第十轮教学考题交流帖

Nisy · 发表于 2010-7-11 19:40:11

搞定的朋友直接贴思路及破文好了

这个程序的修改上有点麻烦大家可以交流下修补心得

本帖只贴代码成品的附件请发我邮箱

前十名提交破文的学员每人奖励 50PYB

提交破文并将程序的完成度超过80%的学员我会将其组别调整为 PYG学员

sdnyzjzx · 发表于 2010-7-11 19:43:08

本帖最后由 sdnyzjzx 于 2010-7-11 19:51 编辑

先占个位，慢慢补充，新手学习，请多指导！

破解说明：

通过对软件分析，发现以下几方面问题：
一、文件名自校验
004874F4 E8 33C9F7FF    CALL Unpack_.00403E2C / 比较文件名与原文件是否一致
004874F9 74 05          JE SHORT Unpack_.00487500 --->EB
二、输入注册码长度检查
0047998D  |.  2D B4000000 sub eax,0xB4
00479992  |.  74 22       je short Unpack_.004799B6 --->EB
三、窗口启动Nag
0486C58    803D 64A64800>cmp byte ptr ds:[0x48A664],0x0  ------>1 去Nag
四、窗口启动 Tip of the day
00486CA8 .  8038 00    cmp byte ptr ds:[eax],0x0  ------>1 去Tip of the day
五、软件功能限制
通过分析发现，在功能限制地方，指令格式基本上都是以下形式
00481A7E .  E8 A110F8FF call Unpack_3.00402B24
00481A83 .  8B15 04A94800 mov edx,dword ptr ds:[0x48A904]       ;  Unpack_3.00498CF4
00481A89 .  8902       mov dword ptr ds:[edx],eax
00481A8B .  A1 04A94800 mov eax,dword ptr ds:[0x48A904]
00481A90 .  8B00       mov eax,dword ptr ds:[eax]
00481A92 .  8B15 D4A64800 mov edx,dword ptr ds:[0x48A6D4]       ;  Unpack_3.0049AC78
00481A98 .  8B12       mov edx,dword ptr ds:[edx]
00481A9A .  8A0402       mov al,byte ptr ds:[edx+eax]
00481A9D .  8B15 04A94800 mov edx,dword ptr ds:[0x48A904]       ;  Unpack_3.00498CF4
00481AA3 .  8B12       mov edx,dword ptr ds:[edx]
00481AA5 .  8B0D 3CA74800 mov ecx,dword ptr ds:[0x48A73C]       ;  Unpack_3.0049AC7C
00481AAB .  8B09       mov ecx,dword ptr ds:[ecx]
00481AAD .  3A0411       cmp al,byte ptr ds:[ecx+edx]
00481AB0 .  74 14       je short Unpack_3.00481AC6

特征码
8B 15 04 A9 48 00 89 02 A1 04 A9 48 00 8B 00 8B 15 D4 A6 48 00 8B 12 8A 04 02 8B 15 04 A9 48 00 8B 12 8B 0D 3C A7 48 00 8B 09 3A 04 11 74 ??
用DUP搜索，改最后 74 为EB（全部）
另外再搜索 75 改 EB （一次）

==========================
脱壳步骤：
忽略所有异常都去掉
Shift +F9  11次
堆栈处 SE 0051c7f9 Ctrl +G
F2 下断
Shift +F9
F2 取消断点
tc eip<0051b000

OEP
00487420 55             PUSH EBP
00487421 8BEC          MOV EBP,ESP
00487423 B9 08000000    MOV ECX,8

关OD，另开原始主程序
Improt Rec  插件0.98#1 修复
4个无效指针 cut
打开修复后文件

cjteam · 发表于 2010-7-11 19:52:38

本帖最后由 cjteam 于 2010-7-11 19:54 编辑

二进制搜索，快速定位其他暗桩.
A1 04 A9 48 00 8B 00 8B 15 D4 A6 48 00 8B 12 8A 04 02 8B 15 04 A9 48 00 8B 12 8B 0D 3C A7 48 00
8B 09 3A 04 11
00477CCA /EB 69 jmp short 00477D35
00477D5A /EB 6C jmp short 00477DC8
00477F07 /EB 69 jmp short 00477F72
00478003 /EB 6C jmp short 00478071
00478780 /EB 53 jmp short 004787D5
00478D4B /EB 6E jmp short 00478DBB
0047E056 /E9 AD000000 jmp 0047E108
00486221 /EB 13 jmp short 00486236
00485E39 /EB 6B jmp short 00485EA6
004853DA /EB 5B jmp short 00485437
004822AF /E9 AD000000 jmp 00482361
00480B31 /E9 9F000000 jmp 00480BD5
00480548 /EB 14 jmp short 0048055E
00480275 /EB 25 jmp short 0048029C
0047F915 /EB 05 jmp short 0047F91C ; 决定是否写unregister
0047F941 /EB 05 jmp short 0047F948
0047EEE2 /E9 AD000000 jmp 0047EF94
------------------------------------------------------------
0048483B 90 nop
--------------------------------------------------------------------
00487A1C 90 nop
00487A1D 90 nop
00487A1E |. A1 38BF4900 mov eax, dword ptr [49BF38]
00487A23 |. E8 E4C2F7FF call 00403D0C
00487A28 |. 2D B4000000 sub eax, 0B4
00487A2D |. 74 0D je short 00487A3C
00487A2F |. 83E8 02 sub eax, 2
00487A32 |. 74 08 je short 00487A3C
00487A34 |> A1 70AC4800 mov eax, dword ptr [48AC70]
00487A39 C600 00 mov byte ptr [eax], 0

复制代码

脱壳直接脱壳机搞定，程序校验，没碰到，脱壳后，把脱好的文件与原文件替换就可以了，

assume · 发表于 2010-7-11 19:55:16

【文章标题】: Crazy Tetris考题破文
【文章作者】: assume
【作者邮箱】: [email protected]
【软件名称】: Crazy Tetris
【下载地址】: 自己搜索下载
【加壳方式】: tElock 0.98b2 -> tE!
【编写语言】: Borland Delphi 4.0 - 5.0
【使用工具】: OD,DEDE以及SPY4WIN
【操作平台】: XP SP3
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】

  不会脱壳，直接用脱壳机解决了
  破解这个软件主要用到软件本身的语言文件还有DEDE以及SPY4WIN
  主要是爆破，有语言文件得知有以下几个限制：

1.文件名校验去除
004874E6  |.  8902       MOV DWORD PTR DS:[EDX],EAX
004874E8  |.  A1 74A94800 MOV EAX,DWORD PTR DS:[48A974]
004874ED  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
004874EF  |.  BA 587A4800 MOV EDX,00487A58                      ;  ASCII "CRAZYTET.EXE"
004874F4  |.  E8 33C9F7FF CALL 00403E2C
004874F9  |.  74 05       JE SHORT 00487500                      ;  文件名校验，74改成EB
004874FB  |.  E8 64C4F7FF CALL 00403964
00487500  |>  33C0       XOR EAX,EAX
00487502  |.  E8 556EFFFF CALL 0047E35C

2.运行前后的NAG

运行前
方法一：
利用SPY4WIN这个软件得到启动时调用的NAG的模块是TFORM3，再利用DEDE得到TDFORM3的关闭地址：00479FF8

00479FF8 .  A0 FCC14800 MOV AL,BYTE PTR DS:[48C1FC]
00479FFD .  8801       MOV BYTE PTR DS:[ECX],AL
00479FFF .  C3          RETN
0047A000 .  53          PUSH EBX

单步走
004878E7 .  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  CrazyTet.00498CF4
004878ED .  8902       MOV DWORD PTR DS:[EDX],EAX
004878EF .  A1 04A94800 MOV EAX,DWORD PTR DS:[48A904]
004878F4 .  8B00       MOV EAX,DWORD PTR DS:[EAX]
004878F6 .  8B15 D4A64800 MOV EDX,DWORD PTR DS:[48A6D4]          ;  CrazyTet.0049AC78
004878FC .  8B12       MOV EDX,DWORD PTR DS:[EDX]
004878FE .  8A0402       MOV AL,BYTE PTR DS:[EDX+EAX]
00487901 .  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  CrazyTet.00498CF4
00487907 .  8B12       MOV EDX,DWORD PTR DS:[EDX]
00487909 .  8B0D 3CA74800 MOV ECX,DWORD PTR DS:[48A73C]          ;  CrazyTet.0049AC7C
0048790F .  8B09       MOV ECX,DWORD PTR DS:[ECX]
00487911 .  3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
00487914    74 16       JE SHORT 0048792C 此为关键跳，不跳则去除了NAG了
00487916 .  A1 3CBF4900 MOV EAX,DWORD PTR DS:[49BF3C]
0048791B .  E8 FCC3F7FF CALL 00403D1C
00487920 .  2D B4000000 SUB EAX,0B4
00487925 .  74 0D       JE SHORT 00487934
00487927 .  83E8 02    SUB EAX,2
0048792A .  74 08       JE SHORT 00487934

运行后
利用SPY4WIN这个软件得到退出时调用的NAG的模块是TADFORM，再利用DEDE得到TADFORM的关闭地址：0047A870

0047A870 .  55          PUSH EBP
0047A871 .  8BEC       MOV EBP,ESP
0047A873 .  81C4 B0FEFFFF ADD ESP,-150
0047A879 .  53          PUSH EBX
0047A87A .  33DB       XOR EBX,EBX
0047A87C .  899D B0FEFFFF MOV DWORD PTR SS:[EBP-150],EBX
0047A882 .  33C0       XOR EAX,EAX
0047A884 .  55          PUSH EBP
0047A885 .  68 05A94700 PUSH 0047A905
0047A88A .  64:FF30    PUSH DWORD PTR FS:[EAX]
0047A88D .  64:8920    MOV DWORD PTR FS:[EAX],ESP
0047A890 .  8B15 DCA84800 MOV EDX,DWORD PTR DS:[48A8DC]          ;  CrazyTet.004996B0
0047A896 .  8B12       MOV EDX,DWORD PTR DS:[EDX]
0047A898 .  8D85 B0FEFFFF LEA EAX,DWORD PTR SS:[EBP-150]
0047A89E .  B9 1CA94700 MOV ECX,0047A91C                      ;  ASCII "tmp.bmp"
0047A8A3 .  E8 C094F8FF CALL 00403D68
0047A8A8 .  8B95 B0FEFFFF MOV EDX,DWORD PTR SS:[EBP-150]
0047A8AE .  8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
0047A8B4 .  E8 21AFF8FF CALL 004057DA
0047A8B9 .  33C0       XOR EAX,EAX
0047A8BB .  55          PUSH EBP
0047A8BC .  68 E5A84700 PUSH 0047A8E5
0047A8C1 .  64:FF30    PUSH DWORD PTR FS:[EAX]
0047A8C4 .  64:8920    MOV DWORD PTR FS:[EAX],ESP
0047A8C7 .  8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
0047A8CD .  E8 AEB0F8FF CALL 00405980
0047A8D2 .  E8 157FF8FF CALL 004027EC
0047A8D7 .  33C0       XOR EAX,EAX
0047A8D9 .  5A          POP EDX
一直单步走到下面

004442B8 .  53          PUSH EBX                               ;  CrazyTet.004442B8
004442B9 .  66:83B8 7A020>CMP WORD PTR DS:[EAX+27A],0
004442C1 .  74 12       JE SHORT 004442D5                   跳过这个CALL。就能去除了NAG
004442C3 .  8BCA       MOV ECX,EDX
004442C5 .  8BD8       MOV EBX,EAX
004442C7 .  8BD0       MOV EDX,EAX
004442C9 .  8B83 7C020000 MOV EAX,DWORD PTR DS:[EBX+27C]
004442CF .  FF93 78020000 CALL DWORD PTR DS:[EBX+278]
004442D5 >  5B          POP EBX
004442D6 .  C3          RETN

3.去除每日一贴NAG

利用SPY4WIN这个软件得到每日一贴调用的NAG的模块是TTipsForm，再利用DEDE得到TTipsForm的地址：0047BF5C


  0047BF5C .  53          PUSH EBX
  0047BF5D .  8BD8       MOV EBX,EAX
  0047BF5F .  A1 ECAB4800 MOV EAX,DWORD PTR DS:[48ABEC]
  0047BF64 .  8B00       MOV EAX,DWORD PTR DS:[EAX]
  0047BF66 .  8B50 30    MOV EDX,DWORD PTR DS:[EAX+30]
  0047BF69 .  A1 ECAB4800 MOV EAX,DWORD PTR DS:[48ABEC]
  0047BF6E .  8B00       MOV EAX,DWORD PTR DS:[EAX]
  0047BF70 .  8B40 38    MOV EAX,DWORD PTR DS:[EAX+38]
  0047BF73 .  2B43 38    SUB EAX,DWORD PTR DS:[EBX+38]
  0047BF76 .  D1F8       SAR EAX,1
  0047BF78 .  79 03       JNS SHORT 0047BF7D
  0047BF7A .  83D0 00    ADC EAX,0
  0047BF7D >  03D0       ADD EDX,EAX
  0047BF7F .  8BC3       MOV EAX,EBX
  0047BF81 .  E8 0EFEFAFF CALL 0042BD94
  0047BF86 .  A1 ECAB4800 MOV EAX,DWORD PTR DS:[48ABEC]
  0047BF8B .  8B00       MOV EAX,DWORD PTR DS:[EAX]
  0047BF8D .  8B50 34    MOV EDX,DWORD PTR DS:[EAX+34]
  0047BF90 .  A1 ECAB4800 MOV EAX,DWORD PTR DS:[48ABEC]
  0047BF95 .  8B00       MOV EAX,DWORD PTR DS:[EAX]
  0047BF97 .  8B40 3C    MOV EAX,DWORD PTR DS:[EAX+3C]
  0047BF9A .  2B43 3C    SUB EAX,DWORD PTR DS:[EBX+3C]
  0047BF9D .  D1F8       SAR EAX,1
  0047BF9F .  79 03       JNS SHORT 0047BFA4
  0047BFA1 .  83D0 00    ADC EAX,0
  0047BFA4 >  03D0       ADD EDX,EAX
  0047BFA6 .  8BC3       MOV EAX,EBX
  0047BFA8 .  E8 07FEFAFF CALL 0042BDB4


  单步走到这里，

  00447813  |.  E8 B8A4FFFF CALL 00441CD0
  00447818  |.  8945 F4    MOV DWORD PTR SS:[EBP-C],EAX
  0044781B  |.  33D2       XOR EDX,EDX
  0044781D  |.  55          PUSH EBP
  0044781E  |.  68 8C794400 PUSH 0044798C
  00447823  |.  64:FF32    PUSH DWORD PTR FS:[EDX]
  00447826  |.  64:8922    MOV DWORD PTR FS:[EDX],ESP
  00447829  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
  0044782C  |.  E8 3BFEFFFF CALL 0044766C
  00447831  |.  33D2       XOR EDX,EDX                            ;  ntdll.KiFastSystemCallRet
  00447833  |.  55          PUSH EBP
  00447834  |.  68 EB784400 PUSH 004478EB
  00447839  |.  64:FF32    PUSH DWORD PTR FS:[EDX]
  0044783C  |.  64:8922    MOV DWORD PTR FS:[EDX],ESP
  0044783F  |.  6A 00       PUSH 0
  00447841  |.  6A 00       PUSH 0
  00447843  |.  68 00B00000 PUSH 0B000
  00447848  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
  0044784B  |.  E8 9CAEFEFF CALL 004326EC
  00447850  |.  50          PUSH EAX                               ; |hWnd
  00447851  |.  E8 3AF5FBFF CALL <JMP.&user32.SendMessageA>       ; \SendMessageA
  00447856  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
  00447859  |.  33D2       XOR EDX,EDX
  0044785B  |.  8990 34020000 MOV DWORD PTR DS:[EAX+234],EDX
  00447861  |>  8B03       /MOV EAX,DWORD PTR DS:[EBX]
  00447863  |.  E8 BC2D0000 |CALL 0044A624
  00447868  |.  8B03       |MOV EAX,DWORD PTR DS:[EBX]
  0044786A  |.  80B8 8C000000>|CMP BYTE PTR DS:[EAX+8C],0
  00447871    74 0F       |JE SHORT 00447882
  00447873  |.  8B45 FC    |MOV EAX,DWORD PTR SS:[EBP-4]
  00447876  |.  C780 34020000>|MOV DWORD PTR DS:[EAX+234],2
  00447880  |.  EB 14       |JMP SHORT 00447896
  00447882  |>  8B45 FC    |MOV EAX,DWORD PTR SS:[EBP-4]
  00447885  |.  83B8 34020000>|CMP DWORD PTR DS:[EAX+234],0
  0044788C    74 08       |JE SHORT 00447896
  0044788E  |.  8B45 FC    |MOV EAX,DWORD PTR SS:[EBP-4]
  00447891    E8 26FDFFFF |CALL 004475BC
  00447896  |>  8B45 FC    |MOV EAX,DWORD PTR SS:[EBP-4]
  00447899  |.  8B80 34020000 |MOV EAX,DWORD PTR DS:[EAX+234]
  0044789F  |.  85C0       |TEST EAX,EAX
  004478A1 ^ 74 BE       JE SHORT 00447861
  004478A3    8945 F8    MOV DWORD PTR SS:[EBP-8],EAX             F4到这里弹出NAG，继续单步走出CALL
  004478A6  |.  6A 00       PUSH 0
  004478A8  |.  6A 00       PUSH 0
  004478AA  |.  68 01B00000 PUSH 0B001
  004478AF  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
  004478B2  |.  E8 35AEFEFF CALL 004326EC
  004478B7  |.  50          PUSH EAX                               ; |hWnd
  004478B8  |.  E8 D3F4FBFF CALL <JMP.&user32.SendMessageA>       ; \SendMessageA
  004478BD  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
  004478C0  |.  E8 27AEFEFF CALL 004326EC
  004478C5  |.  8BD8       MOV EBX,EAX
  004478C7  |.  E8 2CF2FBFF CALL <JMP.&user32.GetActiveWindow>    ; [GetActiveWindow
  004478CC  |.  3BD8       CMP EBX,EAX
  004478CE  |.  74 05       JE SHORT 004478D5
  004478D0  |.  33C0       XOR EAX,EAX
  004478D2  |.  8945 E4    MOV DWORD PTR SS:[EBP-1C],EAX
  004478D5  |>  33C0       XOR EAX,EAX
  004478D7  |.  5A          POP EDX
  004478D8  |.  59          POP ECX
  004478D9  |.  59          POP ECX
  004478DA  |.  64:8910    MOV DWORD PTR FS:[EAX],EDX
  004478DD  |.  68 F2784400 PUSH 004478F2
  004478E2  |>  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
  004478E5  |.  E8 7AFDFFFF CALL 00447664
  004478EA  \.  C3          RETN



  然后来到：
  00486CAB    /74 1F       JE SHORT 00486CCC          此就是去掉每日一贴的关键跳了
  00486CAD . |A1 FCA94800 MOV EAX,DWORD PTR DS:[48A9FC]
  00486CB2 . |8B00       MOV EAX,DWORD PTR DS:[EAX]
  00486CB4 . |8B10       MOV EDX,DWORD PTR DS:[EAX]
  00486CB6 . |FF92 D8000000 CALL DWORD PTR DS:[EDX+D8]
  00486CBC . |A1 C0BD4900 MOV EAX,DWORD PTR DS:[49BDC0]
  00486CC1 . |E8 26BAFAFF CALL 004326EC
  00486CC6 . |50          PUSH EAX                               ; /hWnd
  00486CC7 . |E8 F400F8FF CALL <JMP.&user32.SetForegroundWindow> ; \SetForegroundWindow
  00486CCC > \C3          RETN
  00486CCD    8D40 00    LEA EAX,DWORD PTR DS:[EAX]
  00486CD0 .  55          PUSH EBP

  4.  在未注册版本中您只能玩2个等级.
下MessageBoxA断点，断下后返回到单步走

0044A9E5  |.  57          PUSH EDI                               ; |Title
0044A9E6  |.  56          PUSH ESI                               ; |Text
0044A9E7  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]          ; |
0044A9EA  |.  8B40 24    MOV EAX,DWORD PTR DS:[EAX+24]          ; |
0044A9ED  |.  50          PUSH EAX                               ; |hOwner
0044A9EE  |.  E8 15C3FBFF CALL <JMP.&user32.MessageBoxA>          ; \MessageBoxA
0044A9F3  |.  8945 F8    MOV DWORD PTR SS:[EBP-8],EAX
0044A9F6  |.  33C0       XOR EAX,EAX
0044A9F8  |.  5A          POP EDX
0044A9F9  |.  59          POP ECX
0044A9FA  |.  59          POP ECX
0044A9FB  |.  64:8910    MOV DWORD PTR FS:[EAX],EDX
0044A9FE  |.  68 5CAA4400 PUSH 0044AA5C
0044AA03  |>  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
0044AA06  |.  3B45 E8    CMP EAX,DWORD PTR SS:[EBP-18]
0044AA09  |.  74 38       JE SHORT 0044AA43
0044AA0B  |.  6A 1D       PUSH 1D
0044AA0D  |.  6A 00       PUSH 0
0044AA0F  |.  6A 00       PUSH 0
0044AA11  |.  8B4D BC    MOV ECX,DWORD PTR SS:[EBP-44]
0044AA14  |.  8B55 B4    MOV EDX,DWORD PTR SS:[EBP-4C]
0044AA17  |.  2BCA       SUB ECX,EDX
0044AA19  |.  D1F9       SAR ECX,1

来到这里

00478000  /.  55          PUSH EBP
00478001  |.  8BEC       MOV EBP,ESP
00478003  |.  6A 00       PUSH 0
00478005  |.  6A 00       PUSH 0
00478007  |.  53          PUSH EBX
00478008  |.  8BD8       MOV EBX,EAX
0047800A  |.  33C0       XOR EAX,EAX
0047800C  |.  55          PUSH EBP
0047800D  |.  68 D5804700 PUSH 004780D5
00478012  |.  64:FF30    PUSH DWORD PTR FS:[EAX]
00478015  |.  64:8920    MOV DWORD PTR FS:[EAX],ESP
00478018  |.  B8 10270000 MOV EAX,2710
0047801D  |.  E8 02ABF8FF CALL 00402B24
00478022  |.  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  nag.00498CF4
00478028  |.  8902       MOV DWORD PTR DS:[EDX],EAX
0047802A  |.  A1 04A94800 MOV EAX,DWORD PTR DS:[48A904]
0047802F  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00478031  |.  8B15 D4A64800 MOV EDX,DWORD PTR DS:[48A6D4]          ;  nag.0049AC78
00478037  |.  8B12       MOV EDX,DWORD PTR DS:[EDX]
00478039  |.  8A0402       MOV AL,BYTE PTR DS:[EDX+EAX]
0047803C  |.  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  nag.00498CF4
00478042  |.  8B12       MOV EDX,DWORD PTR DS:[EDX]
00478044  |.  8B0D 3CA74800 MOV ECX,DWORD PTR DS:[48A73C]          ;  nag.0049AC7C
0047804A  |.  8B09       MOV ECX,DWORD PTR DS:[ECX]
0047804C  |.  3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
0047804F    75 69       JNZ SHORT 004780BA                JMP跳过提示只能玩二个等级

00478051  |.  8B83 D0020000 MOV EAX,DWORD PTR DS:[EBX+2D0]
00478057  |.  8B80 00020000 MOV EAX,DWORD PTR DS:[EAX+200]
0047805D  |.  40          INC EAX
0047805E  |.  83F8 02    CMP EAX,2
00478061  |.  7E 57       JLE SHORT 004780BA
00478063  |.  6A 00       PUSH 0
00478065  |.  8D4D FC    LEA ECX,DWORD PTR SS:[EBP-4]
00478068  |.  A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]
0047806D  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
0047806F  |.  BA EC804700 MOV EDX,004780EC                      ;  ASCII "r12"
00478074  |.  E8 7B75F9FF CALL 0040F5F4
00478079  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
0047807C  |.  E8 5FBEF8FF CALL 00403EE0
00478081  |.  50          PUSH EAX
00478082  |.  8D4D F8    LEA ECX,DWORD PTR SS:[EBP-8]
00478085  |.  A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]
0047808A  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
0047808C  |.  BA F8804700 MOV EDX,004780F8                      ;  ASCII "m11"
00478091  |.  E8 5E75F9FF CALL 0040F5F4
00478096  |.  8B45 F8    MOV EAX,DWORD PTR SS:[EBP-8]
00478099  |.  E8 42BEF8FF CALL 00403EE0
0047809E  |.  8BD0       MOV EDX,EAX
004780A0  |.  A1 74AA4800 MOV EAX,DWORD PTR DS:[48AA74]
004780A5  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
004780A7  |.  59          POP ECX
004780A8  |.  E8 6328FDFF CALL 0044A910
004780AD  |.  33D2       XOR EDX,EDX
004780AF  |.  8B83 D0020000 MOV EAX,DWORD PTR DS:[EBX+2D0]
004780B5  |.  E8 72A9FDFF CALL 00452A2C
004780BA  |>  33C0       XOR EAX,EAX
004780BC  |.  5A          POP EDX
004780BD  |.  59          POP ECX
004780BE  |.  59          POP ECX
004780BF  |.  64:8910    MOV DWORD PTR FS:[EAX],EDX
004780C2  |.  68 DC804700 PUSH 004780DC
004780C7  |>  8D45 F8    LEA EAX,DWORD PTR SS:[EBP-8]
004780CA  |.  BA 02000000 MOV EDX,2
004780CF  |.  E8 ECB9F8FF CALL 00403AC0
004780D4  \.  C3          RETN

下MessageBoxA断点，断下后返回到单步走

0044A9E5  |.  57          PUSH EDI                               ; |Title
0044A9E6  |.  56          PUSH ESI                               ; |Text
0044A9E7  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]          ; |
0044A9EA  |.  8B40 24    MOV EAX,DWORD PTR DS:[EAX+24]          ; |
0044A9ED  |.  50          PUSH EAX                               ; |hOwner
0044A9EE  |.  E8 15C3FBFF CALL <JMP.&user32.MessageBoxA>          ; \MessageBoxA
0044A9F3  |.  8945 F8    MOV DWORD PTR SS:[EBP-8],EAX
0044A9F6  |.  33C0       XOR EAX,EAX
0044A9F8  |.  5A          POP EDX
0044A9F9  |.  59          POP ECX
0044A9FA  |.  59          POP ECX
0044A9FB  |.  64:8910    MOV DWORD PTR FS:[EAX],EDX
0044A9FE  |.  68 5CAA4400 PUSH 0044AA5C
0044AA03  |>  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
0044AA06  |.  3B45 E8    CMP EAX,DWORD PTR SS:[EBP-18]
0044AA09  |.  74 38       JE SHORT 0044AA43
0044AA0B  |.  6A 1D       PUSH 1D
0044AA0D  |.  6A 00       PUSH 0
0044AA0F  |.  6A 00       PUSH 0
0044AA11  |.  8B4D BC    MOV ECX,DWORD PTR SS:[EBP-44]
0044AA14  |.  8B55 B4    MOV EDX,DWORD PTR SS:[EBP-4C]
0044AA17  |.  2BCA       SUB ECX,EDX
0044AA19  |.  D1F9       SAR ECX,1

00477DC8  /$  55          PUSH EBP
00477DC9  |.  8BEC       MOV EBP,ESP
00477DCB  |.  33C9       XOR ECX,ECX
00477DCD  |.  51          PUSH ECX
00477DCE  |.  51          PUSH ECX
00477DCF  |.  51          PUSH ECX
00477DD0  |.  51          PUSH ECX
00477DD1  |.  53          PUSH EBX
00477DD2  |.  8BD8       MOV EBX,EAX
00477DD4  |.  33C0       XOR EAX,EAX
00477DD6  |.  55          PUSH EBP
00477DD7  |.  68 9F7F4700 PUSH 00477F9F
00477DDC  |.  64:FF30    PUSH DWORD PTR FS:[EAX]
00477DDF  |.  64:8920    MOV DWORD PTR FS:[EAX],ESP
00477DE2  |.  A1 04A94800 MOV EAX,DWORD PTR DS:[48A904]
00477DE7  |.  C700 F2030000 MOV DWORD PTR DS:[EAX],3F2
00477DED  |.  A1 04A94800 MOV EAX,DWORD PTR DS:[48A904]
00477DF2  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00477DF4  |.  8B15 D4A64800 MOV EDX,DWORD PTR DS:[48A6D4]          ;  nag.0049AC78
00477DFA  |.  8B12       MOV EDX,DWORD PTR DS:[EDX]
00477DFC  |.  8A0402       MOV AL,BYTE PTR DS:[EDX+EAX]
00477DFF  |.  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  nag.00498CF4
00477E05  |.  8B12       MOV EDX,DWORD PTR DS:[EDX]
00477E07  |.  8B0D 3CA74800 MOV ECX,DWORD PTR DS:[48A73C]          ;  nag.0049AC7C
00477E0D  |.  8B09       MOV ECX,DWORD PTR DS:[ECX]
00477E0F  |.  3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
00477E12    EB 69       JMP SHORT 00477E7D                   继续跳过弹出的提示框，后继续单步走。
00477E14  |.  8B83 D0020000 MOV EAX,DWORD PTR DS:[EBX+2D0]
00477E1A  |.  8B80 00020000 MOV EAX,DWORD PTR DS:[EAX+200]
00477E20  |.  40          INC EAX
00477E21  |.  83F8 02    CMP EAX,2
00477E24  |.  7E 57       JLE SHORT 00477E7D
00477E26  |.  6A 00       PUSH 0
00477E28  |.  8D4D FC    LEA ECX,DWORD PTR SS:[EBP-4]
00477E2B  |.  A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]
00477E30  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00477E32  |.  BA B47F4700 MOV EDX,00477FB4                      ;  ASCII "r12"
00477E37  |.  E8 B877F9FF CALL 0040F5F4
00477E3C  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
00477E3F  |.  E8 9CC0F8FF CALL 00403EE0
00477E44  |.  50          PUSH EAX
00477E45  |.  8D4D F8    LEA ECX,DWORD PTR SS:[EBP-8]
00477E48  |.  A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]
00477E4D  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00477E4F  |.  BA C07F4700 MOV EDX,00477FC0                      ;  ASCII "m11"
00477E54  |.  E8 9B77F9FF CALL 0040F5F4
00477E59  |.  8B45 F8    MOV EAX,DWORD PTR SS:[EBP-8]
00477E5C  |.  E8 7FC0F8FF CALL 00403EE0
00477E61  |.  8BD0       MOV EDX,EAX
00477E63  |.  A1 74AA4800 MOV EAX,DWORD PTR DS:[48AA74]
00477E68  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00477E6A  |.  59          POP ECX
00477E6B  |.  E8 A02AFDFF CALL 0044A910
00477E70  |.  33D2       XOR EDX,EDX
00477E72  |.  8B83 D0020000 MOV EAX,DWORD PTR DS:[EBX+2D0]
00477E78  |.  E8 AFABFDFF CALL 00452A2C
00477E7D  |>  A1 04A94800 MOV EAX,DWORD PTR DS:[48A904]
00477E82  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00477E84  |.  8B15 D4A64800 MOV EDX,DWORD PTR DS:[48A6D4]          ;  nag.0049AC78
00477E8A  |.  8B12       MOV EDX,DWORD PTR DS:[EDX]
00477E8C  |.  8A0402       MOV AL,BYTE PTR DS:[EDX+EAX]
00477E8F  |.  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  nag.00498CF4
00477E95  |.  8B12       MOV EDX,DWORD PTR DS:[EDX]
00477E97  |.  8B0D 3CA74800 MOV ECX,DWORD PTR DS:[48A73C]          ;  nag.0049AC7C
00477E9D  |.  8B09       MOV ECX,DWORD PTR DS:[ECX]
00477E9F  |.  3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
00477EA2    EB 6C       JMP SHORT 00477F10
00477EA4  |.  8B83 EC020000 MOV EAX,DWORD PTR DS:[EBX+2EC]
00477EAA  |.  8B10       MOV EDX,DWORD PTR DS:[EAX]
00477EAC  |.  FF92 B4000000 CALL DWORD PTR DS:[EDX+B4]
00477EB2  |.  84C0       TEST AL,AL
00477EB4  |.  74 5A       JE SHORT 00477F10
00477EB6  |.  6A 00       PUSH 0
00477EB8  |.  8D4D F4    LEA ECX,DWORD PTR SS:[EBP-C]
00477EBB  |.  A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]
00477EC0  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00477EC2  |.  BA B47F4700 MOV EDX,00477FB4                      ;  ASCII "r12"
00477EC7  |.  E8 2877F9FF CALL 0040F5F4
00477ECC  |.  8B45 F4    MOV EAX,DWORD PTR SS:[EBP-C]
00477ECF  |.  E8 0CC0F8FF CALL 00403EE0
00477ED4  |.  50          PUSH EAX
00477ED5  |.  8D4D F0    LEA ECX,DWORD PTR SS:[EBP-10]
00477ED8  |.  A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]
00477EDD  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00477EDF  |.  BA CC7F4700 MOV EDX,00477FCC                      ;  ASCII "m10"
00477EE4  |.  E8 0B77F9FF CALL 0040F5F4
00477EE9  |.  8B45 F0    MOV EAX,DWORD PTR SS:[EBP-10]
00477EEC  |.  E8 EFBFF8FF CALL 00403EE0
00477EF1  |.  8BD0       MOV EDX,EAX
00477EF3  |.  A1 74AA4800 MOV EAX,DWORD PTR DS:[48AA74]
00477EF8  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00477EFA  |.  59          POP ECX
00477EFB  |.  E8 102AFDFF CALL 0044A910
00477F00  |.  33D2       XOR EDX,EDX
00477F02  |.  8B83 EC020000 MOV EAX,DWORD PTR DS:[EBX+2EC]
00477F08  |.  8B08       MOV ECX,DWORD PTR DS:[EAX]
00477F0A  |.  FF91 B8000000 CALL DWORD PTR DS:[ECX+B8]
00477F10  |>  8B83 D0020000 MOV EAX,DWORD PTR DS:[EBX+2D0]
00477F16  |.  8B80 00020000 MOV EAX,DWORD PTR DS:[EAX+200]
00477F1C  |.  40          INC EAX
00477F1D  |.  8B15 D8AA4800 MOV EDX,DWORD PTR DS:[48AAD8]          ;  nag.00498CE0
00477F23  |.  8902       MOV DWORD PTR DS:[EDX],EAX
00477F25  |.  8B83 D4020000 MOV EAX,DWORD PTR DS:[EBX+2D4]
00477F2B  |.  8A80 00020000 MOV AL,BYTE PTR DS:[EAX+200]
00477F31  |.  8B15 E0A74800 MOV EDX,DWORD PTR DS:[48A7E0]          ;  nag.00498BE4
00477F37  |.  8802       MOV BYTE PTR DS:[EDX],AL
00477F39  |.  8B83 DC020000 MOV EAX,DWORD PTR DS:[EBX+2DC]
00477F3F  |.  E8 20F8FFFF CALL 00477764
00477F44  |.  8B15 88A94800 MOV EDX,DWORD PTR DS:[48A988]          ;  nag.00498CD8
00477F4A  |.  8902       MOV DWORD PTR DS:[EDX],EAX
00477F4C  |.  8B83 EC020000 MOV EAX,DWORD PTR DS:[EBX+2EC]
00477F52  |.  8B10       MOV EDX,DWORD PTR DS:[EAX]
00477F54  |.  FF92 B4000000 CALL DWORD PTR DS:[EDX+B4]
00477F5A  |.  8B15 00A94800 MOV EDX,DWORD PTR DS:[48A900]          ;  nag.0049968D
00477F60  |.  8802       MOV BYTE PTR DS:[EDX],AL
00477F62  |.  8B83 F4020000 MOV EAX,DWORD PTR DS:[EBX+2F4]
00477F68  |.  8B10       MOV EDX,DWORD PTR DS:[EAX]
00477F6A  |.  FF92 B4000000 CALL DWORD PTR DS:[EDX+B4]
00477F70  |.  8B15 C4A94800 MOV EDX,DWORD PTR DS:[48A9C4]          ;  nag.00499697
00477F76  |.  8802       MOV BYTE PTR DS:[EDX],AL
00477F78  |.  E8 0F980000 CALL 0048178C                这个CALL关键CALL进去
00477F7D  |.  8BC3       MOV EAX,EBX
00477F7F  |.  E8 30F5FCFF CALL 004474B4
00477F84  |.  33C0       XOR EAX,EAX
00477F86  |.  5A          POP EDX
00477F87  |.  59          POP ECX
00477F88  |.  59          POP ECX
00477F89  |.  64:8910    MOV DWORD PTR FS:[EAX],EDX
00477F8C  |.  68 A67F4700 PUSH 00477FA6
00477F91  |>  8D45 F0    LEA EAX,DWORD PTR SS:[EBP-10]
00477F94  |.  BA 04000000 MOV EDX,4
00477F99  |.  E8 22BBF8FF CALL 00403AC0
00477F9E  \.  C3          RETN

0048178C  /$  51          PUSH ECX
0048178D  |.  E8 02F3FFFF CALL 00480A94
00481792  |.  A1 50AC4800 MOV EAX,DWORD PTR DS:[48AC50]
00481797  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00481799  |.  E8 4227F8FF CALL 00403EE0
0048179E  |.  E8 D1EDFFFF CALL 00480574
004817A3  |.  B8 E8030000 MOV EAX,3E8
004817A8  |.  E8 7713F8FF CALL 00402B24
004817AD  |.  C1E0 02    SHL EAX,2
004817B0  |.  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  nag1.00498CF4
004817B6  |.  8902       MOV DWORD PTR DS:[EDX],EAX
004817B8  |.  A1 04A94800 MOV EAX,DWORD PTR DS:[48A904]
004817BD  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
004817BF  |.  8B15 D4A64800 MOV EDX,DWORD PTR DS:[48A6D4]          ;  nag1.0049AC78
004817C5  |.  8B12       MOV EDX,DWORD PTR DS:[EDX]
004817C7  |.  8A0402       MOV AL,BYTE PTR DS:[EDX+EAX]
004817CA  |.  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  nag1.00498CF4
004817D0  |.  8B12       MOV EDX,DWORD PTR DS:[EDX]
004817D2  |.  8B0D 3CA74800 MOV ECX,DWORD PTR DS:[48A73C]          ;  nag1.0049AC7C
004817D8  |.  8B09       MOV ECX,DWORD PTR DS:[ECX]
004817DA  |.  3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
004817DD  |.  75 25       JNZ SHORT 00481804             去等级限制的关键跳
004817DF  |.  A1 D8AA4800 MOV EAX,DWORD PTR DS:[48AAD8]
004817E4  |.  8338 02    CMP DWORD PTR DS:[EAX],2
004817E7  |.  7E 0B       JLE SHORT 004817F4
004817E9  |.  A1 D8AA4800 MOV EAX,DWORD PTR DS:[48AAD8]
004817EE  |.  C700 01000000 MOV DWORD PTR DS:[EAX],1
004817F4  |>  A1 00A94800 MOV EAX,DWORD PTR DS:[48A900]
004817F9  |.  C600 00    MOV BYTE PTR DS:[EAX],0
004817FC  |.  A1 18A84800 MOV EAX,DWORD PTR DS:[48A818]
00481801  |.  C600 00    MOV BYTE PTR DS:[EAX],0
00481804  |>  A1 D8AA4800 MOV EAX,DWORD PTR DS:[48AAD8]
00481809  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
0048180B  |.  8B15 70A94800 MOV EDX,DWORD PTR DS:[48A970]          ;  nag1.00498CC4
00481811  |.  8902       MOV DWORD PTR DS:[EDX],EAX
00481813  |.  A1 70AB4800 MOV EAX,DWORD PTR DS:[48AB70]
00481818  |.  C600 00    MOV BYTE PTR DS:[EAX],0
0048181B  |.  A1 94A94800 MOV EAX,DWORD PTR DS:[48A994]
00481820  |.  C600 01    MOV BYTE PTR DS:[EAX],1
00481823  |.  A1 C0BD4900 MOV EAX,DWORD PTR DS:[49BDC0]
00481828  |.  8B80 6C030000 MOV EAX,DWORD PTR DS:[EAX+36C]
0048182E  |.  33D2       XOR EDX,EDX
00481830  |.  E8 43B3FBFF CALL 0043CB78
00481835  |.  A1 40AB4800 MOV EAX,DWORD PTR DS:[48AB40]
0048183A  |.  C600 01    MOV BYTE PTR DS:[EAX],1
0048183D  |.  A1 B8A74800 MOV EAX,DWORD PTR DS:[48A7B8]
00481842  |.  C600 00    MOV BYTE PTR DS:[EAX],0
00481845  |.  A1 5CAC4800 MOV EAX,DWORD PTR DS:[48AC5C]
0048184A  |.  C600 00    MOV BYTE PTR DS:[EAX],0
0048184D  |.  E8 9A200000 CALL 004838EC
00481852  |.  A1 70A94800 MOV EAX,DWORD PTR DS:[48A970]
00481857  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00481859  |.  8B15 A4A64800 MOV EDX,DWORD PTR DS:[48A6A4]          ;  nag1.0048961C
0048185F  |.  8B4482 FC    MOV EAX,DWORD PTR DS:[EDX+EAX*4-4]
00481863  |.  E8 78FCFFFF CALL 004814E0
00481868  |.  E8 E3FCFFFF CALL 00481550
0048186D  |.  A1 A8A74800 MOV EAX,DWORD PTR DS:[48A7A8]
00481872  |.  33D2       XOR EDX,EDX
00481874  |.  8910       MOV DWORD PTR DS:[EAX],EDX
00481876  |.  A1 5CAC4800 MOV EAX,DWORD PTR DS:[48AC5C]
0048187B  |.  8038 00    CMP BYTE PTR DS:[EAX],0
0048187E  |.  74 10       JE SHORT 00481890
00481880  |.  A1 C0BD4900 MOV EAX,DWORD PTR DS:[49BDC0]
00481885  |.  8B80 6C030000 MOV EAX,DWORD PTR DS:[EAX+36C]
0048188B  |.  8B10       MOV EDX,DWORD PTR DS:[EAX]
0048188D  |.  FF52 40    CALL DWORD PTR DS:[EDX+40]
00481890  |>  A1 9CA94800 MOV EAX,DWORD PTR DS:[48A99C]
00481895  |.  C700 6F12833A MOV DWORD PTR DS:[EAX],3A83126F
0048189B  |.  A1 88A94800 MOV EAX,DWORD PTR DS:[48A988]
004818A0  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
004818A2  |.  8B15 88A94800 MOV EDX,DWORD PTR DS:[48A988]          ;  nag1.00498CD8
004818A8  |.  F72A       IMUL DWORD PTR DS:[EDX]
004818AA  |.  8D0440       LEA EAX,DWORD PTR DS:[EAX+EAX*2]
004818AD  |.  890424       MOV DWORD PTR SS:[ESP],EAX
004818B0  |.  DB0424       FILD DWORD PTR SS:[ESP]
004818B3  |.  83C4 FC    ADD ESP,-4
004818B6  |.  D91C24       FSTP DWORD PTR SS:[ESP]                ; /Arg1
004818B9  |.  9B          WAIT                                  ; |
004818BA  |.  33C0       XOR EAX,EAX                            ; |
004818BC  |.  E8 A7D8FFFF CALL 0047F168                         ; \nag1.0047F168
004818C1  |.  A1 58A84800 MOV EAX,DWORD PTR DS:[48A858]
004818C6  |.  33D2       XOR EDX,EDX
004818C8  |.  8910       MOV DWORD PTR DS:[EAX],EDX
004818CA  |.  6A 00       PUSH 0                                  ; /Arg1 = 00000000
004818CC  |.  B8 01000000 MOV EAX,1                               ; |
004818D1  |.  E8 92D8FFFF CALL 0047F168                         ; \nag1.0047F168
004818D6  |.  6A 00       PUSH 0                                  ; /Arg1 = 00000000
004818D8  |.  B8 02000000 MOV EAX,2                               ; |
004818DD  |.  E8 86D8FFFF CALL 0047F168                         ; \nag1.0047F168
004818E2  |.  A1 C0BD4900 MOV EAX,DWORD PTR DS:[49BDC0]
004818E7  |.  8B80 DC020000 MOV EAX,DWORD PTR DS:[EAX+2DC]
004818ED  |.  B2 01       MOV DL,1
004818EF  |.  E8 0C04FDFF CALL 00451D00
004818F4  |.  5A          POP EDX
004818F5  \.  C3          RETN

5.此项功能只在注册版本中可用!
去除点击TIPS弹出对话框，此项功能只在注册版本中可用!
下MessageBoxA断点，断下后返回到
0044A9E5  |.  57          PUSH EDI                               ; |Title
0044A9E6  |.  56          PUSH ESI                               ; |Text
0044A9E7  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]          ; |
0044A9EA  |.  8B40 24    MOV EAX,DWORD PTR DS:[EAX+24]          ; |
0044A9ED  |.  50          PUSH EAX                               ; |hOwner
0044A9EE  |.  E8 15C3FBFF CALL <JMP.&user32.MessageBoxA>          ; \MessageBoxA
0044A9F3  |.  8945 F8    MOV DWORD PTR SS:[EBP-8],EAX
0044A9F6  |.  33C0       XOR EAX,EAX
0044A9F8  |.  5A          POP EDX
0044A9F9  |.  59          POP ECX
0044A9FA  |.  59          POP ECX
0044A9FB  |.  64:8910    MOV DWORD PTR FS:[EAX],EDX
0044A9FE  |.  68 5CAA4400 PUSH 0044AA5C
0044AA03  |>  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
0044AA06  |.  3B45 E8    CMP EAX,DWORD PTR SS:[EBP-18]
0044AA09  |.  74 38       JE SHORT 0044AA43
0044AA0B  |.  6A 1D       PUSH 1D
0044AA0D  |.  6A 00       PUSH 0
0044AA0F  |.  6A 00       PUSH 0
0044AA11  |.  8B4D BC    MOV ECX,DWORD PTR SS:[EBP-44]

单步走

00486CD0 .  55          PUSH EBP
00486CD1 .  8BEC       MOV EBP,ESP
00486CD3 .  6A 00       PUSH 0
00486CD5 .  6A 00       PUSH 0
00486CD7 .  53          PUSH EBX
00486CD8 .  8BD8       MOV EBX,EAX
00486CDA .  33C0       XOR EAX,EAX
00486CDC .  55          PUSH EBP
00486CDD .  68 AB6D4800 PUSH 00486DAB
00486CE2 .  64:FF30    PUSH DWORD PTR FS:[EAX]
00486CE5 .  64:8920    MOV DWORD PTR FS:[EAX],ESP
00486CE8 .  A1 D4A64800 MOV EAX,DWORD PTR DS:[48A6D4]
00486CED .  8B00       MOV EAX,DWORD PTR DS:[EAX]
00486CEF .  8A40 64    MOV AL,BYTE PTR DS:[EAX+64]
00486CF2 .  8B15 3CA74800 MOV EDX,DWORD PTR DS:[48A73C]          ;  NONAGaa.0049AC7C
00486CF8 .  8B12       MOV EDX,DWORD PTR DS:[EDX]
00486CFA .  3A42 64    CMP AL,BYTE PTR DS:[EDX+64]
00486CFD .  75 54       JNZ SHORT 00486D53                JMP  跳过提示注册版功能

00486CFF .  6A 00       PUSH 0
00486D01 .  8D4D FC    LEA ECX,DWORD PTR SS:[EBP-4]
00486D04 .  A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]
00486D09 .  8B00       MOV EAX,DWORD PTR DS:[EAX]
00486D0B .  BA C06D4800 MOV EDX,00486DC0                      ;  ASCII "r12"
00486D10 .  E8 DF88F8FF CALL 0040F5F4
00486D15 .  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
00486D18 .  E8 C3D1F7FF CALL 00403EE0
00486D1D .  50          PUSH EAX
00486D1E .  8D4D F8    LEA ECX,DWORD PTR SS:[EBP-8]
00486D21 .  A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]

其实最简单的方法是：我们从语言文件可是M10：此项功能只在注册版本中可用!
所以我们可以利用查找字符串，从中跳过所有提示：此项功能只在注册版本中可用!的跳转

0047C00B  |.  8B83 E0020000 MOV EAX,DWORD PTR DS:[EBX+2E0]
0047C011  |.  8B10       MOV EDX,DWORD PTR DS:[EAX]
0047C013  |.  FF92 B4000000 CALL DWORD PTR DS:[EDX+B4]
0047C019  |.  84C0       TEST AL,AL
0047C01B  |.  75 5A       JNZ SHORT 0047C077             改成JMP
0047C01D  |.  6A 00       PUSH 0
0047C01F  |.  8D4D FC    LEA ECX,DWORD PTR SS:[EBP-4]
0047C022  |.  A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]
0047C027  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
0047C029  |.  BA A8C04700 MOV EDX,0047C0A8                      ;  r12
0047C02E  |.  E8 C135F9FF CALL 0040F5F4
0047C033  |.  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
0047C036  |.  E8 A57EF8FF CALL 00403EE0
0047C03B  |.  50          PUSH EAX
0047C03C  |.  8D4D F8    LEA ECX,DWORD PTR SS:[EBP-8]
0047C03F  |.  A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]
0047C044  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
0047C046  |.  BA B4C04700 MOV EDX,0047C0B4                      ;  m10
0047C04B  |.  E8 A435F9FF CALL 0040F5F4
0047C050  |.  8B45 F8    MOV EAX,DWORD PTR SS:[EBP-8]
0047C053  |.  E8 887EF8FF CALL 00403EE0
0047C058  |.  8BD0       MOV EDX,EAX
0047C05A  |.  A1 74AA4800 MOV EAX,DWORD PTR DS:[48AA74]
0047C05F  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
0047C061  |.  59          POP ECX
0047C062  |.  E8 A9E8FCFF CALL 0044A910
0047C067  |.  B2 01       MOV DL,1
0047C069  |.  8B83 E0020000 MOV EAX,DWORD PTR DS:[EBX+2E0]
0047C06F  |.  8B08       MOV ECX,DWORD PTR DS:[EAX]
0047C071  |.  FF91 B8000000 CALL DWORD PTR DS:[ECX+B8]
0047C077  |>  33C0       XOR EAX,EAX
0047C079  |.  5A          POP EDX
0047C07A  |.  59          POP ECX
0047C07B  |.  59          POP ECX
0047C07C  |.  64:8910    MOV DWORD PTR FS:[EAX],EDX
0047C07F  |.  68 99C04700 PUSH 0047C099
0047C084  |>  8D45 F8    LEA EAX,DWORD PTR SS:[EBP-8]
0047C087  |.  BA 02000000 MOV EDX,2
0047C08C  |.  E8 2F7AF8FF CALL 00403AC0
0047C091  \.  C3          RETN
00477EB4  |. /74 5A       JE SHORT 00477F10                   JMP
00477EB6  |. |6A 00       PUSH 0
00477EB8  |. |8D4D F4    LEA ECX,DWORD PTR SS:[EBP-C]
00477EBB  |. |A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]
00477EC0  |. |8B00       MOV EAX,DWORD PTR DS:[EAX]
00477EC2  |. |BA B47F4700 MOV EDX,00477FB4                      ;  r12
00477EC7  |. |E8 2877F9FF CALL 0040F5F4
00477ECC  |. |8B45 F4    MOV EAX,DWORD PTR SS:[EBP-C]
00477ECF  |. |E8 0CC0F8FF CALL 00403EE0
00477ED4  |. |50          PUSH EAX
00477ED5  |. |8D4D F0    LEA ECX,DWORD PTR SS:[EBP-10]
00477ED8  |. |A1 60AA4800 MOV EAX,DWORD PTR DS:[48AA60]
00477EDD  |. |8B00       MOV EAX,DWORD PTR DS:[EAX]
00477EDF  |. |BA CC7F4700 MOV EDX,00477FCC                      ;  m10
00477EE4  |. |E8 0B77F9FF CALL 0040F5F4
00477EE9  |. |8B45 F0    MOV EAX,DWORD PTR SS:[EBP-10]
00477EEC  |. |E8 EFBFF8FF CALL 00403EE0
00477EF1  |. |8BD0       MOV EDX,EAX
00477EF3  |. |A1 74AA4800 MOV EAX,DWORD PTR DS:[48AA74]
00477EF8  |. |8B00       MOV EAX,DWORD PTR DS:[EAX]
00477EFA  |. |59          POP ECX
00477EFB  |. |E8 102AFDFF CALL 0044A910
00477F00  |. |33D2       XOR EDX,EDX
00477F02  |. |8B83 EC020000 MOV EAX,DWORD PTR DS:[EBX+2EC]
00477F08  |. |8B08       MOV ECX,DWORD PTR DS:[EAX]
00477F0A  |. |FF91 B8000000 CALL DWORD PTR DS:[ECX+B8]
00477F10  |> \8B83 D0020000 MOV EAX,DWORD PTR DS:[EBX+2D0]
00477F16  |.  8B80 00020000 MOV EAX,DWORD PTR DS:[EAX+200]
00477F1C  |.  40          INC EAX
00477F1D  |.  8B15 D8AA4800 MOV EDX,DWORD PTR DS:[48AAD8]          ;  CrazyTet.00498CE0
00477F23  |.  8902       MOV DWORD PTR DS:[EDX],EAX
00477F25  |.  8B83 D4020000 MOV EAX,DWORD PTR DS:[EBX+2D4]
00477F2B  |.  8A80 00020000 MOV AL,BYTE PTR DS:[EAX+200]
00477F31  |.  8B15 E0A74800 MOV EDX,DWORD PTR DS:[48A7E0]          ;  CrazyTet.00498BE4
00477F37  |.  8802       MOV BYTE PTR DS:[EDX],AL
00477F39  |.  8B83 DC020000 MOV EAX,DWORD PTR DS:[EBX+2DC]
00477F3F  |.  E8 20F8FFFF CALL 00477764
00477F44  |.  8B15 88A94800 MOV EDX,DWORD PTR DS:[48A988]          ;  CrazyTet.00498CD8

6. 在未注册版本中您只能选择前10张脸.

0047C39C 8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ; 等级限制.00498CF4
0047C3A2 8902          MOV DWORD PTR DS:[EDX],EAX
0047C3A4 A1 04A94800    MOV EAX,DWORD PTR DS:[48A904]
0047C3A9 8B00          MOV EAX,DWORD PTR DS:[EAX]
0047C3AB 8B15 D4A64800 MOV EDX,DWORD PTR DS:[48A6D4]          ; 等级限制.0049AC78
0047C3B1 8B12          MOV EDX,DWORD PTR DS:[EDX]
0047C3B3 8A0402       MOV AL,BYTE PTR DS:[EDX+EAX]
0047C3B6 8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ; 等级限制.00498CF4
0047C3BC 8B12          MOV EDX,DWORD PTR DS:[EDX]
0047C3BE 8B0D 3CA74800 MOV ECX,DWORD PTR DS:[48A73C]          ; 等级限制.0049AC7C
0047C3C4 8B09          MOV ECX,DWORD PTR DS:[ECX]
0047C3C6 3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
0047C3C9 75 6B          JNZ SHORT 0047C436             JMP
0047C3CB 8B83 E0020000 MOV EAX,DWORD PTR DS:[EBX+2E0]
0047C3D1 83B8 F4010000 0>CMP DWORD PTR DS:[EAX+1F4],0A
0047C3D8 7E 5C          JLE SHORT 0047C436
0047C3DA 6A 00          PUSH 0
0047C3DC 8D4D FC       LEA ECX,DWORD PTR SS:[EBP-4]
0047C3DF A1 60AA4800    MOV EAX,DWORD PTR DS:[48AA60]
0047C3E4 8B00          MOV EAX,DWORD PTR DS:[EAX]
0047C3E6 BA 90C44700    MOV EDX,0047C490                      ; ASCII "r12"
0047C3EB E8 0432F9FF    CALL 0040F5F4
0047C3F0 8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
0047C3F3 E8 E87AF8FF    CALL 00403EE0
0047C3F8 50             PUSH EAX
0047C3F9 8D4D F8       LEA ECX,DWORD PTR SS:[EBP-8]
0047C3FC A1 60AA4800    MOV EAX,DWORD PTR DS:[48AA60]
0047C401 8B00          MOV EAX,DWORD PTR DS:[EAX]
0047C403 BA 9CC44700    MOV EDX,0047C49C                      ; ASCII "m12"
0047C408 E8 E731F9FF    CALL 0040F5F4
0047C40D 8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
0047C410 E8 CB7AF8FF    CALL 00403EE0
0047C415 8BD0          MOV EDX,EAX
0047C417 A1 74AA4800    MOV EAX,DWORD PTR DS:[48AA74]
0047C41C 8B00          MOV EAX,DWORD PTR DS:[EAX]
0047C41E 59             POP ECX
0047C41F E8 ECE4FCFF    CALL 0044A910
0047C424 BA 06000000    MOV EDX,6
0047C429 8B83 E0020000 MOV EAX,DWORD PTR DS:[EBX+2E0]

7. 您只能保存游戏1次记录

HISCORE.DAT这个是记录文件
我们利用查找字符串找到
超级字符串参考, 项目 933
   地址=0047C91A
   反汇编=MOV ECX,0047CA58
   文本字串=HiScore.dat

来到地址0047C91A
单步走出来

0047888C .  53          PUSH EBX
0047888D .  56          PUSH ESI
0047888E .  57          PUSH EDI
0047888F .  55          PUSH EBP
00478890 .  51          PUSH ECX
00478891 .  8BF8       MOV EDI,EAX
00478893 .  E8 30400000 CALL 0047C8C8
00478898 .  A1 04A94800 MOV EAX,DWORD PTR DS:[48A904]
0047889D .  C700 F2030000 MOV DWORD PTR DS:[EAX],3F2
004788A3 .  A1 04A94800 MOV EAX,DWORD PTR DS:[48A904]
004788A8 .  8B00       MOV EAX,DWORD PTR DS:[EAX]
004788AA .  8B15 D4A64800 MOV EDX,DWORD PTR DS:[48A6D4]          ;  等级限制.0049AC78
004788B0 .  8B12       MOV EDX,DWORD PTR DS:[EDX]
004788B2 .  8A0402       MOV AL,BYTE PTR DS:[EDX+EAX]
004788B5 .  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  等级限制.00498CF4
004788BB .  8B12       MOV EDX,DWORD PTR DS:[EDX]
004788BD .  8B0D 3CA74800 MOV ECX,DWORD PTR DS:[48A73C]          ;  等级限制.0049AC7C
004788C3 .  8B09       MOV ECX,DWORD PTR DS:[ECX]
004788C5 .  3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
004788C8    75 53       JNZ SHORT 0047891D                      ;
改成JMP，就去除了限制
004788CA .  BD 06000000 MOV EBP,6
004788CF .  A1 38A74800 MOV EAX,DWORD PTR DS:[48A738]
004788D4 .  05 84000000 ADD EAX,84
004788D9 .  890424       MOV DWORD PTR SS:[ESP],EAX
004788DC >  BE 09000000 MOV ESI,9
004788E1 .  8B0424       MOV EAX,DWORD PTR SS:[ESP]
004788E4 .  8BD8       MOV EBX,EAX
004788E6 >  56          PUSH ESI
004788E7 .  57          PUSH EDI
004788E8 .  BE A4894700 MOV ESI,004789A4                      ;  ASCII 0E,"<UNREGISTERED>"
004788ED .  8BFB       MOV EDI,EBX
004788EF .  B9 03000000 MOV ECX,3
004788F4 .  F3:A5       REP MOVSD
004788F6 .  66:A5       MOVSW
004788F8 .  A4          MOVSB
004788F9 .  5F          POP EDI
004788FA .  5E          POP ESI
004788FB .  C743 2C 00008>MOV DWORD PTR DS:[EBX+2C],BF800000

8. 去掉图片里面未注册水印
查找字符串UNREGISTERED

运行前：

0048380F    /E9 AD000000                            JMP 004838C1
运行中：
00480465  |.  8B12       MOV EDX,DWORD PTR DS:[EDX]
00480467  |.  8B0D 3CA74800 MOV ECX,DWORD PTR DS:[48A73C]          ;  修改了标.0049AC7C
0048046D  |.  8B09       MOV ECX,DWORD PTR DS:[ECX]
0048046F  |.  3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
00480472  |.  0F85 AC000000 JNZ 00480524                JMP
00480478  |.  A1 40AC4800 MOV EAX,DWORD PTR DS:[48AC40]
0048047D  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
0048047F  |.  E8 94B4F9FF CALL 0041B918
00480484  |.  8BD8       MOV EBX,EAX

00486612  |.  55          PUSH EBP
00486613  |.  68 EC6B4800 PUSH 00486BEC
00486618  |.  64:FF32    PUSH DWORD PTR FS:[EDX]
0048661B  |.  64:8922    MOV DWORD PTR FS:[EDX],ESP
0048661E  |.  8B15 F8A94800 MOV EDX,DWORD PTR DS:[48A9F8]          ;  去水印.00499696
00486624  |.  803A 00    CMP BYTE PTR DS:[EDX],0
00486627    75 00       JNZ SHORT 00486629          不让跳，直接修改成7500
00486629  |.  8B80 AC030000 MOV EAX,DWORD PTR DS:[EAX+3AC]
0048662F  |.  33D2       XOR EDX,EDX
00486631  |.  E8 4265FBFF CALL 0043CB78
00486636  |.  E9 83050000 JMP 00486BBE
0048663B  |>  B8 AA0F0000 MOV EAX,0FAA
00486640  |.  E8 DFC4F7FF CALL 00402B24
00486645  |.  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  去水印.00498CF4
0048664B  |.  8902       MOV DWORD PTR DS:[EDX],EAX
0048664D  |.  A1 04A94800 MOV EAX,DWORD PTR DS:[48A904]
00486652  |.  8B00       MOV EAX,DWORD PTR DS:[EAX]
00486654  |.  8B15 D4A64800 MOV EDX,DWORD PTR DS:[48A6D4]          ;  去水印.0049AC78
0048665A  |.  8B12       MOV EDX,DWORD PTR DS:[EDX]
0048665C  |.  8A0402       MOV AL,BYTE PTR DS:[EDX+EAX]
0048665F  |.  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  去水印.00498CF4
00486665  |.  8B12       MOV EDX,DWORD PTR DS:[EDX]
00486667  |.  8B0D 3CA74800 MOV ECX,DWORD PTR DS:[48A73C]          ;  去水印.0049AC7C
0048666D  |.  8B09       MOV ECX,DWORD PTR DS:[ECX]
0048666F  |.  3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
00486672  |.  75 5B       JNZ SHORT 004866CF

9. 注册信息

还是利用DEDE找到00485A9C B810270000          mov    eax, $00002710

00485A9C .  B8 10270000 MOV EAX,2710
00485AA1 .  E8 7ED0F7FF CALL 00402B24
00485AA6 .  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  CrazyTet.00498CF4
00485AAC .  8902       MOV DWORD PTR DS:[EDX],EAX
00485AAE .  A1 04A94800 MOV EAX,DWORD PTR DS:[48A904]
00485AB3 .  8B00       MOV EAX,DWORD PTR DS:[EAX]
00485AB5 .  8B15 D4A64800 MOV EDX,DWORD PTR DS:[48A6D4]          ;  CrazyTet.0049AC78
00485ABB .  8B12       MOV EDX,DWORD PTR DS:[EDX]
00485ABD .  8A0402       MOV AL,BYTE PTR DS:[EDX+EAX]
00485AC0 .  8B15 04A94800 MOV EDX,DWORD PTR DS:[48A904]          ;  CrazyTet.00498CF4
00485AC6 .  8B12       MOV EDX,DWORD PTR DS:[EDX]
00485AC8 .  8B0D 3CA74800 MOV ECX,DWORD PTR DS:[48A73C]          ;  CrazyTet.0049AC7C
00485ACE .  8B09       MOV ECX,DWORD PTR DS:[ECX]
00485AD0 .  3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
00485AD3 .  74 10       JE SHORT 00485AE5          NOP掉
00485AD5 .  A1 1CAC4800 MOV EAX,DWORD PTR DS:[48AC1C]
00485ADA .  8B00       MOV EAX,DWORD PTR DS:[EAX]
00485ADC .  8B10       MOV EDX,DWORD PTR DS:[EAX]
00485ADE .  FF92 D8000000 CALL DWORD PTR DS:[EDX+D8]             ;  CrazyTet.0044771C
00485AE4 .  C3          RETN
00485AE5 >  A1 D0A64800 MOV EAX,DWORD PTR DS:[48A6D0]
00485AEA .  8B00       MOV EAX,DWORD PTR DS:[EAX]
00485AEC .  8B10       MOV EDX,DWORD PTR DS:[EAX]
00485AEE .  FF92 D8000000 CALL DWORD PTR DS:[EDX+D8]
00485AF4 .  C3          RETN

10. 修改标题未注册标志：

超级字符串参考, 项目 1050
   地址=00481AB7
   反汇编=MOV EDX,00481CE4
   文本字串= (UNREGISTERED)

00481CE6    55                                              PUSH EBP
00481CE7    4E                                              DEC ESI
00481CE8    52                                              PUSH EDX
00481CE9    45                                              INC EBP
00481CEA    47                                              INC EDI
00481CEB    49                                              DEC ECX
00481CEC    53                                              PUSH EBX
00481CED    54                                              PUSH ESP
00481CEE    45                                              INC EBP
00481CEF    52                                              PUSH EDX
00481CF0    45                                              INC EBP
00481CF1    44                                              INC ESP
00481CF2    2900                                           SUB DWORD PTR DS:[EAX],EAX

改成：by:assume
二进制复制进去

62 79 3A 20 61 73 73 75 6D 65 20 29 00 00


--------------------------------------------------------------------------------
【经验总结】
  1.004874F9  |.  74 05       JE SHORT 00487500                      ;  文件名校验，74改成EB

  2.00487914    74 16       JE SHORT 0048792C 此为关键跳，不跳则去除了NAG了

  3.004442C1 .  74 12       JE SHORT 004442D5                   跳过这个CALL。就能去除了NAG

  4.00486CAB    /74 1F       JE SHORT 00486CCC          此就是去掉每日一贴的关键跳了

  5.0047804F    75 69       JNZ SHORT 004780BA                JMP跳过提示只能玩二个等级

  6.00477E12    EB 69       JMP SHORT 00477E7D                   继续跳过弹出的提示框，后继续单步走。

  7.00477EA2    /EB 6C       JMP SHORT 00477F10

  8.004817DD  |.  75 25       JNZ SHORT 00481804

  9.0047C3C9 75 6B          JNZ SHORT 0047C436             JMP

  10.00486CFD    /EB 54       JMP SHORT 00486D53

  11.0047C009    /EB 6C       JMP SHORT 0047C077

  12.004788C8    75 53       JNZ SHORT 0047891D                      ; 改成JMP，就去除了限制

  13.0048380F    /E9 AD000000                            JMP 004838C1

  14.00480472  |.  0F85 AC000000 JNZ 00480524                JMP

  15.00486627    75 00       JNZ SHORT 00486629          不让跳，直接修改成7500

  16.00485AD3 .  74 10       JE SHORT 00485AE5          NOP掉或修改成7400

--------------------------------------------------------------------------------
【版权声明】: 本文为PYG第十期考题文章, 转载请注明作者并保持文章的完整, 谢谢!

                                                   2010年06月28日 PM 03:36:33

如有失误，敬请指出

yayazhi · 发表于 2010-7-11 20:57:00

一.关于脱壳
先忽略内存访问异常和int异常，来到最后一次异常后下GetModuleHandle或GetProcAddress都可以定位到
Magic Jump。
0051C571 81E3 FFFFFF7F and ebx,7FFFFFFF
0051C577 53 push ebx
0051C578 FFB5 5AD34000 push dword ptr ss:[ebp+40D35A]
0051C57E FF95 EABA4000 call dword ptr ss:[ebp+40BAEA] ; kernel32.GetProcAddress
0051C584 40 inc eax
0051C585 48 dec eax
0051C586 75 33 jnz short CrazyTet.0051C5BB
0051C588 58 pop eax
0051C589 F9 stc
0051C58A ^ 0F82 61FDFFFF jb CrazyTet.0051C2F1
0051C590 47 inc edi
0051C591 44 inc esp
0051C3CF /0F84 30010000 je CrazyTet.0051C505
0051C3D5 |80A5 E1CC4000 >and byte ptr ss:[ebp+40CCE1],0FF
0051C3DC |0F84 23010000 je CrazyTet.0051C505 ; magic jump
0051C3E2 |89BD 6AD44000 mov dword ptr ss:[ebp+40D46A],edi
0051C3E8 |8B85 62D44000 mov eax,dword ptr ss:[ebp+40D462]
0051C3EE |40 inc eax
修改跳转后，内存断点就可以到OEP了。
00487420 55 push ebp //OEP
00487421 8BEC mov ebp,esp
00487423 B9 08000000 mov ecx,8
00487428 6A 00 push 0
0048742A 6A 00 push 0
0048742C 49 dec ecx
===================================================
二、关于破解
脱壳后有个文件名的校验，下ExitProcess断点可以定位到。
功能方面的限制我分了两类：一个是关于话框的，一个是关于功能限制的。
1.关于功能限制的有：
游戏参数设置（好几处验证）、标题栏和背景的显示未注册字样、菜单栏的注册按钮。发现功能验证的
特征很相似，所以可以用特征码来定位所有的这些地方。
例如这个是菜单注册的提示
00485AA1 . E8 7ED0F7FF call 00402B24
00485AA6 . 8B15 04A94800 mov edx, dword ptr ds:[48A904] ; CrazyTet.00498CF4
00485AAC . 8902 mov dword ptr ds:[edx], eax
00485AAE . A1 04A94800 mov eax, dword ptr ds:[48A904]
00485AB3 . 8B00 mov eax, dword ptr ds:[eax]
00485AB5 . 8B15 D4A64800 mov edx, dword ptr ds:[48A6D4] ; CrazyTet.0049AC78
00485ABB . 8B12 mov edx, dword ptr ds:[edx]
00485ABD . 8A0402 mov al, byte ptr ds:[edx+eax]
00485AC0 . 8B15 04A94800 mov edx, dword ptr ds:[48A904] ; CrazyTet.00498CF4
00485AC6 . 8B12 mov edx, dword ptr ds:[edx]
00485AC8 . 8B0D 3CA74800 mov ecx, dword ptr ds:[48A73C] ; CrazyTet.0049AC7C
00485ACE . 8B09 mov ecx, dword ptr ds:[ecx]
00485AD0 . 3A0411 cmp al, byte ptr ds:[ecx+edx]
00485AD3 . 74 10 je short 00485AE5 ; 菜单注册的判断
把下面这段当做特征码，二进制复制，Ctrl+B搜索，可以找到14个地方，这些地方都是功能验证的。
00485AA6 . 8B15 04A94800 mov edx, dword ptr ds:[48A904] ; CrazyTet.00498CF4
00485AAC . 8902 mov dword ptr ds:[edx], eax
00485AAE . A1 04A94800 mov eax, dword ptr ds:[48A904]
00485AB3 . 8B00 mov eax, dword ptr ds:[eax]
00485AB5 . 8B15 D4A64800 mov edx, dword ptr ds:[48A6D4] ; CrazyTet.0049AC78
00485ABB . 8B12 mov edx, dword ptr ds:[edx]
00485ABD . 8A0402 mov al, byte ptr ds:[edx+eax]
00485AC0 . 8B15 04A94800 mov edx, dword ptr ds:[48A904] ; CrazyTet.00498CF4
00485AC6 . 8B12 mov edx, dword ptr ds:[edx]
00485AC8 . 8B0D 3CA74800 mov ecx, dword ptr ds:[48A73C] ; CrazyTet.0049AC7C
00485ACE . 8B09 mov ecx, dword ptr ds:[ecx]
00485AD0 . 3A0411 cmp al, byte ptr ds:[ecx+edx]
二进制代码：
8B 15 04 A9 48 00 89 02 A1 04 A9 48 00 8B 00 8B 15 D4 A6 48 00 8B 12 8A 04 02 8B 15 04 A9 48 00
8B 12 8B 0D 3C A7 48 00 8B 09 3A 04 11
2.关于对话框的有：
启动时的未注册提示、启动时的TIPS、关闭时的小NAG。这类窗口可以用ShowWindow或F12暂停来定位。
2.1开始的注册提示框
F12断到这里
00486C58 . 803D 64A64800>cmp byte ptr ds:[48A664], 0 ; 硬件断点找开始赋值的地方
00486C5F . 74 16 je short 00486C77
00486C61 . C605 64A64800>mov byte ptr ds:[48A664], 0
00486C68 . A1 14AA4800 mov eax, dword ptr ds:[48AA14]
00486C6D . 8B00 mov eax, dword ptr ds:[eax]
00486C6F . 8B10 mov edx, dword ptr ds:[eax]
00486C71 . FF92 D8000000 call dword ptr ds:[edx+D8]
00486C77 > C3 retn
0048791B . E8 FCC3F7FF call 00403D1C
00487920 . 2D B4000000 sub eax, 0B4
00487925 . 74 0D je short 00487934
00487927 . 83E8 02 sub eax, 2
0048792A . 74 08 je short 00487934
0048792C . A1 70AC4800 mov eax, dword ptr ds:[48AC70]
00487931 C600 00 mov byte ptr ds:[eax], 1 ; 这个地方要赋值0
F12断下来下面有个SetForegroundWindow，是现实TIP的。
2.2开始的tip提示
00486CAB . /74 1F je short 00486CCC
00486CAD . |A1 FCA94800 mov eax, dword ptr ds:[48A9FC]
00486CB2 . |8B00 mov eax, dword ptr ds:[eax]
00486CB4 . |8B10 mov edx, dword ptr ds:[eax]
00486CB6 . |FF92 D8000000 call dword ptr ds:[edx+D8] ; 开始的TIP提示
00486CBC . |A1 C0BD4900 mov eax, dword ptr ds:[49BDC0]
00486CC1 . |E8 26BAFAFF call 004326EC
00486CC6 . |50 push eax ; /hWnd
00486CC7 . |E8 F400F8FF call <jmp.&user32.SetForegroundWindow> ; \SetForegroundWindow
00486CCC > \C3 retn
其实是这个SetForegroundWindow提醒了我，三个窗口（主窗口TForm1、注册窗口TRegForm、还有Tip的串口）切换，
要设置三个窗口的顺序的。
2.3 F12搞定退出的nag
004442B9 . 66:83B8 7A020>cmp word ptr ds:[eax+27A], 0
004442C1 74 12 je short 004442D5
004442C3 . 8BCA mov ecx, edx
004442C5 . 8BD8 mov ebx, eax
004442C7 . 8BD0 mov edx, eax
004442C9 . 8B83 7C020000 mov eax, dword ptr ds:[ebx+27C]
004442CF . FF93 78020000 call dword ptr ds:[ebx+278] ; 退出的nag
004442D5 > 5B pop ebx
004442D6 . C3 retn

复制代码

zaas · 发表于 2010-7-11 21:03:02

NAG:

00487914  |. /74 16       je    short 0048792C                ;  可疑
00487916  |. |A1 3CBF4900 mov    eax, dword ptr [49BF3C]
0048791B  |. |E8 FCC3F7FF call 00403D1C
00487920  |. |2D B4000000 sub    eax, 0B4
00487925  |. |74 0D       je    short 00487934
00487927  |. |83E8 02    sub    eax, 2
0048792A  |. |74 08       je    short 00487934
0048792C  |> \A1 70AC4800 mov    eax, dword ptr [48AC70]
00487931    C600 01    mov    byte ptr [eax], 1             ;  Nag的全局变量
00487934  |>  8B0D ECAB4800 mov    ecx, dword ptr [48ABEC]       ;  CrazyTet.0049BDC0

TIP:
1
00486C85    8D40 00    lea    eax, dword ptr [eax]
00486C88 .  8B15 14AA4800 mov    edx, dword ptr [48AA14]       ;  CrazyTet.0048C1F8
00486C8E .  8B12       mov    edx, dword ptr [edx]
00486C90 .  807A 47 00 cmp    byte ptr [edx+47], 0
00486C94    75 36       jnz    short 00486CCC
00486C96 .  33D2       xor    edx, edx
00486C98 .  8B80 B8030000 mov    eax, dword ptr [eax+3B8]
00486C9E .  E8 5DB0FCFF call 00451D00
00486CA3 .  A1 F8AA4800 mov    eax, dword ptr [48AAF8]
00486CA8 .  8038 00    cmp    byte ptr [eax], 0
00486CAB    74 1F       je    short 00486CCC                ;  Tip对话框
00486CAD .  A1 FCA94800 mov    eax, dword ptr [48A9FC]
00486CB2 .  8B00       mov    eax, dword ptr [eax]
00486CB4 .  8B10       mov    edx, dword ptr [eax]
00486CB6 .  FF92 D8000000 call dword ptr [edx+D8]
2
0047C006  |.  3A42 64    cmp    al, byte ptr [edx+64]
0047C009    75 6C       jnz    short 0047C077
0047C00B  |.  8B83 E0020000 mov    eax, dword ptr [ebx+2E0]

菜单里的取消tip:
00486CE8 .  A1 D4A64800 mov    eax, dword ptr [48A6D4]
00486CED .  8B00       mov    eax, dword ptr [eax]
00486CEF .  8A40 64    mov    al, byte ptr [eax+64]
00486CF2 .  8B15 3CA74800 mov    edx, dword ptr [48A73C]       ;  CrazyTet.0049AC7C
00486CF8 .  8B12       mov    edx, dword ptr [edx]
00486CFA .  3A42 64    cmp    al, byte ptr [edx+64]
00486CFD    75 54       jnz    short 00486D53                ;  菜单里的取消tip
00486CFF .  6A 00       push 0
00486D01 .  8D4D FC    lea    ecx, dword ptr [ebp-4]

选难度级:
0047804A  |.  8B09       mov    ecx, dword ptr [ecx]
0047804C  |.  3A0411       cmp    al, byte ptr [ecx+edx]
0047804F    75 69       jnz    short 004780BA                ;  选难度级
00478051  |.  8B83 D0020000 mov    eax, dword ptr [ebx+2D0]
00478057  |.  8B80 00020000 mov    eax, dword ptr [eax+200]
0047805D  |.  40          inc    eax
0047805E  |.  83F8 02    cmp    eax, 2
00478061  |.  7E 57       jle    short 004780BA
00478063  |.  6A 00       push 0
00478065  |.  8D4D FC    lea    ecx, dword ptr [ebp-4]
00478068  |.  A1 60AA4800 mov    eax, dword ptr [48AA60]

确定按钮：
1.
00477E0F  |.  3A0411       cmp    al, byte ptr [ecx+edx]
00477E12    75 69       jnz    short 00477E7D                ;  确定按钮
00477E14  |.  8B83 D0020000 mov    eax, dword ptr [ebx+2D0]
00477E1A  |.  8B80 00020000 mov    eax, dword ptr [eax+200]
00477E20  |.  40          inc    eax
00477E21  |.  83F8 02    cmp    eax, 2
00477E24  |.  7E 57       jle    short 00477E7D
00477E26  |.  6A 00       push 0
2
00477E97  |.  8B0D 3CA74800 mov    ecx, dword ptr [48A73C]       ;  CrazyTet.0049AC7C
00477E9D  |.  8B09       mov    ecx, dword ptr [ecx]
00477E9F  |.  3A0411       cmp    al, byte ptr [ecx+edx]
00477EA2    EB 6C       jmp    short 00477F10
00477EA4  |.  8B83 EC020000 mov    eax, dword ptr [ebx+2EC]

未注册：
0048046F  |.  3A0411       cmp    al, byte ptr [ecx+edx]
00480472    0F85 AC000000 jnz    00480524                      ;  unregister
00480478  |.  A1 40AC4800 mov    eax, dword ptr [48AC40]

消一行：
0047F5E3  |.  3A0411       cmp    al, byte ptr [ecx+edx]
0047F5E6    0F85 AC000000 jnz    0047F698
0047F5EC  |.  A1 A0A74800 mov    eax, dword ptr [48A7A0]
0047F5F1  |.  8B00       mov    eax, dword ptr [eax]

启动unregistered水印：
0048380C  |.  3A0411       cmp    al, byte ptr [ecx+edx]
0048380F  |.  0F85 AC000000 jnz    004838C1

标题unregistered：
00481AAD .  3A0411       cmp    al, byte ptr [ecx+edx]
00481AB0 .  75 14       jnz    short 00481AC6                ;  标题unregistered
00481AB2 .  A1 CCA74800 mov    eax, dword ptr [48A7CC]

文件名校验：
004874E8  |.  A1 74A94800 mov    eax, dword ptr [48A974]
004874ED  |.  8B00       mov    eax, dword ptr [eax]          ;  文件名校验？
004874EF  |.  BA 587A4800 mov    edx, 00487A58                   ;  ASCII "CRAZYTET.EXE"
004874F4  |.  E8 33C9F7FF call 00403E2C
004874F9  |.  74 05       je    short 00487500                ;  文件名不对就退出

训练模式：
00478146  |.  8B09       mov    ecx, dword ptr [ecx]
00478148  |.  3A0411       cmp    al, byte ptr [ecx+edx]
0047814B  |.  75 6C       jnz    short 004781B9

开始按钮：
004817D8  |.  8B09       mov    ecx, dword ptr [ecx]
004817DA  |.  3A0411       cmp    al, byte ptr [ecx+edx]
004817DD  |.  75 25       jnz    short 00481804
004817DF  |.  A1 D8AA4800 mov    eax, dword ptr [48AAD8]
004817E4  |.  8338 02    cmp    dword ptr [eax], 2
004817E7  |.  7E 0B       jle    short 004817F4
004817E9  |.  A1 D8AA4800 mov    eax, dword ptr [48AAD8]

启动菜单：
00480E8F  |.  8B09       mov    ecx, dword ptr [ecx]
00480E91  |.  3A0411       cmp    al, byte ptr [ecx+edx]
00480E94  |.  75 05       jnz    short 00480E9B
00480E96  |.  E8 A5FCFFFF call 00480B40
00480E9B  |>  A1 04A94800 mov    eax, dword ptr [48A904]
00480EA0  |.  8B00       mov    eax, dword ptr [eax]
00480EA2  |.  8B15 D4A64800 mov    edx, dword ptr [48A6D4]       ;  CrazyTet.0049AC78
00480EA8  |.  8B12       mov    edx, dword ptr [edx]
00480EAA  |.  8A0402       mov    al, byte ptr [edx+eax]
00480EAD  |.  8B15 04A94800 mov    edx, dword ptr [48A904]       ;  CrazyTet.00498CF4
00480EB3  |.  8B12       mov    edx, dword ptr [edx]
00480EB5  |.  8B0D 3CA74800 mov    ecx, dword ptr [48A73C]       ;  CrazyTet.0049AC7C
00480EBB  |.  8B09       mov    ecx, dword ptr [ecx]
00480EBD  |.  3A0411       cmp    al, byte ptr [ecx+edx]
00480EC0  |.  74 05       je    short 00480EC7
00480EC2  |.  E8 79FCFFFF call 00480B40

已注册：
00485ACE .  8B09       mov    ecx, dword ptr [ecx]
00485AD0 .  3A0411       cmp    al, byte ptr [ecx+edx]
00485AD3 .  74 10       je    short 00485AE5

退出NAg：
004442C1 . /74 12       je    short 004442D5
004442C3 . |8BCA       mov    ecx, edx
004442C5 . |8BD8       mov    ebx, eax
004442C7 . |8BD0       mov    edx, eax
004442C9 . |8B83 7C020000 mov    eax, dword ptr [ebx+27C]
004442CF . |FF93 78020000 call dword ptr [ebx+278]
004442D5 > \5B          pop    ebx

菜单里tip的对号：
1
0047E3F0  |.  A1 F8AA4800 mov    eax, dword ptr [48AAF8]
0047E3F5  |.  0F9400       sete byte ptr [eax]
2
00481C4F .  8B09       mov    ecx, dword ptr [ecx]
00481C51 .  3A5401 01    cmp    dl, byte ptr [ecx+eax+1]       ;  (initial cpu selection)
00481C55    75 08       jnz    short 00481C5F
00481C57 .  A1 F8AA4800 mov    eax, dword ptr [48AAF8]
00481C5C .  C600 01    mov    byte ptr [eax], 1
00481C5F >  8B15 F8AA4800 mov    edx, dword ptr [48AAF8]       ;  CrazyTet.0049AE18

保存游戏记录：
1
0047C3C4  |.  8B09       mov    ecx, dword ptr [ecx]
0047C3C6  |.  3A0411       cmp    al, byte ptr [ecx+edx]
0047C3C9  |.  75 6B       jnz    short 0047C436
0047C3CB  |.  8B83 E0020000 mov    eax, dword ptr [ebx+2E0]
0047C3D1  |.  83B8 F4010000>cmp    dword ptr [eax+1F4], 0A
2
0047C7AC .  8B09       mov    ecx, dword ptr [ecx]
0047C7AE .  3A0411       cmp    al, byte ptr [ecx+edx]
0047C7B1 .  75 13       jnz    short 0047C7C6
3
004788BD .  8B0D 3CA74800 mov    ecx, dword ptr [48A73C]       ;  CrazyTet.0049AC7C
004788C3 .  8B09       mov    ecx, dword ptr [ecx]
004788C5 .  3A0411       cmp    al, byte ptr [ecx+edx]
004788C8 .  75 53       jnz    short 0047891D

game quick load：
0048666D  |.  8B09       mov    ecx, dword ptr [ecx]
0048666F  |.  3A0411       cmp    al, byte ptr [ecx+edx]
00486672  |.  75 5B       jnz    short 004866CF

未知：
1
00478E90  |.  3A0411       cmp    al, byte ptr [ecx+edx]
00478E93  |.  75 6E       jnz    short 00478F03
00478E95  |.  8B83 EC020000 mov    eax, dword ptr [ebx+2EC]
2
0048208E  |.  3A0411       cmp    al, byte ptr [ecx+edx]
00482091  |.  0F85 9E000000 jnz    00482135
00482097  |.  A1 70A94800 mov    eax, dword ptr [48A970]

manbug · 发表于 2010-7-11 21:51:48

第二组 manbug 最后一课分析
软件：Crazy Tetris

首先查壳tElock 0.98b2 -> tE!的壳，由于水平有限，在网上下脱壳脚本脱壳并修复之。
另存为文件名之后，程序不能启动，下ExitProcess断点，通过查看堆栈会来到

004874EF |. BA 587A4800 mov edx, <dword_487A58> ; ASCII "CRAZYTET.EXE"
004874F4 |. E8 33C9F7FF call <System::__linkproc__ LStrCmp(vo>
004874F9 74 05 je short <loc_487500>
004874FB E8 64C4F7FF call <System::__linkproc__ Halt0(void>
00487500 >|> 33C0 xor eax, eax ; loc_487500

复制代码

这里，说明对程序文件名进行了比较，如果改了文件名之后就运行不了，可以直接将

004874F9 74 05 je short <loc_487500>
004874FB E8 64C4F7FF call <System::__linkproc__ Halt0(void>

复制代码

这两段NOP掉，如果不改名的话就不用NOP了

进入正题，直接用OD载入脱壳了的文件，F9运行，会提示未注册，不用管，直接点取消，弹出Tip of the Day窗口，当我们点Show Tips on Start-up时会弹出信息窗口提示此功能只能在注册版本中可用，这就是突破口了，我们暂停OD，查看调用堆栈，会看到最后一行为

调用堆栈：主线程, 条目 19
地址=0012F410
堆栈=0047C067
函数过程 / 参数=? <CRAZYTET.Forms::TApplication::MessageBox(char *,char *,int)>
调用来自=CRAZYTET.TTipsForm@CheckBox1Click+86
结构=0012F40C

双击来到代码处

0047C062 >|. E8 A9E8FCFF call <Forms::TApplication::MessageBox>; forms.TApplication.MessageBox(TApplication;PChar;PChar;Longint):Integer;
0047C067 |. B2 01 mov dl, 1
0047C069 >|. 8B83 E0020000 mov eax, dword ptr [ebx+2E0] ; CheckBox1:TCheckBox
0047C06F |. 8B08 mov ecx, dword ptr [eax]
0047C071 |. FF91 B8000000 call near dword ptr [ecx+B8]

复制代码

向上查找看有没有判断跳转之类的东西，在上面不远处我们会看到

0047BFF4 |. A1 D4A64800 mov eax, dword ptr [<off_48A6D4>]
0047BFF9 |. 8B00 mov eax, dword ptr [eax]
0047BFFB |. 8A40 64 mov al, byte ptr [eax+64]
0047BFFE |. 8B15 3CA74800 mov edx, dword ptr [<off_48A73C>] ; <CRAZYTET.unk_49AC7C>
0047C004 |. 8B12 mov edx, dword ptr [edx]
0047C006 |. 3A42 64 cmp al, byte ptr [edx+64]
0047C009 |. 75 6C jnz short <loc_47C077>
0047C00B >|. 8B83 E0020000 mov eax, dword ptr [ebx+2E0] ; CheckBox1:TCheckBox
0047C011 |. 8B10 mov edx, dword ptr [eax]
0047C013 |. FF92 B4000000 call near dword ptr [edx+B4]
0047C019 |. 84C0 test al, al
0047C01B |. 75 5A jnz short <loc_47C077>
0047C01D |. 6A 00 push 0
0047C01F |. 8D4D FC lea ecx, [local.1]

复制代码

有两个JNZ跳转都是指向同一处，试着从47BFF4开始分析，好像是比较两个内存的值不等则跳过那个提示，可以在

0047C009 |. 75 6C jnz short <loc_47C077>

复制代码

处下断后F9继续运行，再次点击Show Tips on Start-up，会断下来，我们看到jnz不会跳转我们改标志位让其跳转后F9运行，发现没有那个未注册的提示了，说明改对了，
右键

0047BFF4 |. A1 D4A64800 mov eax, dword ptr [<off_48A6D4>]

复制代码

查找参考立地址常量，会发现有很多处直接访问该地址。一一点击进去查看，会发现大多都是暗桩了，怎么办？整理一下思路，程序在开始一定有判断注册和未注册的地方，只要找到这个地方，就不需要一一去修改暗桩了，要不然累死了。
我们通过下面两行

0047BFF4 |. A1 D4A64800 mov eax, dword ptr [<off_48A6D4>]
0047BFFE |. 8B15 3CA74800 mov edx, dword ptr [<off_48A73C>]

复制代码

查找参考地址常量，将所有找出来的地方都下断点，然后OD重新运行程序
跳过两处断点过我们会来到这里

004875DE >|> /B8 02000000 /mov eax, 2 ; loc_4875DE
004875E3 |. |E8 3CB5F7FF |call <System::__linkproc__ RandInt(void)>
004875E8 |. |83F8 01 |cmp eax, 1
004875EB |. |0F94C2 |sete dl
004875EE |. |8B0D D4A64800 |mov ecx, dword ptr [<off_48A6D4>] ; <CRAZYTET.unk_49AC78>
004875F4 |. |8B09 |mov ecx, dword ptr [ecx]
004875F6 |. |881419 |mov byte ptr [ecx+ebx], dl
004875F9 |. |48 |dec eax
004875FA |. |0F94C0 |sete al
004875FD |. |8B15 3CA74800 |mov edx, dword ptr [<off_48A73C>] ; <CRAZYTET.unk_49AC7C>
00487603 |. |8B12 |mov edx, dword ptr [edx]
00487605 |. |88041A |mov byte ptr [edx+ebx], al
00487608 |. |43 |inc ebx
00487609 |. |81FB 11270000 |cmp ebx, 2711
0048760F |.^\75 CD \jnz short <loc_4875DE>

复制代码

这里就是给[[48A6D4]]和[[48A73C]]所指向的内存地址随机的填入0或1，同步填入的，继续F9我们来到

00480D7C > A1 D4A64800 /mov eax, dword ptr [<off_48A6D4>] ; loc_480D7C
00480D81 8B00 |mov eax, dword ptr [eax]
00480D83 8A0430 |mov al, byte ptr [eax+esi]
00480D86 8B15 3CA74800 |mov edx, dword ptr [<off_48A73C>] ; <CRAZYTET.unk_49AC7C>
00480D8C 8B12 |mov edx, dword ptr [edx]
00480D8E 880432 |mov byte ptr [edx+esi], al
00480D91 46 |inc esi
00480D92 81FE 11270000 |cmp esi, 2711
00480D98 ^ 75 E2 \jnz short <loc_480D7C>

复制代码

会发现其实这就是将先前[[48A6D4]]所指的内容复制到[[48A73C]]中，感觉不是多此一举么，我们向上看看会发现是个跳转过来的

00480D54 /75 24 jnz short <loc_480D7A>
00480D56 |. |33F6 xor esi, esi
00480D58 >|> |A1 D4A64800 /mov eax, dword ptr [<off_48A6D4>] ; loc_480D58
00480D5D |. |8B00 |mov eax, dword ptr [eax]
00480D5F |. |8A0430 |mov al, byte ptr [eax+esi]
00480D62 |. |34 01 |xor al, 1
00480D64 |. |8B15 3CA74800 |mov edx, dword ptr [<off_48A73C>] ; <CRAZYTET.unk_49AC7C>
00480D6A |. |8B12 |mov edx, dword ptr [edx]
00480D6C |. |880432 |mov byte ptr [edx+esi], al
00480D6F |. |46 |inc esi
00480D70 |. |81FE 11270000 |cmp esi, 2711
00480D76 |.^|75 E0 \jnz short <loc_480D58>
00480D78 |. |EB 20 jmp short <loc_480D9A>
00480D7A >|> \33F6 xor esi, esi ; loc_480D7A

复制代码

分析一下，上面这段会看到这段是将[[48A6D4]]所指的内容求反后送给[[48A73C]]中，难道这就是我们所要的东西？？
直接将

00480D54 /75 24 jnz short <loc_480D7A>

复制代码

这句NOP掉，再试试，会发现已经注册了，但是开始启动时还是会弹出一个提示窗口提示未注册，说明还有一处桩，记得NISY大说过可以下
bp ShowWindow断点，下好断点后，用OD重新运行，注意堆栈处，经过多次分析当堆栈窗口为

0012E79C 0044727A /CALL 到 ShowWindow 来自 CRAZYTET.00447275
0012E7A0 006A0364 |hWnd = 006A0364 ('Crazy Tetris',class='TForm3',parent=006103FE)

复制代码

当class='TForm3'时说明是那个提示窗口，取消ShowWindow断点后，按Alt+F9来到程序领空

经过无数次F8后我们会来到一处循环，Nisy的讲课里面提到过的

00447861 |> /8B03 /mov eax, dword ptr [ebx]
00447863 |. |E8 BC2D0000 |call 0044A624
00447868 |. |8B03 |mov eax, dword ptr [ebx]
0044786A |. |80B8 8C000000>|cmp byte ptr [eax+8C], 0
00447871 |. |74 0F |je short 00447882
00447873 |. |8B45 FC |mov eax, [local.1]
00447876 |. |C780 34020000>|mov dword ptr [eax+234], 2
00447880 |. |EB 14 |jmp short 00447896
00447882 |> |8B45 FC |mov eax, [local.1]
00447885 |. |83B8 34020000>|cmp dword ptr [eax+234], 0
0044788C |. |74 08 |je short 00447896
0044788E |. |8B45 FC |mov eax, [local.1]
00447891 |. |E8 26FDFFFF |call 004475BC
00447896 |> |8B45 FC |mov eax, [local.1]
00447899 |. |8B80 34020000 |mov eax, dword ptr [eax+234]
0044789F |. |85C0 |test eax, eax
004478A1 |.^\74 BE \je short 00447861

复制代码

我们在

004478A3 |. 8945 F8 mov [local.2], eax

复制代码

下断点，F9直接运行，直接关闭那个提示窗口，OD会断下来，还是F8单步，我们看这段函数返回到哪，还是N次F8后我们来到

00486C58 . 803D 64A64800>cmp byte ptr [48A664], 0
00486C5F . 74 16 je short 00486C77
00486C61 . C605 64A64800>mov byte ptr [48A664], 0
00486C68 . A1 14AA4800 mov eax, dword ptr [48AA14]
00486C6D . 8B00 mov eax, dword ptr [eax]
00486C6F . 8B10 mov edx, dword ptr [eax]
00486C71 . FF92 D8000000 call near dword ptr [edx+D8]
00486C77 > C3 retn

复制代码

我们看看上面有个比较，有个跳转，这就是关键地方了哦，可以直接改je为jne但这方法不是很可靠，

00486C58 . 803D 64A64800>cmp byte ptr [48A664], 0
00486C5F . 74 16 je short 00486C77

复制代码

我们注意一下[48A664]，应该是个全局变量，我们在48a664所指的数据区下硬件访问断点，看是谁访问了这个值，重新运行程序
在下面会发生硬件断点异常

0048792C |> \A1 70AC4800 mov eax, dword ptr [48AC70]
00487931 |. C600 01 mov byte ptr [eax], 1
00487934 |> 8B0D ECAB4800 mov ecx, dword ptr [48ABEC] ; CRAZYTET.0049BDC0

复制代码

可以看到，这是程序初始的时候给[48a664]处付值了，我们只需将 mov byte ptr [eax], 1改为mov byte ptr [eax], 0即可了

到处破解完成
总结一下一共改了三处，实际上是两处，第一处是对文件名判断的修改
1.

004874F9 |. /74 05 je short <loc_487500>
004874FB |. |E8 64C4F7FF call <System::__linkproc__ Halt0(void)>

复制代码

将这两句NOP掉，实际可改文件名字
2.

00480D54 /75 24 jnz short <loc_480D7A>

复制代码

将上面nop 掉，实现内存块内容不一样
3.

00487931 |. C600 01 mov byte ptr [eax], 1

复制代码

将上面改为改为mov byte ptr [eax], 0
就可以了

东沟 · 发表于 2010-7-12 08:04:29

回复 1# Nisy

学习了，我什么都不会

assume · 发表于 2010-7-12 16:31:38

回复 7# manbug

学习了，强悍！

sun50 · 发表于 2010-7-12 17:03:58

【文章标题】: Crazy Tetris考题破文
【文章作者】: sun50
【作者邮箱】: [email protected]
【软件名称】: Crazy Tetris
【加壳方式】: tElock 0.98b2 -> tE!

破解说明：
当时的纪录没了，这是后来重新做的

查壳是tElock的壳，不会脱，直接到看雪下了个脱壳机，脱了壳，发现文件名更改后，程序不能启动，下ExitProcess断点，
找到
004874EF BA 587A4800    MOV EDX,00487A58    ASCII "CRAZYTET.EXE"
004874F4 E8 33C9F7FF    CALL 00403E2C
004874F9 74 05          JE SHORT 00487500    //改成jmp即可改名启动
004874FB E8 64C4F7FF    CALL 00403964

启动有个注册Nag，用F12暂停法，定位到
00486C58 803D 64A64800 0>CMP BYTE PTR DS:[48A664],0
00486C5F 74 16          JE SHORT 00486C77    //改成jmp即可跳过nag
00486C61 C605 64A64800 0>MOV BYTE PTR DS:[48A664],0
00486C68 A1 14AA4800    MOV EAX,DWORD PTR DS:[48AA14]
00486C6D 8B00          MOV EAX,DWORD PTR DS:[EAX]
00486C6F 8B10          MOV EDX,DWORD PTR DS:[EAX]
00486C71 FF92 D8000000 CALL DWORD PTR DS:[EDX+D8]
00486C77 C3             RETN

软件功能限制
经过分析，发现软件判断注册的代码都差不多，用UltraEdit直接替换
FF92B400000084C075
FF92B400000084C0EB

8B093A041175
8B093A0411EB

8B123A426475
8B123A4264EB

8338000F849F000000
83380090e99F000000

3A04110F85AC000000
3A041190e9AC000000

0047C013 FF92 B4000000 CALL DWORD PTR DS:[EDX+B4]
0047C019 84C0          TEST AL,AL
0047C01B 75 5A          JNZ SHORT 0047C077

0047804A 8B09          MOV ECX,DWORD PTR DS:[ECX]
0047804C 3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
0047804F 75 69          JNZ SHORT 004780BA

00478146 8B09          MOV ECX,DWORD PTR DS:[ECX]
00478148 3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
0047814B 75 6C          JNZ SHORT 004781B9

00477E0D 8B09          MOV ECX,DWORD PTR DS:[ECX]
00477E0F 3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
00477E12 75 69          JNZ SHORT 00477E7D

00486CF8 8B12          MOV EDX,DWORD PTR DS:[EDX]
00486CFA 3A42 64       CMP AL,BYTE PTR DS:[EDX+64]
00486CFD 75 54          JNZ SHORT 00486D53

004798B5 837D FC 00    CMP DWORD PTR SS:[EBP-4],0
004798B9 0F84 CF010000 JE 00479A8E

004846E7 8338 00       CMP DWORD PTR DS:[EAX],0
004846EA 0F84 9F000000 JE 0048478F

0048380C 3A0411       CMP AL,BYTE PTR DS:[ECX+EDX]
0048380F 0F85 AC000000 JNZ 004838C1

功能限制大多解除了，只是关闭程序的时候出错了
找到关键改下
004475DF FF92 D0000000 CALL DWORD PTR DS:[EDX+D0]
004475E5 84C0          TEST AL,AL
004475E7 74 26          JE SHORT 0044760F //改成JMP SHORT 00447631

由于水平有限，还有很多没有分析出来。失误之处敬请诸位大侠赐教!

		自动登录	找回密码
密码			加入我们

[活动] 第十轮教学考题交流帖

相关帖子