250FD |. E8 FEFDFFFF call 排料系统.00424F00
00425102 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00425106 |. C64424 7C 01 mov byte ptr ss:[esp+7C],1
0042510B |. E8 7C9A0F00 call 排料系统.0051EB8C ; shows the registration dialog
00425110 |. 83F8 01 cmp eax,1
00425113 |. 0F85 87000000 jnz 排料系统.004251A0 ; any dialog result other than 1 goes to the failure path
00425119 |. 8B7C24 70 mov edi,dword ptr ss:[esp+70] ; edi = pointer held in the local at [esp+70]
0042511D |. 83C9 FF or ecx,FFFFFFFF ; ecx = -1: unbounded scan count
00425120 |. 33C0 xor eax,eax ; al = 0: scan for the terminating NUL
00425122 |. F2:AE repne scas byte ptr es:[edi]
00425124 |. F7D1 not ecx
00425126 |. 49 dec ecx ; ecx = length of the string (inline strlen idiom)
00425127 |. 74 77 je short 排料系统.004251A0 ; empty string goes to the failure path
00425129 |. 8D4C24 70 lea ecx,dword ptr ss:[esp+70]
0042512D |. E8 4F640F00 call 排料系统.0051B581
00425132 |. 51 push ecx ; reserve one stack slot ...
00425133 |. 8D5424 74 lea edx,dword ptr ss:[esp+74]
00425137 |. 8BCC mov ecx,esp ; ... and pass its address in ecx
00425139 |. 896424 10 mov dword ptr ss:[esp+10],esp
0042513D |. 52 push edx
0042513E |. E8 2DDB0F00 call 排料系统.00522C70 ; fills the reserved slot from the local whose address is in edx
00425143 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ;
00425147 |. E8 A2FA0E00 call 排料系统.00514BEE ; \排料系统.00514BEE
0042514C |. 85C0 test eax,eax
0042514E |. 74 50 je short 排料系统.004251A0 ; if this jump is not taken, registration succeeds
00425150 |. 8D4C24 70 lea ecx,dword ptr ss:[esp+70]
00425154 |. C64424 7C 03 mov byte ptr ss:[esp+7C],3
00425159 |. E8 9DDD0F00 call 排料系统.00522EFB
0042515E |. 8D4C24 6C lea ecx,dword ptr ss:[esp+6C]
00425162 |. C64424 7C 02 mov byte ptr ss:[esp+7C],2
00425167 |. E8 8FDD0F00 call 排料系统.00522EFB
0042516C |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00425170 |. C64424 7C 00 mov byte ptr ss:[esp+7C],0
00425175 |. E8 04960F00 call 排料系统.0051E77E
0042517A |. 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
0042517E |. C74424 7C FFF>mov dword ptr ss:[esp+7C],-1
00425186 |. E8 70DD0F00 call 排料系统.00522EFB
0042518B |. B8 01000000 mov eax,1 ; note eax = 1 here too (dialog input accepted)
00425190 |. 8B4C24 74 mov ecx,dword ptr ss:[esp+74]
00425194 |. 64:890D 00000>mov dword ptr fs:[0],ecx ; unlink this frame's SEH record
0042519B |. 5F pop edi
0042519C |. 83C4 7C add esp,7C
0042519F |. C3 retn
004251A0 |> 8D4C24 70 lea ecx,dword ptr ss:[esp+70] ; failure path: same clean-up calls, then eax = 0
004251A4 |. C64424 7C 05 mov byte ptr ss:[esp+7C],5
004251A9 |. E8 4DDD0F00 call 排料系统.00522EFB
004251AE |. 8D4C24 6C lea ecx,dword ptr ss:[esp+6C]
004251B2 |. C64424 7C 04 mov byte ptr ss:[esp+7C],4
004251B7 |. E8 3FDD0F00 call 排料系统.00522EFB
004251BC |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004251C0 |. C64424 7C 00 mov byte ptr ss:[esp+7C],0
004251C5 |. E8 B4950F00 call 排料系统.0051E77E
004251CA |. 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
004251CE |. C74424 7C FFF>mov dword ptr ss:[esp+7C],-1
004251D6 |. E8 20DD0F00 call 排料系统.00522EFB
004251DB |. 8B4C24 74 mov ecx,dword ptr ss:[esp+74]
004251DF |. 33C0 xor eax,eax ; return value 0
004251E1 |. 64:890D 00000>mov dword ptr fs:[0],ecx ; unlink this frame's SEH record
004251E8 |. 5F pop edi
004251E9 |. 83C4 7C add esp,7C
004251EC \. C3 retn
3、数据解读(datatrans.dll):
它和工艺设计系统(pattern.dll)的验证在同一段。虽然是不同的DLL,但是在同一段,我不知道该如何解释。
万能断点:F8多次返回到:
10001469 8945 88 mov dword ptr ss:[ebp-78],eax
1000146C 837D 88 01 cmp dword ptr ss:[ebp-78],1
段首:
; datatran.100013C4 -- licence gate of datatrans.dll as captured in OllyDbg
; (32-bit x86, Intel syntax; this capture has no analysis marks).
;
; The addresses, bytes and call targets here appear to match the pattern.dll listing
; earlier on this page instruction for instruction. Presumably both DLLs link the same
; licence module and share the same image base -- not confirmed from the listing.
;
; Flow visible in this listing:
;   1. SEH record linked in, 0x9C bytes of locals reserved.
;   2. Stored-licence check: call 10008FFE, result in [ebp-A0] compared with 0.
;   3. If zero, the registration dialog runs and the entered value goes through the
;      same 10008FFE callee.
;   4. Return value: eax = 1 via [ebp-88] or [ebp-90], eax = 0 via [ebp-94].
;
; Review note (defensive reading): sharing one gate across modules means one weakness
; in the gate applies to every module that embeds it.
100013C4 > 55 push ebp
100013C5 8BEC mov ebp,esp
100013C7 6A FF push -1 ; initial value of the [ebp-4] slot (looks like a C++ EH state index -- confirm)
100013C9 68 133C0110 push datatran.10013C13 ; SEH handler address
100013CE 64:A1 00000000 mov eax,dword ptr fs:[0] ; eax = current head of the SEH chain
100013D4 50 push eax
100013D5 64:8925 0000000>mov dword ptr fs:[0],esp ; link this frame's record into the chain
100013DC 81EC 9C000000 sub esp,9C ; reserve 0x9C bytes of locals
100013E2 898D 68FFFFFF mov dword ptr ss:[ebp-98],ecx ; save incoming ecx (presumably a thiscall `this` -- confirm)
100013E8 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
100013EB E8 D0010000 call datatran.100015C0 ; sets up the local at [ebp-7C]; callee not shown
100013F0 C745 FC 0000000>mov dword ptr ss:[ebp-4],0
100013F7 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
100013FA E8 897B0000 call datatran.10008F88 ; sets up the local at [ebp-80]; callee not shown
100013FF 51 push ecx ; reserve one stack slot ...
10001400 8BCC mov ecx,esp ; ... and pass its address in ecx
10001402 89A5 7CFFFFFF mov dword ptr ss:[ebp-84],esp
10001408 68 88B50110 push datatran.1001B588 ; constant at 1001B588 (contents not shown in the listing)
1000140D E8 4EF30000 call datatran.10010760 ; fills the reserved slot from that constant -- looks like a by-value argument being built; confirm
10001412 8985 64FFFFFF mov dword ptr ss:[ebp-9C],eax
10001418 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
1000141B E8 DE7B0000 call datatran.10008FFE ; the check callee
10001420 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax ; keep the check result
10001426 83BD 60FFFFFF 0>cmp dword ptr ss:[ebp-A0],0
1000142D 74 24 je short datatran.10001453 ; start-up licence check; the author changes it to NOP
1000142F C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],1 ; return value 1: already licensed
10001439 C745 FC FFFFFFF>mov dword ptr ss:[ebp-4],-1
10001440 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
10001443 E8 EEF20000 call datatran.10010736 ; releases the local at [ebp-7C] (presumably its destructor -- confirm)
10001448 8B85 78FFFFFF mov eax,dword ptr ss:[ebp-88]
1000144E E9 C3000000 jmp datatran.10001516 ; to the common epilogue
10001453 6A 00 push 0
10001455 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
10001458 E8 C3FCFFFF call datatran.10001120
1000145D C645 FC 01 mov byte ptr ss:[ebp-4],1
10001461 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
10001464 E8 A9C00000 call datatran.1000D512 ; shows the registration dialog
10001469 8945 88 mov dword ptr ss:[ebp-78],eax ; dialog result
1000146C 837D 88 01 cmp dword ptr ss:[ebp-78],1
10001470 75 79 jnz short datatran.100014EB ; any result other than 1 goes to the failure path
10001472 8D4D EC lea ecx,dword ptr ss:[ebp-14]
10001475 E8 66010000 call datatran.100015E0
1000147A 50 push eax
1000147B E8 D00F0000 call datatran.10002450
10001480 83C4 04 add esp,4 ; caller cleans up one argument (cdecl-style call)
10001483 85C0 test eax,eax
10001485 74 64 je short datatran.100014EB ; zero result from 10002450 goes to the failure path
10001487 8D4D EC lea ecx,dword ptr ss:[ebp-14] ; the entered (fake) serial
1000148A E8 5AAA0000 call datatran.1000BEE9
1000148F 51 push ecx ; reserve one stack slot ...
10001490 8BCC mov ecx,esp ; ... and pass its address in ecx
10001492 89A5 74FFFFFF mov dword ptr ss:[ebp-8C],esp
10001498 8D45 EC lea eax,dword ptr ss:[ebp-14]
1000149B 50 push eax
1000149C E8 28F00000 call datatran.100104C9 ; fills the reserved slot from the local at [ebp-14]
100014A1 8985 5CFFFFFF mov dword ptr ss:[ebp-A4],eax
100014A7 8D4D 80 lea ecx,dword ptr ss:[ebp-80]
100014AA E8 4F7B0000 call datatran.10008FFE ; same check callee, now on the entered value
100014AF 8985 58FFFFFF mov dword ptr ss:[ebp-A8],eax
100014B5 83BD 58FFFFFF 0>cmp dword ptr ss:[ebp-A8],0
100014BC 74 2D je short datatran.100014EB ; if this jump is not taken, registration likewise succeeds
100014BE C785 70FFFFFF 0>mov dword ptr ss:[ebp-90],1 ; return value 1: dialog input accepted
100014C8 C645 FC 00 mov byte ptr ss:[ebp-4],0
100014CC 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
100014CF E8 8C000000 call datatran.10001560
100014D4 C745 FC FFFFFFF>mov dword ptr ss:[ebp-4],-1
100014DB 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
100014DE E8 53F20000 call datatran.10010736
100014E3 8B85 70FFFFFF mov eax,dword ptr ss:[ebp-90]
100014E9 EB 2B jmp short datatran.10001516
100014EB C785 6CFFFFFF 0>mov dword ptr ss:[ebp-94],0 ; failure path: return value 0
100014F5 C645 FC 00 mov byte ptr ss:[ebp-4],0
100014F9 8D4D 8C lea ecx,dword ptr ss:[ebp-74]
100014FC E8 5F000000 call datatran.10001560
10001501 C745 FC FFFFFFF>mov dword ptr ss:[ebp-4],-1
10001508 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
1000150B E8 26F20000 call datatran.10010736
10001510 8B85 6CFFFFFF mov eax,dword ptr ss:[ebp-94]
10001516 8B4D F4 mov ecx,dword ptr ss:[ebp-C] ; common epilogue: ecx = SEH head saved in the prologue
10001519 64:890D 0000000>mov dword ptr fs:[0],ecx ; unlink this frame's SEH record
10001520 8BE5 mov esp,ebp
10001522 5D pop ebp
10001523 C3 retn
4、样片结构设计:万能断点。
F8多次返回到:
004DFBDE |. F2:AE repne scas byte ptr es:[edi]
004DFBE0 |. F7D1 not ecx
004DFBE2 |. 49 dec ecx
004DFBE3 |. 0F84 86000000 je 样片结构.004DFC6F
段首:
; 样片结构.004DFB30 -- licence gate of the pattern-structure executable as captured in
; OllyDbg (32-bit x86, Intel syntax, esp-relative frame without ebp).
;
; Flow visible in this listing:
;   1. SEH record linked in, 0x74 bytes of locals reserved, edi saved.
;   2. Stored-licence check: call 004FEE3E, eax tested for zero at 004DFB80.
;   3. If zero, a dialog call (0050D0F6) runs; the entered string must be non-empty and
;      is then passed through the same 004FEE3E callee.
;   4. Three exits: eax = 1 at 004DFB98 and 004DFC57, eax = 0 at 004DFCBA.
;
; Review note (defensive reading): the post reports that getting past this gate was not
; sufficient in this program -- creating a new document still failed. The listing does
; not show why; that is consistent with further checks outside this function, which is
; the kind of redundancy the other three modules on this page lack.
004DFB30 /$ 6A FF push -1 ; initial value of the slot later addressed as [esp+80] (looks like a C++ EH state index -- confirm)
004DFB32 |. 68 F0BD5300 push 样片结构.0053BDF0 ; SE handler installation
004DFB37 |. 64:A1 0000000>mov eax,dword ptr fs:[0] ; eax = current head of the SEH chain
004DFB3D |. 50 push eax
004DFB3E |. 64:8925 00000>mov dword ptr fs:[0],esp ; link this frame's record into the chain
004DFB45 |. 83EC 74 sub esp,74 ; reserve 0x74 bytes of locals
004DFB48 |. A1 50D65600 mov eax,dword ptr ds:[56D650] ; load a global (meaning not shown in the listing)
004DFB4D |. 57 push edi ; edi is callee-saved and used below by repne scas
004DFB4E |. 894424 04 mov dword ptr ss:[esp+4],eax ; copy the global into the local at [esp+4]
004DFB52 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
004DFB56 |. C78424 800000>mov dword ptr ss:[esp+80],0
004DFB61 |. E8 62F20100 call 样片结构.004FEDC8 ; sets up the local at [esp+8]; callee not shown
004DFB66 |. 51 push ecx ; reserve one stack slot ...
004DFB67 |. 8BCC mov ecx,esp ; ... and pass its address in ecx
004DFB69 |. 896424 10 mov dword ptr ss:[esp+10],esp
004DFB6D |. 68 10FE5600 push 样片结构.0056FE10 ; constant at 0056FE10 (contents not shown in the listing)
004DFB72 |. E8 D4C90200 call 样片结构.0050C54B ; fills the reserved slot from that constant -- looks like a by-value argument being built; confirm
004DFB77 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ; |
004DFB7B |. E8 BEF20100 call 样片结构.004FEE3E ; \样片结构.004FEE3E
004DFB80 85C0 test eax,eax
004DFB82 74 2C je short 样片结构.004DFBB0 ; start-up licence check; NOP-ed by the author, but creating an empty document still fails
004DFB84 |. 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
004DFB88 |. C78424 800000>mov dword ptr ss:[esp+80],-1
004DFB93 |. E8 45C90200 call 样片结构.0050C4DD ; releases the local at [esp+4] (presumably its destructor -- confirm)
004DFB98 |. B8 01000000 mov eax,1 ; note eax = 1 (already-licensed return)
004DFB9D |. 8B4C24 78 mov ecx,dword ptr ss:[esp+78] ; ecx = SEH head saved in the prologue
004DFBA1 |. 64:890D 00000>mov dword ptr fs:[0],ecx ; unlink this frame's SEH record
004DFBA8 |. 5F pop edi
004DFBA9 |. 81C4 80000000 add esp,80 ; drop the 0x74 locals plus the 0xC-byte SEH record
004DFBAF |. C3 retn
004DFBB0 |> 6A 00 push 0
004DFBB2 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004DFBB6 |. E8 A5FCFFFF call 样片结构.004DF860
004DFBBB |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004DFBBF |. C68424 800000>mov byte ptr ss:[esp+80],1
004DFBC7 |. E8 2AD50200 call 样片结构.0050D0F6 ; NOTE(review): by position this is the registration-dialog call seen in the other modules -- confirm
004DFBCC |. 83F8 01 cmp eax,1
004DFBCF |. 0F85 9A000000 jnz 样片结构.004DFC6F ; any result other than 1 goes to the failure path
004DFBD5 |. 8B7C24 70 mov edi,dword ptr ss:[esp+70] ; edi = pointer held in the local at [esp+70]
004DFBD9 |. 83C9 FF or ecx,FFFFFFFF ; ecx = -1: unbounded scan count
004DFBDC |. 33C0 xor eax,eax ; al = 0: scan for the terminating NUL
004DFBDE |. F2:AE repne scas byte ptr es:[edi]
004DFBE0 |. F7D1 not ecx
004DFBE2 |. 49 dec ecx ; ecx = length of the string (inline strlen idiom)
004DFBE3 |. 0F84 86000000 je 样片结构.004DFC6F ; empty string goes to the failure path
004DFBE9 |. 8D4C24 70 lea ecx,dword ptr ss:[esp+70]
004DFBED |. E8 F65F0200 call 样片结构.00505BE8
004DFBF2 |. 51 push ecx ; reserve one stack slot ...
004DFBF3 |. 8D5424 74 lea edx,dword ptr ss:[esp+74]
004DFBF7 |. 8BCC mov ecx,esp ; ... and pass its address in ecx
004DFBF9 |. 896424 10 mov dword ptr ss:[esp+10],esp
004DFBFD |. 52 push edx
004DFBFE |. E8 4FC60200 call 样片结构.0050C252 ; fills the reserved slot from the local whose address is in edx
004DFC03 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ; |
004DFC07 |. E8 32F20100 call 样片结构.004FEE3E ; \样片结构.004FEE3E
004DFC0C |. 85C0 test eax,eax
004DFC0E |. 74 5F je short 样片结构.004DFC6F ; if not taken, registration succeeds, but creating the document still fails
004DFC10 |. 8D4C24 70 lea ecx,dword ptr ss:[esp+70]
004DFC14 |. C68424 800000>mov byte ptr ss:[esp+80],3
004DFC1C |. E8 BCC80200 call 样片结构.0050C4DD
004DFC21 |. 8D4C24 6C lea ecx,dword ptr ss:[esp+6C]
004DFC25 |. C68424 800000>mov byte ptr ss:[esp+80],2
004DFC2D |. E8 ABC80200 call 样片结构.0050C4DD
004DFC32 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004DFC36 |. C68424 800000>mov byte ptr ss:[esp+80],0
004DFC3E |. E8 A5D00200 call 样片结构.0050CCE8
004DFC43 |. 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
004DFC47 |. C78424 800000>mov dword ptr ss:[esp+80],-1
004DFC52 |. E8 86C80200 call 样片结构.0050C4DD
004DFC57 |. B8 01000000 mov eax,1 ; eax = 1 (dialog input accepted)
004DFC5C |. 8B4C24 78 mov ecx,dword ptr ss:[esp+78]
004DFC60 |. 64:890D 00000>mov dword ptr fs:[0],ecx ; unlink this frame's SEH record
004DFC67 |. 5F pop edi
004DFC68 |. 81C4 80000000 add esp,80
004DFC6E |. C3 retn
004DFC6F |> 8D4C24 70 lea ecx,dword ptr ss:[esp+70] ; failure path: same clean-up calls, then eax = 0
004DFC73 |. C68424 800000>mov byte ptr ss:[esp+80],5
004DFC7B |. E8 5DC80200 call 样片结构.0050C4DD
004DFC80 |. 8D4C24 6C lea ecx,dword ptr ss:[esp+6C]
004DFC84 |. C68424 800000>mov byte ptr ss:[esp+80],4
004DFC8C |. E8 4CC80200 call 样片结构.0050C4DD
004DFC91 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
004DFC95 |. C68424 800000>mov byte ptr ss:[esp+80],0
004DFC9D |. E8 46D00200 call 样片结构.0050CCE8
004DFCA2 |. 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
004DFCA6 |. C78424 800000>mov dword ptr ss:[esp+80],-1
004DFCB1 |. E8 27C80200 call 样片结构.0050C4DD
004DFCB6 |. 8B4C24 78 mov ecx,dword ptr ss:[esp+78]
004DFCBA |. 33C0 xor eax,eax ; return value 0
004DFCBC |. 64:890D 00000>mov dword ptr fs:[0],ecx ; unlink this frame's SEH record
004DFCC3 |. 5F pop edi
004DFCC4 |. 81C4 80000000 add esp,80
004DFCCA \. C3 retn
至于那个建立文档失败就搞不定了,不知道为什么,都是同一种验证方式,但就是建立文档失败。
破文和以前的程序在办公室,先发个我发QQ中转站的等程序吧
还有个以前风球同志做的文件,破解文件在附件~原程序就中转站地址吧
http://xianexs.mail.qq.com/cgi-b ... d1874f87f1549525197
提取码:4c630dc6
再发个进去之后的图片,那个保存图标完美的话就可以保存样片的
Path.rar