Atlantis Word Processor 1.6.5.8 patching walkthrough (a foreign program); experts, feel free to skip
This post was last edited by 5598869 on 2012-2-15 23:10.

I am a very green newbie; I can only patch, and my algorithm analysis is far too weak. The first half of this write-up was taken from the 2010 highlights collection; since I could not follow the algorithm analysis, I could only patch the program myself. I hope the experts will not laugh at me..........
Atlantis Word Processor 1.6.5.8 patching walkthrough

First location: search for the string "The registration code you have specified is invalid. Please check that it has been correctly entered. If it still will not work, don't hesitate to contact us for help at support@AtlantisWordProcessor.com" and double-click it to land here:

    00494A8B  E888FB1600      call Atlantis.00604618
    00494A90  837DFC 00       cmp dword ptr ss:,0x0
    00494A94  7517            jnz XAtlantis.00494AAD          // >> key jump: change to JMP
    00494A96  B84C4B4900      mov eax,Atlantis.00494B4C       ; ASCII "Please enter your registration code."
    00494A9B  E844A21400      call Atlantis.005DECE4
    00494AA0  8B869C010000    mov eax,dword ptr ds:
    00494AA6  8B10            mov edx,dword ptr ds:
    00494AA8  FF5268          call dword ptr ds:
    00494AAB  EB45            jmp XAtlantis.00494AF2
    00494AAD  8D55FC          lea edx,dword ptr ss:
    00494AB0  8B869C010000    mov eax,dword ptr ds:
    00494AB6  E85DFB1600      call Atlantis.00604618
    00494ABB  8B45FC          mov eax,dword ptr ss:
    00494ABE  E8F5060000      call Atlantis.004951B8
    00494AC3  84C0            test al,al
    00494AC5  7517            jnz XAtlantis.00494ADE
    00494AC7  B87C4B4900      mov eax,Atlantis.00494B7C       ; ASCII "The registration code you have specified is invalid. Please check that it has been correctly entered. If it still will not work, don't hesitate to contact us for help at support@AtlantisWordProcessor.com"
    00494ACC  E827A21400      call Atlantis.005DECF8
    00494AD1  8B869C010000    mov eax,dword ptr ds:
    00494AD7  8B10            mov edx,dword ptr ds:
    00494AD9  FF5268          call dword ptr ds:
    00494ADC  EB14            jmp XAtlantis.00494AF2
    00494ADE  B8504C4900      mov eax,Atlantis.00494C50       ; ASCII "You have successfully registered your copy of Atlantis. Thank you very much for registering."
    00494AE3  E8FCA11400      call Atlantis.005DECE4
    00494AE8  C78640010000 0> mov dword ptr ds:,0x1
    00494AF2  33C0            xor eax,eax
    00494AF4  5A              pop edx
    00494AF5  59              pop ecx
    00494AF6  59              pop ecx
    00494AF7  64:8910         mov dword ptr fs:,edx
    00494AFA  680F4B4900      push Atlantis.00494B0F
    00494AFF  8D45FC          lea eax,dword ptr ss:
    00494B02  E809E8F6FF      call Atlantis.00403310
    00494B07  C3              retn

Second location: search for the string "Unregistered copy." and double-click it to land here:

    00495525  E89AAFF7FF      call Atlantis.004104C4
    0049552A  A1249D6100      mov eax,dword ptr ds:
    0049552F  833800          cmp dword ptr ds:,0x0
    00495532  7562            jnz XAtlantis.00495596          // >> key jump: change to JMP
    00495534  BAFF000000      mov edx,0xFF
    00495539  8B430C          mov eax,dword ptr ds:
    0049553C  E803AAF7FF      call Atlantis.0040FF44
    00495541  6830564900      push Atlantis.00495630          ; ASCII "Unregistered copy."
    00495546  8D5424 04       lea edx,dword ptr ss:
    0049554A  8BBE94010000    mov edi,dword ptr ds:
    00495550  8BC7            mov eax,edi
    00495552  E841ED1600      call Atlantis.00604298
    00495557  8B4C24 10       mov ecx,dword ptr ss:
    0049555B  8B5728          mov edx,dword ptr ds:
    0049555E  8BC3            mov eax,ebx
    00495560  E82FB5F7FF      call Atlantis.00410A94
    00495565  684C564900      push Atlantis.0049564C          ; ASCII "Please register."
    0049556A  8D5424 04       lea edx,dword ptr ss:
    0049556E  8BBE94010000    mov edi,dword ptr ds:
    00495574  8BC7            mov eax,edi
    00495576  E81DED1600      call Atlantis.00604298
    0049557B  8B6C24 10       mov ebp,dword ptr ss:
    0049557F  8BC3            mov eax,ebx
    00495581  E8F2B6F7FF      call Atlantis.00410C78
    00495586  03E8            add ebp,eax
    00495588  8BCD            mov ecx,ebp
    0049558A  8B5728          mov edx,dword ptr ds:
    0049558D  8BC3            mov eax,ebx
    0049558F  E800B5F7FF      call Atlantis.00410A94
    00495594  EB64            jmp XAtlantis.004955FA
    00495596  6868564900      push Atlantis.00495668          ; ASCII "Registered to:"

Second location, the NAG window: after the program is reopened a NAG window appears; use the "F12 pause, call stack" method to deal with it. Load the program in OD, run it (F9), and the NAG window appears. "Pause" >>> "Alt+K, call stack":

    Address   Stack     Procedure / arguments              Called from          Frame
    0012FF08  77D19418  Includes ntdll.KiFastSystemCallRet USER32.77D19416      0012FF28
    0012FF0C  006022DA  <jmp.&USER32.WaitMessage>          Atlantis.006022D5    0012FF28
    0012FF2C  00601278  Atlantis.006021D8                  Atlantis.00601273    0012FF28
    0012FF6C  005E1C86  ?Atlantis.00601180                 Atlantis.005E1C81    0012FF68
    0012FF78  00494F98  Atlantis.005E1C74                  Atlantis.00494F93    0012FFC0
    0012FF7C  0060C29B  Atlantis.00494F64                  Atlantis.0060C296    0012FFC0

On the last entry, "0060C29B", right-click >>> "Show call" to land here:

    0060C28B  B00F            mov al,0xF
    0060C28D  E876F0FCFF      call Atlantis.005DB308
    0060C292  84C0            test al,al
    0060C294  7558            jnz XAtlantis.0060C2EE          // >> key jump: change to JMP
    0060C296  E8C98CE8FF      call Atlantis.00494F64
    0060C29B  A1249D6100      mov eax,dword ptr ds:
    0060C2A0  833800          cmp dword ptr ds:,0x0
    0060C2A3  7549            jnz XAtlantis.0060C2EE

Third location: a NAG window appears when the program is closed; it is again handled with the "F12 pause, call stack" method. Click the "Close" button and the NAG window appears. "Pause" >>>> "Alt+K, call stack":

    Address   Stack     Procedure / arguments              Called from          Frame
    0012F724  77D19418  Includes ntdll.KiFastSystemCallRet USER32.77D19416      0012F744
    0012F728  006022DA  <jmp.&USER32.WaitMessage>          Atlantis.006022D5    0012F744
    0012F748  00601278  Atlantis.006021D8                  Atlantis.00601273    0012F744
    0012F788  005E1C86  ?Atlantis.00601180                 Atlantis.005E1C81    0012F784
    0012F794  00494F98  Atlantis.005E1C74                  Atlantis.00494F93    0012F84C
    0012F798  004F11D8  Atlantis.00494F64                  Atlantis.004F11D3    0012F84C
    0012F7A4  00601074  Includes Atlantis.004F11D8         Atlantis.0060106E    0012F84C
    0012F7B8  00600F99  Atlantis.0060101C                  Atlantis.00600F94    0012F84C
    0012F7C4  00600B21  Atlantis.00600F78                  Atlantis.00600B1C    0012F84C
    0012F7C8  00604CE3  Atlantis.00402A84                  Atlantis.00604CDE    0012F84C
    0012F7D8  006063A3  Atlantis.00604C3C                  Atlantis.0060639E    0012F84C
    0012F7F8  005FFB9D  Atlantis.00606284                  Atlantis.005FFB98    0012F84C
    0012F808  005E1D05  Atlantis.005FFB2C                  Atlantis.005E1D00    0012F84C
    0012F814  004F45A0  Atlantis.005E1CE8                  Atlantis.004F459B    0012F84C
    0012F820  0060610B  Includes Atlantis.004F45A0         Atlantis.00606108    0012F84C

At 005E1C86, right-click >> "Show call" to land here:

    005E1C7A  FF5018          call dword ptr ds:
    005E1C7D  8BF0            mov esi,eax
    005E1C7F  8BC6            mov eax,esi
    005E1C81  E8FAF40100      call Atlantis.00601180          // >> key CALL: NOP it out
    005E1C86  48              dec eax
    005E1C87  0F94C3          sete bl
    005E1C8A  8BC6            mov eax,esi
    005E1C8C  E8AF0CE2FF      call Atlantis.00402940

Afterword: most software nowadays comes with restart verification, and one of the ways to handle it is the "F12 pause, call stack" method. If there are mistakes, please point them out.
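Every location in the walkthrough above collapses to one conditional jump or one call that is reached by searching for a plaintext message, so a single-byte change defeats the check. From the vendor's side, the usual mitigation is to treat the check routine's own bytes as data that must match a reference digest recorded from the pristine build, so that a patched branch is noticed rather than silently trusted. The example below is added here and is not code from the post or from the Atlantis program: it hashes a constructed stand-in for a check routine (the opcode bytes of the first three instructions of the post's first listing, used only as sample data) and then shows, by trying all of them, that no single-byte modification of that region passes the digest comparison. The FNV-1a digest, the `code_region_intact` check and the sample byte array are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit FNV-1a over an arbitrary byte range. Each step XORs one byte into the
 * state and then multiplies by an odd prime, so for a fixed suffix every step is
 * a bijection on the 64-bit state: two buffers of equal length that differ in
 * exactly one byte can never produce the same digest. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;      /* FNV-1a 64-bit offset basis */
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;               /* FNV-1a 64-bit prime */
    }
    return h;
}

/* Constructed sample region (assumption for this example): the opcode bytes of
 * the first three instructions in the post's first listing, as printed there.
 * Memory operands were lost on the page, so only the bytes are reproduced. */
static const uint8_t kCheckRoutine[] = {
    0x83, 0x7D, 0xFC, 0x00,        /* 837DFC00   cmp dword ptr ss:...,0x0 */
    0x75, 0x17,                    /* 7517       jnz short: the one branch the post patches */
    0xB8, 0x4C, 0x4B, 0x49, 0x00,  /* B84C4B4900 mov eax,offset "Please enter your registration code." */
};

/* Compare a live code region against the digest recorded from the pristine
 * build. Returns 1 when the region is unchanged and 0 when any byte differs. */
int code_region_intact(const uint8_t *region, size_t n, uint64_t reference)
{
    return fnv1a64(region, n) == reference;
}

/* Try every single-byte modification of the sample region and count how many
 * would still pass the digest check. By the bijection argument above the
 * expected count is 0. */
size_t count_undetected_single_byte_patches(void)
{
    uint8_t work[sizeof kCheckRoutine];
    uint64_t reference = fnv1a64(kCheckRoutine, sizeof kCheckRoutine);
    size_t undetected = 0;

    for (size_t pos = 0; pos < sizeof kCheckRoutine; pos++) {
        for (unsigned v = 0; v < 256; v++) {
            if (v == kCheckRoutine[pos])
                continue;                    /* same byte: not a modification */
            memcpy(work, kCheckRoutine, sizeof work);
            work[pos] = (uint8_t)v;
            if (code_region_intact(work, sizeof work, reference))
                undetected++;
        }
    }
    return undetected;
}

int main(void)
{
    uint64_t reference = fnv1a64(kCheckRoutine, sizeof kCheckRoutine);
    printf("reference digest of sample region: %016llx\n",
           (unsigned long long)reference);
    printf("pristine region intact: %d\n",
           code_region_intact(kCheckRoutine, sizeof kCheckRoutine, reference));
    printf("single-byte patches that went undetected: %zu\n",
           count_undetected_single_byte_patches());
    return 0;
}
```

The digest only helps if the reference value is not itself something a patch can rewrite in the same pass (keep it in signed data or derive it from the licensing secret) and if the comparison is performed from several places and at several times (start-up, idle, shutdown) rather than behind one branch, because a check that lives behind a single `jnz` is exactly the shape the post's "key jump" edits remove.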
I'll take the sofa and learn something along the way.

I'd suggest adding code tags~~ something like this.

Learned something, thanks OP!