Photoshop CS5 激活,破解記錄~!更新中文版破解~!
本帖最后由 silly 于 2010-8-18 20:23 编辑

本筆記看著有點迷糊,可以參考我CS4的破解,CS5只記錄了關鍵的位置,和CS4破解對照看會明了些.
傳送門:http://bbs.pediy.com/showthread.php?t=107136
直接跳了2处搞定,没再跟了.对应amtlib.dll v3.0.0.64
/1:
6098C63C C746 0C 01000>mov dword ptr , 1
6098C643 90 nop
6098C644 90 nop
6098C645 90 nop
6098C646 EB 0F jmp short 6098C657
6098C648|.55 push ebp
6098C649|.68 38A5A160 push 60A1A538 ;ASCII "ERROR: Failure %sing Product License!"
6098C64E|.68 B8A6A160 push 60A1A6B8 ;ASCII "%sing"
6098C653|.6A 02 push 2
6098C655|.EB 0D jmp short 6098C664
//2:
6098BEDD 8BC3 mov eax, ebx
6098BEDF E9 AD010000 jmp 6098C091
6098BEE4 90 nop
6098BEE5 83FD 01 cmp ebp, 1
6098BEE8 75 2B jnz short 6098BF15
6098BEEA|.68 E8A1A160 push 60A1A1E8 ;ASCII "Prevalidation finds app not activated.Requiring foreground validate."
6098BEEF|.6A 00 push 0
6098BEF1|.6A 04 push 4
6098BEF3|>68 0863A160 push 60A16308 ;ASCII "AMT"
6098BEF8|.E8 2309FEFF call 6096C820
//amtlib.dll從3MB左右變化到不到1MB,估摸著以前的方法是不管用了,碰碰看了.
//根據以前CS4的破解,故查找"Forcing first launch workflow at product request"
//發現地址為:
65EDDA8B|> \68 14ABF665 push 65F6AB14 ;ASCII "Forcing first launch workflow at product request."
65EDDA90|.EB 05 jmp short 65EDDA97
65EDDA92|>68 C0AAF665 push 65F6AAC0 ;ASCII "Forcing first launch workflow because product is not licensed from previous launch."
65EDDA97|>6A 00 push 0
65EDDA99|.6A 04 push 4
65EDDA9B|.68 0863F665 push 65F66308 ;ASCII "AMT"
65EDDAA0|.E8 7BEDFDFF call 65EBC820
65EDDAA5|.50 push eax
65EDDAA6|.E8 95040200 call 65EFDF40
65EDDAAB|.83C4 14 add esp, 14
65EDDAAE|.6A 00 push 0
65EDDAB0|.8BCE mov ecx, esi
65EDDAB2|.E8 59E9FFFF call 65EDC410 ;按CS4的方法,進這裡
//同樣的一大段就找到了,直接運行PSCS5,發現在這裡斷下:
65EDC410/$ 83EC 0C sub esp, 0C
65EDC413|.55 push ebp
65EDC414|.56 push esi
65EDC415|.57 push edi
65EDC416|.8B7C24 1C mov edi, dword ptr
65EDC41A|.8BF1 mov esi, ecx
65EDC41C|.85FF test edi, edi
65EDC41E|.75 0A jnz short 65EDC42A
65EDC420|.C74424 0C F0A>mov dword ptr , 65F6A6F0 ;ASCII "Obtain"
65EDC428|.EB 15 jmp short 65EDC43F
65EDC42A|>C74424 0C E8A>mov dword ptr , 65F6A6E8 ;ASCII "Validat"
65EDC432|.83FF 02 cmp edi, 2
65EDC435|.74 08 je short 65EDC43F
65EDC437|.C74424 0C DCA>mov dword ptr , 65F6A6DC ;ASCII "PreValidat"
65EDC43F|>8B6C24 0C mov ebp, dword ptr
65EDC443|.55 push ebp
65EDC444|.68 C0A6F665 push 65F6A6C0 ;ASCII "AMT: %sing Product License."
65EDC449|.68 B8A6F665 push 65F6A6B8 ;ASCII "%sing"
65EDC44E|.6A 04 push 4
65EDC450|.68 0863F665 push 65F66308 ;ASCII "AMT"
65EDC455|.E8 C603FEFF call 65EBC820
65EDC45A|.50 push eax
65EDC45B|.E8 E01A0200 call 65EFDF40
65EDC460|.83C4 18 add esp, 18
65EDC463|.807E 5C 00 cmp byte ptr , 0
65EDC467|.74 21 je short 65EDC48A
65EDC469|.68 88A6F665 push 65F6A688 ;ASCII "Launch Workflow already done in this session."
65EDC46E|.6A 00 push 0
65EDC470|.6A 04 push 4
65EDC472|.68 0863F665 push 65F66308 ;ASCII "AMT"
65EDC477|.E8 A403FEFF call 65EBC820
65EDC47C|.50 push eax
65EDC47D|.E8 BE1A0200 call 65EFDF40
65EDC482|.83C4 14 add esp, 14
65EDC485|.E9 A1010000 jmp 65EDC62B
65EDC48A|>83FF 01 cmp edi, 1
65EDC48D|.75 07 jnz short 65EDC496
65EDC48F|.68 58A6F665 push 65F6A658 ;ASCII "Launch Workflow not yet done in this session."
65EDC494|.EB 05 jmp short 65EDC49B
65EDC496|>68 1CA6F665 push 65F6A61C ;ASCII "Launch Workflow not yet done in foreground in this session."
65EDC49B|>6A 00 push 0
65EDC49D|.6A 04 push 4
65EDC49F|.68 0863F665 push 65F66308 ;ASCII "AMT"
65EDC4A4|.E8 7703FEFF call 65EBC820
65EDC4A9|.50 push eax
65EDC4AA|.E8 911A0200 call 65EFDF40
65EDC4AF|.83C4 14 add esp, 14
65EDC4B2|.57 push edi
65EDC4B3|.8BCE mov ecx, esi
65EDC4B5|.E8 66F7FFFF call 65EDBC20 ;這裡需要跟進去
65EDC4BA|.807E 21 00 cmp byte ptr , 0
65EDC4BE|.0F85 09010000 jnz 65EDC5CD
65EDC4C4|.807E 22 00 cmp byte ptr , 0
65EDC4C8|.0F85 FF000000 jnz 65EDC5CD
65EDC4CE|.83FF 01 cmp edi, 1
65EDC4D1|.0F85 F6000000 jnz 65EDC5CD
65EDC4D7|.8B4E 1C mov ecx, dword ptr
65EDC4DA|.E8 B102FEFF call 65EBC790
65EDC4DF|.84C0 test al, al
65EDC4E1|.0F85 E6000000 jnz 65EDC5CD
65EDC4E7|.68 D8A5F665 push 65F6A5D8 ;ASCII "Calling AUM API to create scheduler entry to be used by updater."
65EDC4EC|.6A 00 push 0
65EDC4EE|.6A 04 push 4
65EDC4F0|.68 0863F665 push 65F66308 ;ASCII "AMT"
65EDC4F5|.E8 2603FEFF call 65EBC820
65EDC4FA|.50 push eax
65EDC4FB|.E8 401A0200 call 65EFDF40
65EDC500|.83C4 14 add esp, 14
65EDC503|.E8 58A30200 call 65F06860
65EDC508|.8BE8 mov ebp, eax
65EDC50A|.85ED test ebp, ebp
65EDC50C|.0F84 9F000000 je 65EDC5B1
65EDC512|.8D4424 10 lea eax, dword ptr
65EDC516|.50 push eax
65EDC517|.8DBE 50030000 lea edi, dword ptr
65EDC51D|.57 push edi
65EDC51E|.55 push ebp
65EDC51F|.C707 01000000 mov dword ptr , 1
65EDC525|.C74424 1C 000>mov dword ptr , 0
65EDC52D|.E8 EEA60200 call 65F06C20
65EDC532|.83C4 0C add esp, 0C
65EDC535|.837C24 10 00cmp dword ptr , 0
65EDC53A|.74 4A je short 65EDC586
65EDC53C|.833F 00 cmp dword ptr , 0
65EDC53F|.75 45 jnz short 65EDC586
65EDC541|.8D4C24 14 lea ecx, dword ptr
65EDC545|.51 push ecx
65EDC546|.57 push edi
65EDC547|.55 push ebp
65EDC548|.C74424 20 000>mov dword ptr , 0
65EDC550|.E8 EBA40200 call 65F06A40
65EDC555|.8B17 mov edx, dword ptr
65EDC557|.83C4 0C add esp, 0C
65EDC55A|.52 push edx
65EDC55B|.68 B0A5F665 push 65F6A5B0 ;ASCII "AUM GetLEID called with status =%d."
65EDC560|.6A 00 push 0
65EDC562|.6A 04 push 4
65EDC564|.68 0863F665 push 65F66308 ;ASCII "AMT"
65EDC569|.E8 B202FEFF call 65EBC820
65EDC56E|.50 push eax
65EDC56F|.E8 CC190200 call 65EFDF40
65EDC574|.83C4 18 add esp, 18
65EDC577|.55 push ebp
65EDC578|.E8 031C0200 call 65EFE180
65EDC57D|.8B7C24 20 mov edi, dword ptr
65EDC581|.83C4 04 add esp, 4
65EDC584|.EB 47 jmp short 65EDC5CD
65EDC586|>68 8CA5F665 push 65F6A58C ;ASCII "Updater is not enabled by admin."
65EDC58B|.6A 00 push 0
65EDC58D|.6A 04 push 4
65EDC58F|.68 0863F665 push 65F66308 ;ASCII "AMT"
65EDC594|.E8 8702FEFF call 65EBC820
65EDC599|.50 push eax
65EDC59A|.E8 A1190200 call 65EFDF40
65EDC59F|.83C4 14 add esp, 14
65EDC5A2|.55 push ebp
65EDC5A3|.E8 D81B0200 call 65EFE180
65EDC5A8|.8B7C24 20 mov edi, dword ptr
65EDC5AC|.83C4 04 add esp, 4
65EDC5AF|.EB 1C jmp short 65EDC5CD
65EDC5B1|>68 60A5F665 push 65F6A560 ;ASCII "AUM Service Object failed to get created."
65EDC5B6|.6A 00 push 0
65EDC5B8|.6A 04 push 4
65EDC5BA|.68 0863F665 push 65F66308 ;ASCII "AMT"
65EDC5BF|.E8 5C02FEFF call 65EBC820
65EDC5C4|.50 push eax
65EDC5C5|.E8 76190200 call 65EFDF40
65EDC5CA|.83C4 14 add esp, 14
65EDC5CD|>837E 0C 02 cmp dword ptr , 2
65EDC5D1|.75 3C jnz short 65EDC60F
65EDC5D3|.8B4E 1C mov ecx, dword ptr
65EDC5D6|.E8 F500FEFF call 65EBC6D0
65EDC5DB|.84C0 test al, al
65EDC5DD|.74 30 je short 65EDC60F
65EDC5DF|.8B4E 1C mov ecx, dword ptr
65EDC5E2|.E8 4902FEFF call 65EBC830
65EDC5E7|.84C0 test al, al
65EDC5E9|.74 24 je short 65EDC60F
65EDC5EB|.83FF 02 cmp edi, 2
65EDC5EE|.75 1F jnz short 65EDC60F
65EDC5F0|.57 push edi
65EDC5F1|.8BCE mov ecx, esi
65EDC5F3|.C746 0C 00000>mov dword ptr , 0
65EDC5FA|.E8 A11BFFFF call 65ECE1A0
65EDC5FF|.6A 00 push 0
65EDC601|.E8 FA89FFFF call 65ED5000
65EDC606|.5F pop edi
65EDC607|.5E pop esi
65EDC608|.5D pop ebp
65EDC609|.83C4 0C add esp, 0C
65EDC60C|.C2 0400 retn 4
65EDC60F|>837E 0C 00 cmp dword ptr , 0
65EDC613|.74 12 je short 65EDC627
65EDC615|.6A 00 push 0
65EDC617|.8BCE mov ecx, esi
65EDC619|.E8 E289FFFF call 65ED5000
65EDC61E|.5F pop edi
65EDC61F|.5E pop esi
65EDC620|.5D pop ebp
65EDC621|.83C4 0C add esp, 0C
65EDC624|.C2 0400 retn 4
65EDC627|>8B6C24 0C mov ebp, dword ptr
65EDC62B|>57 push edi
65EDC62C|.8BCE mov ecx, esi
65EDC62E|.E8 0D38FFFF call 65ECFE40
65EDC633|.6A 00 push 0
65EDC635|.8BCE mov ecx, esi
65EDC637|.E8 C489FFFF call 65ED5000
65EDC63C|.8B76 0C mov esi, dword ptr ; mov dword ptr, 1
65EDC63F|.85F6 test esi, esi ; jmp short 65EDC657
65EDC641|.74 14 je short 65EDC657
65EDC643|.83FE 01 cmp esi, 1
65EDC646|.74 0F je short 65EDC657
65EDC648|.55 push ebp
65EDC649|.68 38A5F665 push 65F6A538 ;ASCII "ERROR: Failure %sing Product License!"
65EDC64E|.68 B8A6F665 push 65F6A6B8 ;ASCII "%sing"
65EDC653|.6A 02 push 2
65EDC655|.EB 0D jmp short 65EDC664
65EDC657|>55 push ebp
65EDC658|.68 1CA5F665 push 65F6A51C ;ASCII "AMT: Product License %sed."
65EDC65D|.68 14A5F665 push 65F6A514 ;ASCII "%sed"
65EDC662|.6A 04 push 4
65EDC664|>68 0863F665 push 65F66308 ;ASCII "AMT"
65EDC669|.E8 B201FEFF call 65EBC820
65EDC66E|.50 push eax
65EDC66F|.E8 CC180200 call 65EFDF40
65EDC674|.83C4 18 add esp, 18
65EDC677|.5F pop edi
65EDC678|.5E pop esi
65EDC679|.5D pop ebp
65EDC67A|.83C4 0C add esp, 0C
65EDC67D\.C2 0400 retn 4
// 跟進來後這裡卡死~!
65EDBD64|.6A 01 push 1
65EDBD66|.55 push ebp
65EDBD67|.8BCE mov ecx, esi
65EDBD69|.E8 125BFFFF call 65ED1880
65EDBD6E|.84C0 test al, al
// 往下点根就到这里,看来这里要跳掉:
6530BED8|> \E8 E35CFEFF call 652F1BC0
6530BEDD|.3BC3 cmp eax, ebx;mov eax, ebx
6530BEDF|.0F84 AC010000 je 6530C091;je-> jmp
6530BEE5|.83FD 01 cmp ebp, 1
6530BEE8|.75 2B jnz short 6530BF15
6530BEEA|.68 E8A13965 push 6539A1E8 ;ASCII "Prevalidation finds app not activated.Requiring foreground validate."
6530BEEF|.6A 00 push 0
6530BEF1|.6A 04 push 4
6530BEF3|>68 08633965 push 65396308 ;ASCII "AMT"
6530BEF8|.E8 2309FEFF call 652EC820
6530BEFD|.50 push eax
6530BEFE|.E8 3D200200 call 6532DF40
6530BF03|.83C4 14 add esp, 14
6530BF06|.5F pop edi
6530BF07|.C746 0C 02000>mov dword ptr , 2
6530BF0E|.5E pop esi
6530BF0F|.5D pop ebp
6530BF10|.5B pop ebx
6530BF11|.59 pop ecx
6530BF12|.C2 0400 retn 4
//看来差不多,这里JE一下跳到了沒激活的地方
6530BF15|> \807E 21 00 cmp byte ptr , 0
6530BF19|.74 43 je short 6530BF5E
6530BF1B|.8B4E 1C mov ecx, dword ptr
6530BF1E|.E8 9D5CFEFF call 652F1BC0
6530BF23|.85C0 test eax, eax
6530BF25|.75 07 jnz short 6530BF2E
6530BF27|.68 A8A13965 push 6539A1A8 ;ASCII "Headless: Product is not licensed. Doing silent license check."
6530BF2C|.EB 35 jmp short 6530BF63
6530BF2E|>68 60A13965 push 6539A160 ;ASCII "Headless: Product has a license. Skipping silent license verification."
6530BF33|.6A 00 push 0
6530BF35|.6A 04 push 4
6530BF37|.68 08633965 push 65396308 ;ASCII "AMT"
6530BF3C|.E8 DF08FEFF call 652EC820
6530BF41|.50 push eax
6530BF42|.E8 F91F0200 call 6532DF40
6530BF47|.8B4E 1C mov ecx, dword ptr
6530BF4A|.83C4 14 add esp, 14
6530BF4D|.6A 00 push 0
6530BF4F|.6A 01 push 1
6530BF51|.E8 8AB7FEFF call 652F76E0
6530BF56|.5F pop edi
6530BF57|.5E pop esi
6530BF58|.5D pop ebp
6530BF59|.5B pop ebx
6530BF5A|.59 pop ecx
6530BF5B|.C2 0400 retn 4
//需要看看如何跳到激活的地方:
6530BF5E|> \68 10A13965 push 6539A110 ;ASCII "Product is not activated.Starting ALM launch-time product licensing UI."
6530BF63|>6A 00 push 0
6530BF65|.6A 04 push 4
6530BF67|.68 08633965 push 65396308 ;ASCII "AMT"
6530BF6C|.E8 AF08FEFF call 652EC820
6530BF71|.50 push eax
6530BF72|.E8 C91F0200 call 6532DF40
//修改後卡死在這裡
65EBAE42 .51 push ecx
65EBAE43 .E8 08040400 call 65EFB250
65EBAE48 .E8 83000400 call 65EFAED0 ;這裡斷點
65EBAE4D .8B15 7478F865 mov edx, dword ptr
65EBAE53 .51 push ecx
65EBAE54 .DD1C24 fstp qword ptr
65EBAE57 .68 206FF665 push 65F66F20 ;ASCII "AMTObtainProductLicense took %f ms"
65EBAE5C .68 F467F665 push 65F667F4 ;ASCII "%f"
65EBAE61 .6A 04 push 4
65EBAE63 .68 FC62F665 push 65F662FC ;ASCII "performance"
65EBAE68 .52 push edx
65EBAE69 .E8 D2300400 call 65EFDF40
//關掉OD,直接運行PS,未出現激活窗口,在菜單裏查看到,激活菜單已經為灰色,破解完成~!
//我是幸運的按CS4的方法,拿下了CS5,不過是英文的,我有點迷茫了~!
-By Menting
2010. 05. 06 清晨
補丁在這裡:
漢化補丁:
修正了已經發現的CS4字樣;
有什麼問題,可以跟帖,我抽時間再看看.
貌似可以通过修改host文件+注册码来实现破解啊
天书
本来就是一本天书呵呵
板凳
不错
谢谢分享,不错的东西
貌似过不了验证。。
没看懂...下载下来继续学习ing.....
感谢婷婷分享破解经验,大家看看还有没有问题.
这个不晓得,真假啊。试一试。
不多说了