QQ朗读器 (QQ Reader) crack walkthrough
Packer check: Borland Delphi 6.0 - 7.0
Running the program shows the title as QQ朗读器(未注册) (unregistered).
Click Register and enter a fake code: nothing happens at all. Loading it in OD and searching for strings turns up nothing either, so use C32Asm to search instead.
http://pic.禁止使用网挣网盘/servlet/ReadFileStream?filename=//zzage/上传分享/2009/1/1/QQ截图未命名1230778598593.JPG
Then load it in OD, press Ctrl+G and set breakpoints at 0049b36d and 0049b39b.
0049B36D > \BA 54BC4900 mov edx,qqtalk.0049BC54
0049B372 .A1 14A44A00 mov eax,dword ptr ds:[4AA414]
0049B377 .E8 3C7EFBFF call qqtalk.004531B8
0049B37C .8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B37F .8B80 5C040000 mov eax,dword ptr ds:[eax+45C]
0049B385 .B2 01 mov dl,1
0049B387 .E8 D428FAFF call qqtalk.0043DC60
0049B38C >33C0 xor eax,eax
0049B38E .5A pop edx
0049B38F .59 pop ecx
0049B390 .59 pop ecx
0049B391 .64:8910 mov dword ptr fs:[eax],edx
0049B394 .EB 29 jmp short qqtalk.0049B3BF
0049B396 .^ E9 6994F6FF jmp qqtalk.00404804
0049B39B .BA 54BC4900 mov edx,qqtalk.0049BC54
A bit of analysis shows:
0049B34A . /75 21 jnz short qqtalk.0049B36D ; key jump
0049B34C > |BA 3CBC4900 mov edx,qqtalk.0049BC3C
0049B351 . |A1 14A44A00 mov eax,dword ptr ds:[4AA414]
0049B356 . |E8 5D7EFBFF call qqtalk.004531B8
0049B35B . |8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B35E . |8B80 5C040000 mov eax,dword ptr ds:[eax+45C]
0049B364 . |33D2 xor edx,edx
0049B366 . |E8 F528FAFF call qqtalk.0043DC60
0049B36B . |EB 1F jmp short qqtalk.0049B38C
0049B36D > \BA 54BC4900 mov edx,qqtalk.0049BC54
0049B34A . /75 21 jnz short qqtalk.0049B36D is the key jump. Change it and you're done; after saving, the "unregistered" text is gone, but the registration box is still there... And for some reason, after running it once the cracked copy vanishes. Maybe the system removes it automatically. ~~sweat~~
Reload it in OD...
Ctrl+G to get here: 0049b36d
Find the start of the function and set a breakpoint with F2.
0049B280 .55 push ebp
0049B281 .8BEC mov ebp,esp
0049B283 .B9 10000000 mov ecx,10
0049B288 >6A 00 push 0
0049B28A .6A 00 push 0
0049B28C .49 dec ecx
0049B28D .^ 75 F9 jnz short qqtalk.0049B288
0049B28F .53 push ebx
0049B290 .56 push esi
0049B291 .57 push edi
0049B292 .8945 EC mov dword ptr ss:[ebp-14],eax
0049B295 .33C0 xor eax,eax
0049B297 .55 push ebp
0049B298 .68 AEBB4900 push qqtalk.0049BBAE
0049B29D .64:FF30 push dword ptr fs:[eax]
0049B2A0 .64:8920 mov dword ptr fs:[eax],esp
0049B2A3 E8 0CC8FEFF call qqtalk.00487AB4 ; problem CALL, we NOP this out
0049B2A8 .A1 30404A00 mov eax,dword ptr ds:[4A4030]
0049B2AD .C600 2D mov byte ptr ds:[eax],2D
0049B2B0 .A1 10414A00 mov eax,dword ptr ds:[4A4110]
0049B2B5 .BA C4BB4900 mov edx,qqtalk.0049BBC4 ;ASCII "yyyy-mm-dd"
0049B2BA .E8 B99FF6FF call qqtalk.00405278
0049B2BF .A1 68444A00 mov eax,dword ptr ds:[4A4468]
0049B2C4 .BA C4BB4900 mov edx,qqtalk.0049BBC4 ;ASCII "yyyy-mm-dd"
0049B2C9 .E8 AA9FF6FF call qqtalk.00405278
0049B2CE .8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0049B2D1 .BA D8BB4900 mov edx,qqtalk.0049BBD8 ;ASCII "qqtalk"
0049B2D6 .B8 E8BB4900 mov eax,qqtalk.0049BBE8 ;ASCII "mengfeixiang"
0049B2DB .E8 80CEFEFF call qqtalk.00488160
0049B2E0 .33C0 xor eax,eax
0049B2E2 .55 push ebp
0049B2E3 .68 96B34900 push qqtalk.0049B396
0049B2E8 .64:FF30 push dword ptr fs:[eax]
0049B2EB .64:8920 mov dword ptr fs:[eax],esp
0049B2EE .6A 00 push 0
0049B2F0 .8D45 DC lea eax,dword ptr ss:[ebp-24]
0049B2F3 .50 push eax
0049B2F4 .B9 00BC4900 mov ecx,qqtalk.0049BC00 ;ASCII "EF1B"
0049B2F9 .BA 10BC4900 mov edx,qqtalk.0049BC10 ;ASCII "95669E30254FD9FC24F642D880006E75"
0049B2FE .8B45 F0 mov eax,dword ptr ss:[ebp-10]
0049B301 E8 4EBFFEFF call qqtalk.00487254 ; problem CALL, we NOP this out
0049B306 .8B45 DC mov eax,dword ptr ss:[ebp-24]
0049B309 .50 push eax
0049B30A .8D45 D8 lea eax,dword ptr ss:[ebp-28]
0049B30D .E8 B2CBFEFF call qqtalk.00487EC4
0049B312 .8B55 D8 mov edx,dword ptr ss:[ebp-28]
0049B315 .58 pop eax
0049B316 .E8 31A3F6FF call qqtalk.0040564C
0049B31B 74 2F je short qqtalk.0049B34C ; this is the key jump
0049B31D .6A 00 push 0
0049B31F .8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0049B322 .50 push eax
0049B323 .B9 00BC4900 mov ecx,qqtalk.0049BC00 ;ASCII "EF1B"
0049B328 .BA 10BC4900 mov edx,qqtalk.0049BC10 ;ASCII "95669E30254FD9FC24F642D880006E75"
0049B32D .8B45 F0 mov eax,dword ptr ss:[ebp-10]
0049B330 .E8 1FBFFEFF call qqtalk.00487254
0049B335 .8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0049B338 .50 push eax
0049B339 .8D45 D0 lea eax,dword ptr ss:[ebp-30]
0049B33C .E8 CFCBFEFF call qqtalk.00487F10
0049B341 .8B55 D0 mov edx,dword ptr ss:[ebp-30]
0049B344 .58 pop eax
0049B345 .E8 02A3F6FF call qqtalk.0040564C
0049B34A .75 21 jnz short qqtalk.0049B36D ; jumps to unregistered
0049B34C >BA 3CBC4900 mov edx,qqtalk.0049BC3C
0049B351 .A1 14A44A00 mov eax,dword ptr ds:[4AA414]
0049B356 .E8 5D7EFBFF call qqtalk.004531B8
0049B35B .8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B35E .8B80 5C040000 mov eax,dword ptr ds:[eax+45C]
0049B364 .33D2 xor edx,edx
0049B366 .E8 F528FAFF call qqtalk.0043DC60
0049B36B .EB 1F jmp short qqtalk.0049B38C
0049B36D >BA 54BC4900 mov edx,qqtalk.0049BC54
Step through with F8; when you reach this CALL the problem appears...
0049B2A3 E8 0CC8FEFF call qqtalk.00487AB4 ; problem CALL, we NOP this out
0049B301 E8 4EBFFEFF call qqtalk.00487254 ; reaching here there is another problem CALL, sweat!! NOP it out
Then change this key jump to JMP: 0049B31B EB 2F jmp short qqtalk.0049B34C
Save all changes and run.... it's OK~~ hehe, though there are still a few small issues.. sweat~~~ not sure whether it's my computer, annoying.
[ This post was last edited by liuxingyuu on 2009-1-1 11:01 ]
Uh~~
Supporting this~~
So that's what the deletion is about`~
Thanks~~
That deletion should count as a kind of protection mechanism too
Self-destruct mode~~~
So that's how it works, no wonder....
Don't think I've seen this one, downloading to take a look
Thanks to the OP for sharing
Simple and clear..
Nice work`nice work`nice work`nice work`nice work`
Thanks to the OP for sharing.
Patching isn't the ultimate solution. Doing a perfect crack is a real art.
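As an added example, not code from the thread or from the QQ朗读器 program, the following Python sketches the kind of integrity self-check the replies above describe as a "protection mechanism": take a digest of the protected code region at build time, recompute it at startup, and treat any mismatch as tampering. Every byte, offset and instruction length here is constructed for the example; the sample region only mimics the call / je short / push 0 / lea shape of the listing, and the instruction-length table is an assumption used by the diagnostic helper.

```python
import hashlib
import hmac

# Constructed sample "code region" (not bytes taken from the real binary): a
# compare-then-branch sequence shaped like the one in the post.
ORIGINAL_CODE = bytes.fromhex(
    "E802A3F6FF"   # call  rel32
    "742F"         # je    short  (0x74 is the conditional-jump opcode)
    "6A00"         # push  0
    "8D45D4"       # lea   eax,[ebp-2C]
)

# Assumed instruction boundaries of the sample region, used only for diagnostics.
INSTRUCTION_LENGTHS = [5, 2, 2, 3]

# Reference digest of the region as shipped. A real build would embed this value
# (or a MAC of it under a build-time key) in the executable.
REFERENCE_DIGEST = hashlib.sha256(ORIGINAL_CODE).digest()


def code_digest(code: bytes) -> bytes:
    """SHA-256 over the protected code region."""
    return hashlib.sha256(code).digest()


def is_tampered(code: bytes, reference: bytes = REFERENCE_DIGEST) -> bool:
    """True when the region no longer matches the reference digest.

    compare_digest is used so the comparison time does not depend on where
    the digests first differ.
    """
    return not hmac.compare_digest(code_digest(code), reference)


def modified_offsets(original: bytes, candidate: bytes) -> list:
    """Byte offsets that differ between two copies of the region (for logging)."""
    if len(original) != len(candidate):
        return [min(len(original), len(candidate))]
    return [i for i, (a, b) in enumerate(zip(original, candidate)) if a != b]


def instruction_index(offset: int, lengths=INSTRUCTION_LENGTHS) -> int:
    """Index of the instruction that contains byte `offset`, per the assumed table."""
    start = 0
    for idx, length in enumerate(lengths):
        if start <= offset < start + length:
            return idx
        start += length
    raise ValueError("offset outside the protected region")


def simulate_byte_patch(code: bytes, offset: int, value: int) -> bytes:
    """Return a copy of `code` with one byte replaced; used here only to exercise the detector."""
    patched = bytearray(code)
    patched[offset] = value
    return bytes(patched)


if __name__ == "__main__":
    # A one-byte change of the conditional-jump opcode is exactly the kind of edit
    # the startup check must notice.
    patched = simulate_byte_patch(ORIGINAL_CODE, 5, 0xEB)
    print("original tampered?", is_tampered(ORIGINAL_CODE))
    print("patched tampered? ", is_tampered(patched))
    for off in modified_offsets(ORIGINAL_CODE, patched):
        print(f"byte {off} changed, inside instruction #{instruction_index(off)}")
```

Design note: a digest check of this kind catches a single changed opcode at the next launch, which is consistent with the "copy disappears after one run" behaviour the thread reports, but it lives in the same image it protects, so it raises the cost of tampering rather than ruling it out; a keyed MAC or a check performed outside the process only moves the same problem.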