myBase Desktop 6.35 cracking analysis:
This post was last edited by 冥界3大法王 on 2014-2-21 13:29.
Don't be disappointed if you can't see the images;
download the attachment and open it as an HTML file and it's fine.
In OD, after loading, right-click -> Chinese search engine -> smart search; you can find Invalid license key...
Key indicator B
00510A3E > \68 88A06100 push 0061A088 ;Invalid license key……
After setting a breakpoint with F2, you land here.
Look upward and you can see things like "thank you":
00510720 /0F85 18030000 jnz 00510A3E
00510726 . |57 push edi ; /timer => NULL
00510727 . |FF15 8CDC5B00 call dword ptr [<&MSVCRT.time>] ; \time
0051072D . |8B1D 302A6200 mov ebx, dword ptr
00510733 . |83C4 04 add esp, 0x4
00510736 . |2BC3 sub eax, ebx
00510738 . |894424 0C mov dword ptr , eax
0051073C . |DB4424 0C fild dword ptr
00510740 . |DC0D D8DF5B00 fmul qword ptr
00510746 . |E8 15890700 call <jmp.&MSVCRT._ftol>
0051074B . |B9 1E000000 mov ecx, 0x1E
00510750 . |2BC8 sub ecx, eax
00510752 . |85C9 test ecx, ecx
00510754 |0F8F E4020000 jg 00510A3E
0051075A . |8D4C24 18 lea ecx, dword ptr
0051075E . |E8 D1780700 call <jmp.&MFC42u.#540>
00510763 . |8B5424 10 mov edx, dword ptr
00510767 . |6A 07 push 0x7
00510769 . |52 push edx
0051076A . |8D4424 20 lea eax, dword ptr
0051076E . |68 00A26100 push 0061A200 ;%s+%d
00510773 . |50 push eax
00510774 . |C68424 200100>mov byte ptr , 0xE
0051077C . |E8 E9780700 call <jmp.&MFC42u.#2810>
00510781 . |83C4 10 add esp, 0x10
00510784 . |8D4C24 14 lea ecx, dword ptr
00510788 . |8D5424 18 lea edx, dword ptr
0051078C . |51 push ecx
0051078D . |52 push edx
0051078E . |B9 E0296200 mov ecx, 006229E0 ;P9B
00510793 . |E8 F83BF0FF call 00414390
00510798 . |85C0 test eax, eax
0051079A . |74 1E je short 005107BA
0051079C . |A1 302A6200 mov eax, dword ptr
005107A1 . |C705 442A6200>mov dword ptr , 0x1
005107AB . |05 803A0900 add eax, 0x93A80
005107B0 . |BF 01000000 mov edi, 0x1
005107B5 . |A3 302A6200 mov dword ptr , eax
005107BA > |8D4C24 18 lea ecx, dword ptr
005107BE . |C68424 100100>mov byte ptr , 0xB
005107C6 . |E8 63780700 call <jmp.&MFC42u.#800>
005107CB . |85FF test edi, edi
005107CD |0F84 6B020000 je 00510A3E ; the code is long, but we only care about the parts marked in blue
005107D3 > |8B46 20 mov eax, dword ptr
005107D6 . |6A 00 push 0x0 ; /lParam = 0x0
005107D8 . |6A 00 push 0x0 ; |wParam = 0x0
005107DA . |68 10040000 push 0x410 ; |Message = WM_USER+16.
005107DF . |50 push eax ; |hWnd
005107E0 . |FF15 B8DD5B00 call dword ptr [<&USER32.SendMessageW>; \SendMessageW
005107E6 . |68 BCA16100 push 0061A1BC ;Thank you for your registration.
005107EB . |8D4C24 1C lea ecx, dword ptr
005107EF . |E8 46780700 call <jmp.&MFC42u.#538>
005107F4 . |8D4C24 18 lea ecx, dword ptr
005107F8 . |8D5424 30 lea edx, dword ptr
005107FC . |51 push ecx
005107FD . |68 04AD5C00 push 005CAD04 ;Prompt.Info.RegistrationDone
00510802 . |52 push edx
00510803 . |C68424 1C0100>mov byte ptr , 0xF
0051080B . |E8 F0F3F3FF call 0044FC00
00510810 . |8BF0 mov esi, eax
00510812 . |83C4 08 add esp, 0x8
00510815 . |B3 10 mov bl, 0x10
00510817 . |8BCC mov ecx, esp
00510819 . |896424 24 mov dword ptr , esp
0051081D . |68 78CB6000 push 0060CB78 ;\n
00510822 . |889C24 180100>mov byte ptr , bl
00510829 . |E8 0C780700 call <jmp.&MFC42u.#538>
0051082E . |51 push ecx
0051082F . |C68424 180100>mov byte ptr , 0x11
00510837 . |8BCC mov ecx, esp
00510839 . |896424 34 mov dword ptr , esp
0051083D . |68 BC266200 push 006226BC
00510842 . |E8 F3770700 call <jmp.&MFC42u.#538>
00510847 . |8D4C24 40 lea ecx, dword ptr
0051084B . |889C24 180100>mov byte ptr , bl
00510852 . |E8 C973F0FF call 00417C20
00510857 . |56 push esi
00510858 . |8D4C24 50 lea ecx, dword ptr
0051085C . |C68424 140100>mov byte ptr , 0x12
00510864 . |E8 BF770700 call <jmp.&MFC42u.#535>
00510869 . |8D4C24 30 lea ecx, dword ptr
0051086D . |C68424 100100>mov byte ptr , 0x15
00510875 . |E8 B4770700 call <jmp.&MFC42u.#800>
0051087A . |8D4C24 18 lea ecx, dword ptr
0051087E . |C68424 100100>mov byte ptr , 0x14
00510886 . |E8 A3770700 call <jmp.&MFC42u.#800>
0051088B . |6A 00 push 0x0
0051088D . |8D8C24 800000>lea ecx, dword ptr
00510894 . |E8 F7FBF1FF call 00430490
00510899 . |6A 01 push 0x1
0051089B . |8D4424 50 lea eax, dword ptr
0051089F . |6A 00 push 0x0
005108A1 . |50 push eax
005108A2 . |8D8C24 900000>lea ecx, dword ptr
005108A9 . |C68424 1C0100>mov byte ptr , 0x16
005108B1 . |E8 4A7EF0FF call 00418700
005108B6 . |B3 17 mov bl, 0x17
005108B8 . |68 78CB6000 push 0060CB78 ;\n
005108BD . |8D4C24 10 lea ecx, dword ptr
005108C1 . |889C24 140100>mov byte ptr , bl
005108C8 . |E8 6D770700 call <jmp.&MFC42u.#538>
005108CD . |68 70CB6000 push 0060CB70 ;\n
005108D2 . |8D4C24 20 lea ecx, dword ptr
005108D6 . |C68424 140100>mov byte ptr , 0x18
005108DE . |E8 57770700 call <jmp.&MFC42u.#538>
005108E3 . |8D4C24 1C lea ecx, dword ptr
005108E7 . |8D5424 20 lea edx, dword ptr
005108EB . |51 push ecx
005108EC . |52 push edx
005108ED . |8D8C24 8C0000>lea ecx, dword ptr
005108F4 . |C68424 180100>mov byte ptr , 0x19
005108FC . |E8 1F81F0FF call 00418A20
00510901 . |8D4C24 0C lea ecx, dword ptr
00510905 . |C68424 100100>mov byte ptr , 0x1A
0051090D . |51 push ecx
0051090E . |8BC8 mov ecx, eax
00510910 . |E8 0B80F0FF call 00418920
00510915 . |8D4C24 24 lea ecx, dword ptr
00510919 . |C68424 100100>mov byte ptr , 0x19
00510921 . |E8 08770700 call <jmp.&MFC42u.#800>
00510926 . |8D4C24 1C lea ecx, dword ptr
0051092A . |C68424 100100>mov byte ptr , 0x18
00510932 . |E8 F7760700 call <jmp.&MFC42u.#800>
00510937 . |8D4C24 0C lea ecx, dword ptr
0051093B . |889C24 100100>mov byte ptr , bl
00510942 . |E8 E7760700 call <jmp.&MFC42u.#800>
00510947 . |8D5424 0C lea edx, dword ptr
0051094B . |8D8C24 840000>lea ecx, dword ptr
00510952 . |52 push edx
00510953 . |E8 187EF0FF call 00418770
00510958 . |8D4424 20 lea eax, dword ptr
0051095C . |8D4C24 38 lea ecx, dword ptr
00510960 . |50 push eax
00510961 . |C68424 140100>mov byte ptr , 0x1B
00510969 . |E8 1272F0FF call 00417B80
0051096E . |8BF0 mov esi, eax
00510970 . |8D4C24 0C lea ecx, dword ptr
00510974 . |68 68CB6000 push 0060CB68 ;\n\n
00510979 . |8D5424 30 lea edx, dword ptr
0051097D . |51 push ecx
0051097E . |52 push edx
0051097F . |C68424 1C0100>mov byte ptr , 0x1C
00510987 . |E8 C6760700 call <jmp.&MFC42u.#925>
0051098C . |56 push esi
0051098D . |50 push eax
0051098E . |8D4424 24 lea eax, dword ptr
00510992 . |C68424 180100>mov byte ptr , 0x1D
0051099A . |50 push eax
0051099B . |E8 06770700 call <jmp.&MFC42u.#922>
005109A0 . |8B00 mov eax, dword ptr
005109A2 . |6A 00 push 0x0
005109A4 . |6A 40 push 0x40
005109A6 . |50 push eax
005109A7 . |C68424 1C0100>mov byte ptr , 0x1E
005109AF . |E8 EC760700 call <jmp.&MFC42u.#1197>
005109B4 . |8D4C24 1C lea ecx, dword ptr
005109B8 . |C68424 100100>mov byte ptr , 0x1D
005109C0 . |E8 69760700 call <jmp.&MFC42u.#800>
005109C5 . |8D4C24 2C lea ecx, dword ptr
005109C9 . |C68424 100100>mov byte ptr , 0x1C
005109D1 . |E8 58760700 call <jmp.&MFC42u.#800>
005109D6 . |8D4C24 20 lea ecx, dword ptr
005109DA . |C68424 100100>mov byte ptr , 0x1B
005109E2 . |E8 47760700 call <jmp.&MFC42u.#800>
005109E7 . |8D4C24 0C lea ecx, dword ptr
005109EB . |889C24 100100>mov byte ptr , bl
005109F2 . |E8 37760700 call <jmp.&MFC42u.#800>
005109F7 . |8D8C24 840000>lea ecx, dword ptr
005109FE . |C68424 100100>mov byte ptr , 0x16
00510A06 . |E8 25C1F0FF call 0041CB30
00510A0B . |8D4C24 7C lea ecx, dword ptr
00510A0F . |C68424 100100>mov byte ptr , 0x14
00510A17 . |E8 D4B2F0FF call 0041BCF0
00510A1C . |8D4C24 4C lea ecx, dword ptr
00510A20 . |C68424 100100>mov byte ptr , 0x1F
00510A28 . |E8 01760700 call <jmp.&MFC42u.#800>
00510A2D . |C68424 100100>mov byte ptr , 0xB
00510A35 . |8D4C24 38 lea ecx, dword ptr
00510A39 . |E9 89000000 jmp 00510AC7
00510A3E > \68 88A06100 push 0061A088 ;Invalid license key!\n\nIn case of typos entering key codes, we suggest that you copy/paste license key codes into the edit box in
After setting breakpoints at the places above, start trying: does it break?
00510720 /0F85 18030000 jnz 00510A3E
This one works!
Keep pressing F8.
When we reach this instruction,
00510754 /0F8F E4020000 jg 00510A3E the program jumps to the failure location; of course we can't let it do that~~
NOP it out.
Keep pressing F8.
On reaching 0051079A . /74 1E je short 005107BA it wants to jump toward "thank you"; of course that's fine~~
Keep pressing F8.
005107CD /0F84 6B020000 je 00510A3E at this one it again wants to jump to Invalid license; of course, NOP it.
Keep pressing F8.
005109AF .E8 EC760700 call <jmp.&MFC42u.#1197> here it pops up "Thank you for your registration".
But the bottom-left corner of the window still shows the "unregistered" text.
00510798 .85C0 test eax, eax set an F2 breakpoint here and found it won't break; eax=00000000 at the place above. Start over and set the register to 1 here.
Sure enough, "thank you" succeeds (fake~~), which shows that global eax=1 means the registered version. Key indicator A.
Because the registration data is stored in nyfedit.ini:
App.UserLic.Extended=0
App.UserLic.FirstUseOn=1393039501
App.UserLic.LaunchNum=1
App.UserLic.NagNum=0
App.UserLic.RegKey=123456789012345678901234567890
App.UserLic.RegName=吾爱破解冥王至此
App.UserLic.SecsUsed=31
Combining the above, key indicator A and key indicator B,
we conclude: when you reach key indicator B, find a way to make eax=1 and you've succeeded.
So, start over: 4F0DDC
004F0DD3 E8 B835F2FF call 00414390 ; that return comes straight to the instruction after this one
004F0DD8 .85C0 test eax, eax ----------> the pretty MM lands here
004F0DDA 74 2A je short 004F0E06
004F0DDC .68 B0836100 push 006183B0 ; - Licensed to
Put an F2 breakpoint on 004F0DD3, Ctrl+F2 to restart, and once it breaks, F7 to step into:
====
00414390/$6A FF push -0x1
00414392|.68 4AC55800 push 0058C54A ; SE handler installation
00414397|.64:A1 0000000>mov eax, dword ptr fs:
0041439D|.50 push eax
0041439E|.64:8925 00000>mov dword ptr fs:, esp
004143A5|.83EC 4C sub esp, 0x4C
004143A8|.53 push ebx
004143A9|.56 push esi
004143AA|.8BF1 mov esi, ecx
004143AC|.8D4424 0B lea eax, dword ptr
004143B0|.57 push edi
004143B1|.8D4C24 10 lea ecx, dword ptr
004143B5|.50 push eax
004143B6|.33DB xor ebx, ebx
004143B8|.51 push ecx
004143B9|.6A 01 push 0x1
004143BB|.8D4C24 24 lea ecx, dword ptr
004143BF|.33FF xor edi, edi
004143C1|.895C24 1C mov dword ptr , ebx
004143C5|.E8 A6110000 call 00415570
004143CA|.8B5424 6C mov edx, dword ptr
004143CE|.8D4C24 18 lea ecx, dword ptr
004143D2|.895C24 60 mov dword ptr , ebx
004143D6|.8B02 mov eax, dword ptr
004143D8|.50 push eax
004143D9|.E8 C23C0000 call 004180A0
004143DE|.8D4424 38 lea eax, dword ptr
004143E2|.8D4C24 18 lea ecx, dword ptr
004143E6|.50 push eax
004143E7|.C74424 64 010>mov dword ptr , 0x1
004143EF|.E8 AC3F0000 call 004183A0
004143F4|.8D4C24 18 lea ecx, dword ptr
004143F8|.C64424 60 03mov byte ptr , 0x3
004143FD|.E8 DE4B1200 call 00538FE0
00414402|.8D4C24 0F lea ecx, dword ptr
00414406|.8D5424 14 lea edx, dword ptr
0041440A|.51 push ecx
0041440B|.52 push edx
0041440C|.6A 01 push 0x1
0041440E|.8D4C24 34 lea ecx, dword ptr
00414412|.895C24 20 mov dword ptr , ebx
00414416|.E8 55110000 call 00415570
0041441B|.8B4424 3C mov eax, dword ptr
0041441F|.C64424 60 04mov byte ptr , 0x4
00414424|.3BC3 cmp eax, ebx
00414426|.75 05 jnz short 0041442D
00414428|.A1 A0DB5B00 mov eax, dword ptr [<&MSVCP60.`std::>
0041442D|>50 push eax
0041442E|.8D4C24 2C lea ecx, dword ptr
00414432|.E8 393B0000 call 00417F70
00414437|.8D4424 10 lea eax, dword ptr
0041443B|.8D4C24 28 lea ecx, dword ptr
0041443F|.50 push eax
00414440|.C64424 64 05mov byte ptr , 0x5
00414445|.E8 46650000 call 0041A990
0041444A|.8D4C24 10 lea ecx, dword ptr
0041444E|.C64424 60 06mov byte ptr , 0x6
00414453|.51 push ecx
00414454|.E8 E7000000 call 00414540
00414459|.83C4 04 add esp, 0x4
0041445C|.8D4C24 10 lea ecx, dword ptr
00414460|.85C0 test eax, eax
00414462|.0F944424 6C sete byte ptr
00414467|.C64424 60 05mov byte ptr , 0x5
0041446C|.E8 BD3B1700 call <jmp.&MFC42u.#800>
00414471|.8D4C24 28 lea ecx, dword ptr
00414475|.C64424 60 03mov byte ptr , 0x3
0041447A|.E8 614B1200 call 00538FE0
0041447F|.385C24 6C cmp byte ptr , bl
00414483|.74 77 je short 004144FC
00414485|.8D5424 6C lea edx, dword ptr
00414489|.8D4424 14 lea eax, dword ptr
0041448D|.52 push edx
0041448E|.50 push eax
0041448F|.6A 01 push 0x1
00414491|.8D4C24 34 lea ecx, dword ptr
00414495|.895C24 20 mov dword ptr , ebx
00414499|.E8 D2100000 call 00415570
0041449E|.8B4C24 68 mov ecx, dword ptr
004144A2|.C64424 60 07mov byte ptr , 0x7
004144A7|.8B01 mov eax, dword ptr
004144A9|.8D4C24 28 lea ecx, dword ptr
004144AD|.50 push eax
004144AE|.E8 ED3B0000 call 004180A0
004144B3|.8D5424 48 lea edx, dword ptr
004144B7|.8D4C24 28 lea ecx, dword ptr
004144BB|.52 push edx
004144BC|.C64424 64 08mov byte ptr , 0x8
004144C1|.E8 6A400000 call 00418530
004144C6|.8D4C24 28 lea ecx, dword ptr
004144CA|.C64424 60 0Amov byte ptr , 0xA
004144CF|.E8 0C4B1200 call 00538FE0
004144D4|.8D46 3C lea eax, dword ptr
004144D7|.8D4C24 38 lea ecx, dword ptr
004144DB|.50 push eax
004144DC|.8D5424 4C lea edx, dword ptr
004144E0|.51 push ecx
004144E1|.52 push edx
004144E2|.8BCE mov ecx, esi
004144E4|.E8 37DBFFFF call 00412020
004144E9|.6A 01 push 0x1
004144EB|.8D4C24 4C lea ecx, dword ptr
004144EF|.8BF8 mov edi, eax
004144F1|.C64424 64 03mov byte ptr , 0x3
004144F6|.FF15 98DB5B00 call dword ptr [<&MSVCP60.std::basic_>;msvcp60.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::_Tidy
004144FC|>8B4C24 3C mov ecx, dword ptr
00414500|.3BCB cmp ecx, ebx
00414502|.74 1C je short 00414520
00414504|.8A41 FF mov al, byte ptr
00414507|.3AC3 cmp al, bl
00414509|.74 0B je short 00414516
0041450B|.3C FF cmp al, 0xFF
0041450D|.74 07 je short 00414516
0041450F|.FEC8 dec al
00414511|.8841 FF mov byte ptr , al
00414514|.EB 0A jmp short 00414520
00414516|>49 dec ecx
00414517|.51 push ecx
00414518|.E8 053B1700 call <jmp.&MFC42u.#825>
0041451D|.83C4 04 add esp, 0x4
00414520|>8B4C24 58 mov ecx, dword ptr
00414524|.8BC7 mov eax, edi
00414526|.5F pop edi
00414527|.5E pop esi
00414528|.5B pop ebx
00414529 64:890D 00000>mov dword ptr fs:[0], ecx ; here we can unleash the big move:
mov eax, 1
00414530|.83C4 58 add esp, 0x58
00414533\.C2 0800 retn 0x8
Take a look at the info window: Return to 004F0DD8 (nyfedit.004F0DD8)
004F0DD8 .85C0 test eax, eax ----------> the pretty MM lands here
Anyone who has played TECMO's DOA knows that 004F0DD8 is where the previous segment's counter-move completes, so when the key is wrong you won't break on the CALL above; that's the underlying reason~~
Since this cracking log was written in a notebook app and has too many images,
please download the attachment and view the exported .htm for the high-res photo set of the big MM being cracked~~
Writing up this little thing actually took a whole hour, ugh. If you think it's good, tip a little; I'll post the results report tomorrow.
These two days my skill level has improved a lot; the cracking diary has a pile of new results~~~
The new version of this software can generate CHM project files supported by winchm; then edit or generate the CHM with winchm.
Super convenient, and great for writing assembly logs too. A powerful diary app.
So, to sum up at the end:
modify only this one place,
00414529 64:890D 00000>mov dword ptr fs:[0], ecx ; here we can unleash the big move:
mov eax, 1
and it's KO'd immediately.
Of course, the above is the Sherlock Holmes deduction process~~

This tutorial is really powerful.

Thanks for sharing the crack write-up; respect.

Thanks for sharing.

What if the assignment were put on the instruction just before the RET? OD shows the modification is 4 bytes.

The answer is no: there aren't enough bytes, it would clobber the RET and cause an error.

Nice analysis. Thanks for sharing.

Quoting 吾爱-路人甲 (posted 2014-2-21 13:30): This tutorial is really powerful.
Bump, I'm new here.

Awesome, bump!!!

Thanks for sharing; some parts I still didn't understand.
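The post ends by patching one 7-byte instruction at 00414529 into `mov eax, 1`, and the reply thread asks why the same patch cannot go on the 3-byte `add esp, 0x58` just before the RET. The script below is an added example, not code from the post or from the myBase project: it applies the post's patch to a file on disk instead of in OllyDbg, translating the debugger's virtual address to a file offset through the PE section table, verifying the slot holds the expected bytes first, and refusing any replacement longer than the slot (which is exactly the case the reply raises). The full 7-byte encoding `64 89 0D 00 00 00 00` is reconstructed from the truncated listing and is an assumption, as is the minimal stand-in PE built inline so the example runs without the real nyfedit.exe.

```python
import struct

# Values copied from the OllyDbg listing in the post (nyfedit.exe, myBase Desktop 6.35).
# The full 7-byte encoding of the slot is reconstructed from the truncated listing (assumption).
TARGET_VA = 0x00414529
ORIGINAL = bytes.fromhex("64890D00000000")  # mov dword ptr fs:[0], ecx   (7 bytes)
REPLACEMENT = bytes.fromhex("B801000000")    # mov eax, 1                   (5 bytes)
NEXT_INSN = bytes.fromhex("83C458")          # add esp, 0x58 at 00414530; must survive
NOP = b"\x90"


def patch_fits(slot, replacement):
    """True if the replacement can overwrite the slot without touching the next instruction."""
    return len(replacement) <= len(slot)


def fit_patch(slot, replacement, pad=NOP):
    """Pad the replacement with NOPs to the slot's exact length, or refuse to build it."""
    if not patch_fits(slot, replacement):
        raise ValueError(
            f"replacement is {len(replacement)} bytes but the slot holds {len(slot)}: "
            "the patch would overrun into the following instruction")
    return replacement + pad * (len(slot) - len(replacement))


def pe_sections(data):
    """Return (image_base, [(name, virtual_address, virtual_size, raw_pointer, raw_size), ...])
    from a PE32 image. Only the fields needed for address translation are read."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_hdr_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    image_base, = struct.unpack_from("<I", data, e_lfanew + 24 + 28)  # PE32 ImageBase
    first_section = e_lfanew + 24 + opt_hdr_size
    sections = []
    for i in range(num_sections):
        off = first_section + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(data, va):
    """Translate a virtual address as shown by the debugger to an offset in the file on disk."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for _name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            return raw_ptr + (rva - sva)
    raise ValueError(f"VA {va:#010x} is not backed by any section")


def apply_patch(data, va, slot, replacement):
    """Overwrite `slot` at `va` with the NOP-padded replacement, after checking that the file
    really contains the expected bytes there (wrong build or already patched -> refuse)."""
    off = va_to_file_offset(data, va)
    found = data[off:off + len(slot)]
    if found != slot:
        raise ValueError(f"expected {slot.hex()} at file offset {off:#x}, found {found.hex()}")
    patched = bytearray(data)
    patched[off:off + len(slot)] = fit_patch(slot, replacement)
    return bytes(patched)


def build_sample_pe():
    """Constructed stand-in for nyfedit.exe (NOT the real binary): a minimal PE32 with one
    .text section laid out so the original 7-byte slot sits at TARGET_VA, followed by the
    `add esp, 0x58` from the listing."""
    image_base, text_va, text_raw_ptr = 0x00400000, 0x1000, 0x400
    slot_index = TARGET_VA - image_base - text_va
    text = bytearray(b"\xCC" * (slot_index + len(ORIGINAL) + len(NEXT_INSN)))
    text[slot_index:slot_index + len(ORIGINAL)] = ORIGINAL
    text[slot_index + len(ORIGINAL):] = NEXT_INSN

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    section = (b".text".ljust(8, b"\0") +
               struct.pack("<IIIIIIHHI", len(text), text_va, len(text), text_raw_ptr,
                           0, 0, 0, 0, 0x60000020))
    headers = dos + b"PE\0\0" + coff + opt + section
    return bytes(headers.ljust(text_raw_ptr, b"\0") + text)


if __name__ == "__main__":
    image = build_sample_pe()
    patched = apply_patch(image, TARGET_VA, ORIGINAL, REPLACEMENT)
    off = va_to_file_offset(image, TARGET_VA)
    print(f"file offset {off:#x}: {image[off:off + 10].hex()} -> {patched[off:off + 10].hex()}")
    # The reply's question: can the 3-byte `add esp, 0x58` slot hold `mov eax, 1`? No.
    print("mov eax,1 fits in the add esp slot:", patch_fits(NEXT_INSN, REPLACEMENT))
```

To use it against the real file, read nyfedit.exe with `open(..., "rb")`, call `apply_patch` with the constants above and write the result to a copy. One caveat worth knowing before reusing this slot: the overwritten `mov dword ptr fs:[0], ecx` is the function's SEH frame unlink, so after the patch fs:[0] keeps pointing at this function's stack record once it returns; the post reports the crack works, but a 5-byte-or-wider slot outside the epilogue would be a cleaner home for the forced return value.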