【Crack Title】Third crack writeup for my PYG membership application
【Author】Fantasy
【Author Email】[email protected]
【Tools】PEiD 0.94, OllyDbg 1.1
【Platform】Windows XP SP2
【Software】Critical Seeker
【Size】2940KB
【Original Download】http://www.ptshare.com/critical-seeker.html
------------------------------------------------------------------------
【Software Description】
A spot-the-difference game.
------------------------------------------------------------------------
【Disclaimer】For learning and exchange only, no other purpose. I'm just a newbie; please correct any mistakes!
------------------------------------------------------------------------
【Cracking Process】
First, PEiD reports the packer as ASPack 2.12 -> Alexey Solodovnikov; unpack it with AspDie.
Load the unpacked file in OllyDbg, run the program and enter the following:
Username: fantasy
Registration code: 123451234512345 (it must be 15 characters; this was discovered during the analysis below)
Use the string plugin to search for the error message: the registeration key endtered is wrong.
a message has been sent to our group. we reserve the right to investigate or prosecute.
please respect the property right.
Double-click the string reference to land here:
---------------------------------------------------------------------------------------------------
004F3A6C /. 55 push ebp ; set a breakpoint here
004F3A6D |. 8BEC mov ebp, esp
004F3A6F |. 6A 00 push 0
004F3A71 |. 6A 00 push 0
004F3A73 |. 53 push ebx
004F3A74 |. 8BD8 mov ebx, eax
004F3A76 |. 33C0 xor eax, eax
004F3A78 |. 55 push ebp
004F3A79 |. 68 F33A4F00 push 004F3AF3
004F3A7E |. 64:FF30 push dword ptr fs:[eax]
004F3A81 |. 64:8920 mov fs:[eax], esp
004F3A84 |. 8D55 FC lea edx, [ebp-4]
004F3A87 |. 8B83 04030000 mov eax, [ebx+304]
004F3A8D |. E8 7A5CF5FF call 0044970C
004F3A92 |. 8B45 FC mov eax, [ebp-4]
004F3A95 |. 50 push eax
004F3A96 |. 8D55 F8 lea edx, [ebp-8]
004F3A99 |. 8B83 00030000 mov eax, [ebx+300]
004F3A9F |. E8 685CF5FF call 0044970C
004F3AA4 |. 8B55 F8 mov edx, [ebp-8]
004F3AA7 |. A1 18C64F00 mov eax, [4FC618]
004F3AAC |. 8B00 mov eax, [eax]
004F3AAE |. 59 pop ecx
004F3AAF |. E8 4C460000 call 004F8100 ; key call
004F3AB4 |. 84C0 test al, al
004F3AB6 |. 74 16 je short 004F3ACE ; key jump
004F3AB8 |. B8 083B4F00 mov eax, 004F3B08 ; thank you for purchasing this software!
004F3ABD |. E8 FA1AF4FF call 004355BC
004F3AC2 |. C783 4C020000>mov dword ptr [ebx+24C], 1
004F3ACC |. EB 0A jmp short 004F3AD8
004F3ACE |> B8 383B4F00 mov eax, 004F3B38 ; the registeration key endtered is wrong. a message has been sent to our group. we reserve the right to investigate or prosecute. please respect the property right.
------------------------------------------------------------------------------------------------------------------------
Step into the key call at 004F8100 to arrive here:
004F8100 /$ 53 push ebx
004F8101 |. 56 push esi
004F8102 |. 57 push edi
004F8103 |. 55 push ebp
004F8104 |. 51 push ecx
004F8105 |. 8BF9 mov edi, ecx
004F8107 |. 8BF2 mov esi, edx
004F8109 |. 8BD8 mov ebx, eax
004F810B |. 8BCF mov ecx, edi
004F810D |. 8BD6 mov edx, esi
004F810F |. 8B83 84030000 mov eax, [ebx+384]
004F8115 |. 8B28 mov ebp, [eax]
004F8117 |. FF55 34 call [ebp+34] ; key call, step into it
004F811A |. 84C0 test al, al
004F811C |. 74 2D je short 004F814B
004F811E |. 8BD6 mov edx, esi
004F8120 |. 8B83 84030000 mov eax, [ebx+384]
004F8126 |. E8 A903FDFF call 004C84D4
004F812B |. 8BD7 mov edx, edi
004F812D |. 8B83 84030000 mov eax, [ebx+384]
004F8133 |. E8 7C04FDFF call 004C85B4
004F8138 |. C60424 01 mov byte ptr [esp], 1
004F813C |. 33D2 xor edx, edx
004F813E |. 8B83 88030000 mov eax, [ebx+388]
004F8144 |. E8 E314F5FF call 0044962C
004F8149 |. EB 04 jmp short 004F814F
004F814B |> C60424 00 mov byte ptr [esp], 0
004F814F |> 8A0424 mov al, [esp]
004F8152 |. 5A pop edx
004F8153 |. 5D pop ebp
004F8154 |. 5F pop edi
004F8155 |. 5E pop esi
004F8156 |. 5B pop ebx
004F8157 \. C3 retn
------------------------------------------------------------------------------------------------------
Step into the call [ebp+34] above to arrive here:
004C7CF8 /. 55 push ebp
004C7CF9 |. 8BEC mov ebp, esp
004C7CFB |. 6A 00 push 0
004C7CFD |. 6A 00 push 0
004C7CFF |. 6A 00 push 0
004C7D01 |. 6A 00 push 0
004C7D03 |. 6A 00 push 0
004C7D05 |. 53 push ebx
004C7D06 |. 894D F8 mov [ebp-8], ecx ; store the entered (fake) code at [ebp-8]
004C7D09 |. 8955 FC mov [ebp-4], edx ; store the username at [ebp-4]
004C7D0C |. 8BD8 mov ebx, eax
004C7D0E |. 8B45 FC mov eax, [ebp-4]
004C7D11 |. E8 B6D4F3FF call 004051CC
004C7D16 |. 8B45 F8 mov eax, [ebp-8]
004C7D19 |. E8 AED4F3FF call 004051CC
004C7D1E |. 33C0 xor eax, eax
004C7D20 |. 55 push ebp
004C7D21 |. 68 8F7D4C00 push 004C7D8F
004C7D26 |. 64:FF30 push dword ptr fs:[eax]
004C7D29 |. 64:8920 mov fs:[eax], esp
004C7D2C |. 837D FC 00 cmp dword ptr [ebp-4], 0 ; compare the username pointer with 0
004C7D30 |. 74 0D je short 004C7D3F ; jump if there is no username
004C7D32 |. 8B45 F8 mov eax, [ebp-8] ; put the entered (fake) code in eax
004C7D35 |. E8 A2D2F3FF call 00404FDC ; compute the length of the registration code, result in eax
004C7D3A |. 83F8 0F cmp eax, 0F ; compare eax with 0F, i.e. 15
004C7D3D |. 74 04 je short 004C7D43 ; jump if equal (this is why the registration code must be 15 characters)
004C7D3F |> 33DB xor ebx, ebx
004C7D41 |. EB 31 jmp short 004C7D74
004C7D43 |> 8D4D F4 lea ecx, [ebp-C]
004C7D46 |. 8B55 FC mov edx, [ebp-4]
004C7D49 |. 8BC3 mov eax, ebx
004C7D4B |. 8B18 mov ebx, [eax]
004C7D4D |. FF53 30 call [ebx+30] ; registration code algorithm call
004C7D50 |. 8D55 EC lea edx, [ebp-14]
004C7D53 |. 8B45 F4 mov eax, [ebp-C]
004C7D56 |. E8 A1FEFFFF call 004C7BFC ; eax holds the real registration code
004C7D5B |. 8D55 F0 lea edx, [ebp-10]
004C7D5E |. 8B45 F8 mov eax, [ebp-8]
004C7D61 |. E8 96FEFFFF call 004C7BFC
004C7D66 |. 8B45 EC mov eax, [ebp-14]
004C7D69 |. 8B55 F0 mov edx, [ebp-10]
004C7D6C |. E8 B7D3F3FF call 00405128
004C7D71 |. 0F94C3 sete bl
004C7D74 |> 33C0 xor eax, eax
004C7D76 |. 5A pop edx
004C7D77 |. 59 pop ecx
004C7D78 |. 59 pop ecx
004C7D79 |. 64:8910 mov fs:[eax], edx
004C7D7C |. 68 967D4C00 push 004C7D96
004C7D81 |> 8D45 EC lea eax, [ebp-14]
004C7D84 |. BA 05000000 mov edx, 5
004C7D89 |. E8 B2CFF3FF call 00404D40
004C7D8E \. C3 retn
【Summary】
Username: fantasy
Registration code: YxA743hmvj26ARw