好友
阅读权限20
听众
最后登录1970-1-1
|
QQ朗读器破解方法
查壳为:Borland Delphi 6.0 - 7.0
运行程序显示为 QQ朗读器(未注册)
点注册,输入假码没有任何反映,这个时候OD载入查找字符串也没有任何消息,那就用 C32Asm 查找
然后OD载入,Ctrl+G在 0049b36d和0049b39b下断
0049B36D > \BA 54BC4900 mov edx,qqtalk.0049BC54
0049B372 . A1 14A44A00 mov eax,dword ptr ds:[4AA414]
0049B377 . E8 3C7EFBFF call qqtalk.004531B8
0049B37C . 8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B37F . 8B80 5C040000 mov eax,dword ptr ds:[eax+45C]
0049B385 . B2 01 mov dl,1
0049B387 . E8 D428FAFF call qqtalk.0043DC60
0049B38C > 33C0 xor eax,eax
0049B38E . 5A pop edx
0049B38F . 59 pop ecx
0049B390 . 59 pop ecx
0049B391 . 64:8910 mov dword ptr fs:[eax],edx
0049B394 . EB 29 jmp short qqtalk.0049B3BF
0049B396 .^ E9 6994F6FF jmp qqtalk.00404804
0049B39B . BA 54BC4900 mov edx,qqtalk.0049BC54
分析一下发现
0049B34A . /75 21 jnz short qqtalk.0049B36D 关键跳
0049B34C > |BA 3CBC4900 mov edx,qqtalk.0049BC3C
0049B351 . |A1 14A44A00 mov eax,dword ptr ds:[4AA414]
0049B356 . |E8 5D7EFBFF call qqtalk.004531B8
0049B35B . |8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B35E . |8B80 5C040000 mov eax,dword ptr ds:[eax+45C]
0049B364 . |33D2 xor edx,edx
0049B366 . |E8 F528FAFF call qqtalk.0043DC60
0049B36B . |EB 1F jmp short qqtalk.0049B38C
0049B36D > \BA 54BC4900 mov edx,qqtalk.0049BC54
0049B34A . /75 21 jnz short qqtalk.0049B36D 这个是关键跳转,修改下就OK了,保存之后就没有未注册字样,但注册框还是有。。而且不知道什么原因,运行一次之后破解的就不见了,可能是被系统自动去掉了,~~汗~~
重新OK载入。。。
Ctrl+G来到这里 0049b36d
找断首,F2下段
0049B280 . 55 push ebp
0049B281 . 8BEC mov ebp,esp
0049B283 . B9 10000000 mov ecx,10
0049B288 > 6A 00 push 0
0049B28A . 6A 00 push 0
0049B28C . 49 dec ecx
0049B28D .^ 75 F9 jnz short qqtalk.0049B288
0049B28F . 53 push ebx
0049B290 . 56 push esi
0049B291 . 57 push edi
0049B292 . 8945 EC mov dword ptr ss:[ebp-14],eax
0049B295 . 33C0 xor eax,eax
0049B297 . 55 push ebp
0049B298 . 68 AEBB4900 push qqtalk.0049BBAE
0049B29D . 64:FF30 push dword ptr fs:[eax]
0049B2A0 . 64:8920 mov dword ptr fs:[eax],esp
0049B2A3 E8 0CC8FEFF call qqtalk.00487AB4 问题CALL,我们把这里NOP掉
0049B2A8 . A1 30404A00 mov eax,dword ptr ds:[4A4030]
0049B2AD . C600 2D mov byte ptr ds:[eax],2D
0049B2B0 . A1 10414A00 mov eax,dword ptr ds:[4A4110]
0049B2B5 . BA C4BB4900 mov edx,qqtalk.0049BBC4 ; ASCII "yyyy-mm-dd"
0049B2BA . E8 B99FF6FF call qqtalk.00405278
0049B2BF . A1 68444A00 mov eax,dword ptr ds:[4A4468]
0049B2C4 . BA C4BB4900 mov edx,qqtalk.0049BBC4 ; ASCII "yyyy-mm-dd"
0049B2C9 . E8 AA9FF6FF call qqtalk.00405278
0049B2CE . 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0049B2D1 . BA D8BB4900 mov edx,qqtalk.0049BBD8 ; ASCII "qqtalk"
0049B2D6 . B8 E8BB4900 mov eax,qqtalk.0049BBE8 ; ASCII "mengfeixiang"
0049B2DB . E8 80CEFEFF call qqtalk.00488160
0049B2E0 . 33C0 xor eax,eax
0049B2E2 . 55 push ebp
0049B2E3 . 68 96B34900 push qqtalk.0049B396
0049B2E8 . 64:FF30 push dword ptr fs:[eax]
0049B2EB . 64:8920 mov dword ptr fs:[eax],esp
0049B2EE . 6A 00 push 0
0049B2F0 . 8D45 DC lea eax,dword ptr ss:[ebp-24]
0049B2F3 . 50 push eax
0049B2F4 . B9 00BC4900 mov ecx,qqtalk.0049BC00 ; ASCII "EF1B"
0049B2F9 . BA 10BC4900 mov edx,qqtalk.0049BC10 ; ASCII "95669E30254FD9FC24F642D880006E75"
0049B2FE . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0049B301 E8 4EBFFEFF call qqtalk.00487254 ; 问题CALL,我们把这里NOP掉
0049B306 . 8B45 DC mov eax,dword ptr ss:[ebp-24]
0049B309 . 50 push eax
0049B30A . 8D45 D8 lea eax,dword ptr ss:[ebp-28]
0049B30D . E8 B2CBFEFF call qqtalk.00487EC4
0049B312 . 8B55 D8 mov edx,dword ptr ss:[ebp-28]
0049B315 . 58 pop eax
0049B316 . E8 31A3F6FF call qqtalk.0040564C
0049B31B 74 2F je short qqtalk.0049B34C 这里就是关键跳了
0049B31D . 6A 00 push 0
0049B31F . 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
0049B322 . 50 push eax
0049B323 . B9 00BC4900 mov ecx,qqtalk.0049BC00 ; ASCII "EF1B"
0049B328 . BA 10BC4900 mov edx,qqtalk.0049BC10 ; ASCII "95669E30254FD9FC24F642D880006E75"
0049B32D . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0049B330 . E8 1FBFFEFF call qqtalk.00487254
0049B335 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0049B338 . 50 push eax
0049B339 . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
0049B33C . E8 CFCBFEFF call qqtalk.00487F10
0049B341 . 8B55 D0 mov edx,dword ptr ss:[ebp-30]
0049B344 . 58 pop eax
0049B345 . E8 02A3F6FF call qqtalk.0040564C
0049B34A . 75 21 jnz short qqtalk.0049B36D 跳未注册
0049B34C > BA 3CBC4900 mov edx,qqtalk.0049BC3C
0049B351 . A1 14A44A00 mov eax,dword ptr ds:[4AA414]
0049B356 . E8 5D7EFBFF call qqtalk.004531B8
0049B35B . 8B45 EC mov eax,dword ptr ss:[ebp-14]
0049B35E . 8B80 5C040000 mov eax,dword ptr ds:[eax+45C]
0049B364 . 33D2 xor edx,edx
0049B366 . E8 F528FAFF call qqtalk.0043DC60
0049B36B . EB 1F jmp short qqtalk.0049B38C
0049B36D > BA 54BC4900 mov edx,qqtalk.0049BC54
F8单步走,当走到这个CALL的时候出现问题。。。
0049B2A3 E8 0CC8FEFF call qqtalk.00487AB4 问题CALL,我们把这里NOP掉
0049B301 E8 4EBFFEFF call qqtalk.00487254 走到这里还有个问题CALL,汗!!NOP掉
然后把 0049B31B /EB 2F jmp short qqtalk.0049B34C 这个关键跳修改为 JMP
保存所有修改,运行。。。。就OK了~~呵呵 不过还有点小问题。。汗~~~不知道是不是我电脑的原因,郁闷
[ 本帖最后由 liuxingyuu 于 2009-1-1 11:01 编辑 ] |
|
发表于 2009-1-1 10:57
