本帖最后由 冥界3大法王 于 2014-2-21 13:29 编辑
myBase Desktop 6.35 破解分析:
帖内的图片引用的是作者本机的 file:/// 路径,在网页上无法显示,请不要失望。
请下载下面的附件,解压后用浏览器打开其中的 .htm 文件即可看到截图。(附件来自第三方,建议先查毒、在隔离环境中解压查看。)
Desktop.rar
(553.17 KB, 下载次数: 115)
[图 1:img1.jpg —— 本地路径引用,网页上无法显示,见附件]
[图 2:img2.jpg —— 本地路径引用,网页上无法显示,见附件]
用 OllyDbg 载入 nyfedit.exe 后,在反汇编窗口右键 → 中文搜索引擎 → 智能搜索,可以找到字符串 "Invalid license key……"(即下面 00510A3E 处 push 的 0061A088)。
[图 3:img3.jpg —— 本地路径引用,网页上无法显示,见附件]
[图 4:img4.jpg —— 本地路径引用,网页上无法显示,见附件] 下面这段就是“重要指标之 B”(注册对话框里成功 / 失败分支所在的函数):
00510A3E > \68 88A06100 push 0061A088 ; Invalid license key……
在 00510A3E 处按 F2 下断,输入任意注册码后程序会断在这里。
从这里往上翻,可以看到 "Thank you for your registration." 字符串(005107E6),说明成功分支和失败分支在同一个函数里,中间只隔着几个条件跳转。
00510720 /0F85 18030000 jnz 00510A3E
00510726 . |57 push edi ; /timer => NULL
00510727 . |FF15 8CDC5B00 call dword ptr [<&MSVCRT.time>] ; \time
0051072D . |8B1D 302A6200 mov ebx, dword ptr [0x622A30]
00510733 . |83C4 04 add esp, 0x4
00510736 . |2BC3 sub eax, ebx
00510738 . |894424 0C mov dword ptr [esp+0xC], eax
0051073C . |DB4424 0C fild dword ptr [esp+0xC]
00510740 . |DC0D D8DF5B00 fmul qword ptr [0x5BDFD8]
00510746 . |E8 15890700 call <jmp.&MSVCRT._ftol>
0051074B . |B9 1E000000 mov ecx, 0x1E
00510750 . |2BC8 sub ecx, eax
00510752 . |85C9 test ecx, ecx
00510754 |0F8F E4020000 jg 00510A3E
0051075A . |8D4C24 18 lea ecx, dword ptr [esp+0x18]
0051075E . |E8 D1780700 call <jmp.&MFC42u.#540>
00510763 . |8B5424 10 mov edx, dword ptr [esp+0x10]
00510767 . |6A 07 push 0x7
00510769 . |52 push edx
0051076A . |8D4424 20 lea eax, dword ptr [esp+0x20]
0051076E . |68 00A26100 push 0061A200 ; %s+%d
00510773 . |50 push eax
00510774 . |C68424 200100>mov byte ptr [esp+0x120], 0xE
0051077C . |E8 E9780700 call <jmp.&MFC42u.#2810>
00510781 . |83C4 10 add esp, 0x10
00510784 . |8D4C24 14 lea ecx, dword ptr [esp+0x14]
00510788 . |8D5424 18 lea edx, dword ptr [esp+0x18]
0051078C . |51 push ecx
0051078D . |52 push edx
0051078E . |B9 E0296200 mov ecx, 006229E0 ; P9B
00510793 . |E8 F83BF0FF call 00414390
00510798 . |85C0 test eax, eax
0051079A . |74 1E je short 005107BA
0051079C . |A1 302A6200 mov eax, dword ptr [0x622A30]
005107A1 . |C705 442A6200>mov dword ptr [0x622A44], 0x1
005107AB . |05 803A0900 add eax, 0x93A80
005107B0 . |BF 01000000 mov edi, 0x1
005107B5 . |A3 302A6200 mov dword ptr [0x622A30], eax
005107BA > |8D4C24 18 lea ecx, dword ptr [esp+0x18]
005107BE . |C68424 100100>mov byte ptr [esp+0x110], 0xB
005107C6 . |E8 63780700 call <jmp.&MFC42u.#800>
005107CB . |85FF test edi, edi
005107CD |0F84 6B020000 je 00510A3E (代码较长,但我们只关心标蓝的这几个条件跳转:00510720 jnz、00510754 jg、0051079A je、005107CD je)
005107D3 > |8B46 20 mov eax, dword ptr [esi+0x20]
005107D6 . |6A 00 push 0x0 ; /lParam = 0x0
005107D8 . |6A 00 push 0x0 ; |wParam = 0x0
005107DA . |68 10040000 push 0x410 ; |Message = WM_USER+16.
005107DF . |50 push eax ; |hWnd
005107E0 . |FF15 B8DD5B00 call dword ptr [<&USER32.SendMessageW>; \SendMessageW
005107E6 . |68 BCA16100 push 0061A1BC ; Thank you for your registration.
005107EB . |8D4C24 1C lea ecx, dword ptr [esp+0x1C]
005107EF . |E8 46780700 call <jmp.&MFC42u.#538>
005107F4 . |8D4C24 18 lea ecx, dword ptr [esp+0x18]
005107F8 . |8D5424 30 lea edx, dword ptr [esp+0x30]
005107FC . |51 push ecx
005107FD . |68 04AD5C00 push 005CAD04 ; Prompt.Info.RegistrationDone
00510802 . |52 push edx
00510803 . |C68424 1C0100>mov byte ptr [esp+0x11C], 0xF
0051080B . |E8 F0F3F3FF call 0044FC00
00510810 . |8BF0 mov esi, eax
00510812 . |83C4 08 add esp, 0x8
00510815 . |B3 10 mov bl, 0x10
00510817 . |8BCC mov ecx, esp
00510819 . |896424 24 mov dword ptr [esp+0x24], esp
0051081D . |68 78CB6000 push 0060CB78 ; \n
00510822 . |889C24 180100>mov byte ptr [esp+0x118], bl
00510829 . |E8 0C780700 call <jmp.&MFC42u.#538>
0051082E . |51 push ecx
0051082F . |C68424 180100>mov byte ptr [esp+0x118], 0x11
00510837 . |8BCC mov ecx, esp
00510839 . |896424 34 mov dword ptr [esp+0x34], esp
0051083D . |68 BC266200 push 006226BC
00510842 . |E8 F3770700 call <jmp.&MFC42u.#538>
00510847 . |8D4C24 40 lea ecx, dword ptr [esp+0x40]
0051084B . |889C24 180100>mov byte ptr [esp+0x118], bl
00510852 . |E8 C973F0FF call 00417C20
00510857 . |56 push esi
00510858 . |8D4C24 50 lea ecx, dword ptr [esp+0x50]
0051085C . |C68424 140100>mov byte ptr [esp+0x114], 0x12
00510864 . |E8 BF770700 call <jmp.&MFC42u.#535>
00510869 . |8D4C24 30 lea ecx, dword ptr [esp+0x30]
0051086D . |C68424 100100>mov byte ptr [esp+0x110], 0x15
00510875 . |E8 B4770700 call <jmp.&MFC42u.#800>
0051087A . |8D4C24 18 lea ecx, dword ptr [esp+0x18]
0051087E . |C68424 100100>mov byte ptr [esp+0x110], 0x14
00510886 . |E8 A3770700 call <jmp.&MFC42u.#800>
0051088B . |6A 00 push 0x0
0051088D . |8D8C24 800000>lea ecx, dword ptr [esp+0x80]
00510894 . |E8 F7FBF1FF call 00430490
00510899 . |6A 01 push 0x1
0051089B . |8D4424 50 lea eax, dword ptr [esp+0x50]
0051089F . |6A 00 push 0x0
005108A1 . |50 push eax
005108A2 . |8D8C24 900000>lea ecx, dword ptr [esp+0x90]
005108A9 . |C68424 1C0100>mov byte ptr [esp+0x11C], 0x16
005108B1 . |E8 4A7EF0FF call 00418700
005108B6 . |B3 17 mov bl, 0x17
005108B8 . |68 78CB6000 push 0060CB78 ; \n
005108BD . |8D4C24 10 lea ecx, dword ptr [esp+0x10]
005108C1 . |889C24 140100>mov byte ptr [esp+0x114], bl
005108C8 . |E8 6D770700 call <jmp.&MFC42u.#538>
005108CD . |68 70CB6000 push 0060CB70 ; \n
005108D2 . |8D4C24 20 lea ecx, dword ptr [esp+0x20]
005108D6 . |C68424 140100>mov byte ptr [esp+0x114], 0x18
005108DE . |E8 57770700 call <jmp.&MFC42u.#538>
005108E3 . |8D4C24 1C lea ecx, dword ptr [esp+0x1C]
005108E7 . |8D5424 20 lea edx, dword ptr [esp+0x20]
005108EB . |51 push ecx
005108EC . |52 push edx
005108ED . |8D8C24 8C0000>lea ecx, dword ptr [esp+0x8C]
005108F4 . |C68424 180100>mov byte ptr [esp+0x118], 0x19
005108FC . |E8 1F81F0FF call 00418A20
00510901 . |8D4C24 0C lea ecx, dword ptr [esp+0xC]
00510905 . |C68424 100100>mov byte ptr [esp+0x110], 0x1A
0051090D . |51 push ecx
0051090E . |8BC8 mov ecx, eax
00510910 . |E8 0B80F0FF call 00418920
00510915 . |8D4C24 24 lea ecx, dword ptr [esp+0x24]
00510919 . |C68424 100100>mov byte ptr [esp+0x110], 0x19
00510921 . |E8 08770700 call <jmp.&MFC42u.#800>
00510926 . |8D4C24 1C lea ecx, dword ptr [esp+0x1C]
0051092A . |C68424 100100>mov byte ptr [esp+0x110], 0x18
00510932 . |E8 F7760700 call <jmp.&MFC42u.#800>
00510937 . |8D4C24 0C lea ecx, dword ptr [esp+0xC]
0051093B . |889C24 100100>mov byte ptr [esp+0x110], bl
00510942 . |E8 E7760700 call <jmp.&MFC42u.#800>
00510947 . |8D5424 0C lea edx, dword ptr [esp+0xC]
0051094B . |8D8C24 840000>lea ecx, dword ptr [esp+0x84]
00510952 . |52 push edx
00510953 . |E8 187EF0FF call 00418770
00510958 . |8D4424 20 lea eax, dword ptr [esp+0x20]
0051095C . |8D4C24 38 lea ecx, dword ptr [esp+0x38]
00510960 . |50 push eax
00510961 . |C68424 140100>mov byte ptr [esp+0x114], 0x1B
00510969 . |E8 1272F0FF call 00417B80
0051096E . |8BF0 mov esi, eax
00510970 . |8D4C24 0C lea ecx, dword ptr [esp+0xC]
00510974 . |68 68CB6000 push 0060CB68 ; \n\n
00510979 . |8D5424 30 lea edx, dword ptr [esp+0x30]
0051097D . |51 push ecx
0051097E . |52 push edx
0051097F . |C68424 1C0100>mov byte ptr [esp+0x11C], 0x1C
00510987 . |E8 C6760700 call <jmp.&MFC42u.#925>
0051098C . |56 push esi
0051098D . |50 push eax
0051098E . |8D4424 24 lea eax, dword ptr [esp+0x24]
00510992 . |C68424 180100>mov byte ptr [esp+0x118], 0x1D
0051099A . |50 push eax
0051099B . |E8 06770700 call <jmp.&MFC42u.#922>
005109A0 . |8B00 mov eax, dword ptr [eax]
005109A2 . |6A 00 push 0x0
005109A4 . |6A 40 push 0x40
005109A6 . |50 push eax
005109A7 . |C68424 1C0100>mov byte ptr [esp+0x11C], 0x1E
005109AF . |E8 EC760700 call <jmp.&MFC42u.#1197>
005109B4 . |8D4C24 1C lea ecx, dword ptr [esp+0x1C]
005109B8 . |C68424 100100>mov byte ptr [esp+0x110], 0x1D
005109C0 . |E8 69760700 call <jmp.&MFC42u.#800>
005109C5 . |8D4C24 2C lea ecx, dword ptr [esp+0x2C]
005109C9 . |C68424 100100>mov byte ptr [esp+0x110], 0x1C
005109D1 . |E8 58760700 call <jmp.&MFC42u.#800>
005109D6 . |8D4C24 20 lea ecx, dword ptr [esp+0x20]
005109DA . |C68424 100100>mov byte ptr [esp+0x110], 0x1B
005109E2 . |E8 47760700 call <jmp.&MFC42u.#800>
005109E7 . |8D4C24 0C lea ecx, dword ptr [esp+0xC]
005109EB . |889C24 100100>mov byte ptr [esp+0x110], bl
005109F2 . |E8 37760700 call <jmp.&MFC42u.#800>
005109F7 . |8D8C24 840000>lea ecx, dword ptr [esp+0x84]
005109FE . |C68424 100100>mov byte ptr [esp+0x110], 0x16
00510A06 . |E8 25C1F0FF call 0041CB30
00510A0B . |8D4C24 7C lea ecx, dword ptr [esp+0x7C]
00510A0F . |C68424 100100>mov byte ptr [esp+0x110], 0x14
00510A17 . |E8 D4B2F0FF call 0041BCF0
00510A1C . |8D4C24 4C lea ecx, dword ptr [esp+0x4C]
00510A20 . |C68424 100100>mov byte ptr [esp+0x110], 0x1F
00510A28 . |E8 01760700 call <jmp.&MFC42u.#800>
00510A2D . |C68424 100100>mov byte ptr [esp+0x110], 0xB
00510A35 . |8D4C24 38 lea ecx, dword ptr [esp+0x38]
00510A39 . |E9 89000000 jmp 00510AC7
00510A3E > \68 88A06100 push 0061A088 ; Invalid license key!\n\nIn case of typos entering key codes, we suggest that you copy/paste license key codes into the edit box in
在上面列出的几个跳转处都设上断点,然后重新输入注册码,看哪些能断下:
00510720 /0F85 18030000 jnz 00510A3E
这句能断下(没跳走,说明注册码的基本格式检查已经通过)。
一路按F8
发现到这句时,
00510754 /0F8F E4020000 jg 00510A3E ← 这里跳向失败分支。注意它前面的 00510727–00510752:先调用 time() 减去全局变量 [0x622A30],得到经过的秒数,乘上 [0x5BDFD8] 里的浮点常数并取整,再用 0x1E(30)去减,结果大于 0 就判失败。也就是说,这一段是基于时间的校验,根本没有用到注册码本身。当然不能让它这么跳。
NOP掉
一路按F8
到 0051079A . /74 1E je short 005107BA 这句时:它在 00414390 返回 eax=0 的情况下跳过 0051079C–005107B5 那一小段(那段会把 [0x622A44] 置 1、edi 置 1,并给 [0x622A30] 加上 0x93A80 = 604800 秒,也就是整整 7 天)。这里先让它跳过去也没关系,edi 的判断放到下一步处理。
一路按F8
005107CD /0F84 6B020000 je 00510A3E 到这句时,由于 edi 还是 0(上一步被跳过了),它又要跳向 Invalid license 分支,同样 NOP 掉。
一路按F8
005109AF . E8 EC760700 call <jmp.&MFC42u.#1197> 走到这里会弹出“感谢注册”的对话框。
但主窗口左下角仍然显示未注册(unregister)字样——说明只改注册对话框里的这几个跳转还不够,界面状态是由别处的另一次校验决定的(见下文 004F0DD3)。
在 00510798 . 85C0 test eax, eax 处 F2 下断,重新输入注册码却断不下来——因为前面 00510754 的 jg 已经把流程带去失败分支了。NOP 掉那条 jg 之后重来,能断下,此时 eax=00000000。在寄存器窗口里把 eax 手动改成 1 再继续,
果然弹出了 Thank you(当然是假的——只改了寄存器,没有改文件)。由此可知 00510793 那个 call 00414390 的返回值 eax 就是“注册码是否有效”的标志,eax=1 表示注册版。这就是“重要指标之 A”。
注册信息保存在 nyfedit.ini 里(下面是输入假注册码之后的内容;RegKey/RegName 就是用户填的值,FirstUseOn、LaunchNum、SecsUsed、NagNum 从名字看应该是试用计时 / 计数字段——未逐一验证,仅供参考):
App.UserLic.Extended=0
App.UserLic.FirstUseOn=1393039501
App.UserLic.LaunchNum=1
App.UserLic.NagNum=0
App.UserLic.RegKey=123456789012345678901234567890
App.UserLic.RegName=吾爱破解冥王至此
App.UserLic.SecsUsed=31
把 A、B 两点结合起来:
结论是,只要让校验函数 00414390 返回 eax=1,到达“重要指标之 B”时就会走成功分支;注册对话框和启动时的校验调用的是同一个函数,所以改函数本身比逐个 NOP 跳转更彻底。
所以重新来过,这次看启动时的那次校验,在 004F0DDC 附近:
004F0DD3 E8 B835F2FF call 00414390 ; 启动时也在这里调用同一个校验函数,返回后落到下一句
004F0DD8 . 85C0 test eax, eax----------〉返回后在这里判断 eax(漂亮MM会来到这里)
004F0DDA 74 2A je short 004F0E06
004F0DDC . 68 B0836100 push 006183B0 ; - Licensed to
在 004F0DD3 按 F2 下断,Ctrl+F2 重新载入程序,断下后按 F7 跟进这个 CALL:
====
00414390 /$ 6A FF push -0x1
00414392 |. 68 4AC55800 push 0058C54A ; 赴']; SE 处理程序安装
00414397 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0041439D |. 50 push eax
0041439E |. 64:8925 00000>mov dword ptr fs:[0], esp
004143A5 |. 83EC 4C sub esp, 0x4C
004143A8 |. 53 push ebx
004143A9 |. 56 push esi
004143AA |. 8BF1 mov esi, ecx
004143AC |. 8D4424 0B lea eax, dword ptr [esp+0xB]
004143B0 |. 57 push edi
004143B1 |. 8D4C24 10 lea ecx, dword ptr [esp+0x10]
004143B5 |. 50 push eax
004143B6 |. 33DB xor ebx, ebx
004143B8 |. 51 push ecx
004143B9 |. 6A 01 push 0x1
004143BB |. 8D4C24 24 lea ecx, dword ptr [esp+0x24]
004143BF |. 33FF xor edi, edi
004143C1 |. 895C24 1C mov dword ptr [esp+0x1C], ebx
004143C5 |. E8 A6110000 call 00415570
004143CA |. 8B5424 6C mov edx, dword ptr [esp+0x6C]
004143CE |. 8D4C24 18 lea ecx, dword ptr [esp+0x18]
004143D2 |. 895C24 60 mov dword ptr [esp+0x60], ebx
004143D6 |. 8B02 mov eax, dword ptr [edx]
004143D8 |. 50 push eax
004143D9 |. E8 C23C0000 call 004180A0
004143DE |. 8D4424 38 lea eax, dword ptr [esp+0x38]
004143E2 |. 8D4C24 18 lea ecx, dword ptr [esp+0x18]
004143E6 |. 50 push eax
004143E7 |. C74424 64 010>mov dword ptr [esp+0x64], 0x1
004143EF |. E8 AC3F0000 call 004183A0
004143F4 |. 8D4C24 18 lea ecx, dword ptr [esp+0x18]
004143F8 |. C64424 60 03 mov byte ptr [esp+0x60], 0x3
004143FD |. E8 DE4B1200 call 00538FE0
00414402 |. 8D4C24 0F lea ecx, dword ptr [esp+0xF]
00414406 |. 8D5424 14 lea edx, dword ptr [esp+0x14]
0041440A |. 51 push ecx
0041440B |. 52 push edx
0041440C |. 6A 01 push 0x1
0041440E |. 8D4C24 34 lea ecx, dword ptr [esp+0x34]
00414412 |. 895C24 20 mov dword ptr [esp+0x20], ebx
00414416 |. E8 55110000 call 00415570
0041441B |. 8B4424 3C mov eax, dword ptr [esp+0x3C]
0041441F |. C64424 60 04 mov byte ptr [esp+0x60], 0x4
00414424 |. 3BC3 cmp eax, ebx
00414426 |. 75 05 jnz short 0041442D
00414428 |. A1 A0DB5B00 mov eax, dword ptr [<&MSVCP60.`std::>
0041442D |> 50 push eax
0041442E |. 8D4C24 2C lea ecx, dword ptr [esp+0x2C]
00414432 |. E8 393B0000 call 00417F70
00414437 |. 8D4424 10 lea eax, dword ptr [esp+0x10]
0041443B |. 8D4C24 28 lea ecx, dword ptr [esp+0x28]
0041443F |. 50 push eax
00414440 |. C64424 64 05 mov byte ptr [esp+0x64], 0x5
00414445 |. E8 46650000 call 0041A990
0041444A |. 8D4C24 10 lea ecx, dword ptr [esp+0x10]
0041444E |. C64424 60 06 mov byte ptr [esp+0x60], 0x6
00414453 |. 51 push ecx
00414454 |. E8 E7000000 call 00414540
00414459 |. 83C4 04 add esp, 0x4
0041445C |. 8D4C24 10 lea ecx, dword ptr [esp+0x10]
00414460 |. 85C0 test eax, eax
00414462 |. 0F944424 6C sete byte ptr [esp+0x6C]
00414467 |. C64424 60 05 mov byte ptr [esp+0x60], 0x5
0041446C |. E8 BD3B1700 call <jmp.&MFC42u.#800>
00414471 |. 8D4C24 28 lea ecx, dword ptr [esp+0x28]
00414475 |. C64424 60 03 mov byte ptr [esp+0x60], 0x3
0041447A |. E8 614B1200 call 00538FE0
0041447F |. 385C24 6C cmp byte ptr [esp+0x6C], bl
00414483 |. 74 77 je short 004144FC
00414485 |. 8D5424 6C lea edx, dword ptr [esp+0x6C]
00414489 |. 8D4424 14 lea eax, dword ptr [esp+0x14]
0041448D |. 52 push edx
0041448E |. 50 push eax
0041448F |. 6A 01 push 0x1
00414491 |. 8D4C24 34 lea ecx, dword ptr [esp+0x34]
00414495 |. 895C24 20 mov dword ptr [esp+0x20], ebx
00414499 |. E8 D2100000 call 00415570
0041449E |. 8B4C24 68 mov ecx, dword ptr [esp+0x68]
004144A2 |. C64424 60 07 mov byte ptr [esp+0x60], 0x7
004144A7 |. 8B01 mov eax, dword ptr [ecx]
004144A9 |. 8D4C24 28 lea ecx, dword ptr [esp+0x28]
004144AD |. 50 push eax
004144AE |. E8 ED3B0000 call 004180A0
004144B3 |. 8D5424 48 lea edx, dword ptr [esp+0x48]
004144B7 |. 8D4C24 28 lea ecx, dword ptr [esp+0x28]
004144BB |. 52 push edx
004144BC |. C64424 64 08 mov byte ptr [esp+0x64], 0x8
004144C1 |. E8 6A400000 call 00418530
004144C6 |. 8D4C24 28 lea ecx, dword ptr [esp+0x28]
004144CA |. C64424 60 0A mov byte ptr [esp+0x60], 0xA
004144CF |. E8 0C4B1200 call 00538FE0
004144D4 |. 8D46 3C lea eax, dword ptr [esi+0x3C]
004144D7 |. 8D4C24 38 lea ecx, dword ptr [esp+0x38]
004144DB |. 50 push eax
004144DC |. 8D5424 4C lea edx, dword ptr [esp+0x4C]
004144E0 |. 51 push ecx
004144E1 |. 52 push edx
004144E2 |. 8BCE mov ecx, esi
004144E4 |. E8 37DBFFFF call 00412020
004144E9 |. 6A 01 push 0x1
004144EB |. 8D4C24 4C lea ecx, dword ptr [esp+0x4C]
004144EF |. 8BF8 mov edi, eax
004144F1 |. C64424 64 03 mov byte ptr [esp+0x64], 0x3
004144F6 |. FF15 98DB5B00 call dword ptr [<&MSVCP60.std::basic_>; msvcp60.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::_Tidy
004144FC |> 8B4C24 3C mov ecx, dword ptr [esp+0x3C]
00414500 |. 3BCB cmp ecx, ebx
00414502 |. 74 1C je short 00414520
00414504 |. 8A41 FF mov al, byte ptr [ecx-0x1]
00414507 |. 3AC3 cmp al, bl
00414509 |. 74 0B je short 00414516
0041450B |. 3C FF cmp al, 0xFF
0041450D |. 74 07 je short 00414516
0041450F |. FEC8 dec al
00414511 |. 8841 FF mov byte ptr [ecx-0x1], al
00414514 |. EB 0A jmp short 00414520
00414516 |> 49 dec ecx
00414517 |. 51 push ecx
00414518 |. E8 053B1700 call <jmp.&MFC42u.#825>
0041451D |. 83C4 04 add esp, 0x4
00414520 |> 8B4C24 58 mov ecx, dword ptr [esp+0x58]
00414524 |. 8BC7 mov eax, edi
00414526 |. 5F pop edi
00414527 |. 5E pop esi
00414528 |. 5B pop ebx
00414529 64:890D 00000>mov dword ptr fs:[0], ecx ; 还原 SEH 链(与 00414392–0041439E 处安装的异常处理程序配对)—— 就在返回前这几句附近出手放大招:
目标是让函数返回时 eax=1,即在返回路径上写入 mov eax,1。
注意补丁的落点和指令长度:mov eax,1(B8 01 00 00 00)占 5 字节,而 00414524 的 mov eax, edi 只有 2 字节,直接覆盖会吃掉后面的 pop edi / pop esi / pop ebx;如果覆盖的是 00414529 这条 7 字节的 fs:[0] 写回,那么 SEH 链不会被还原,之后程序一旦发生异常就会跳到一个已经失效的栈帧上,轻则崩溃、重则留下可被利用的异常处理指针。本文没有说明这 5 字节具体放在哪里,用 OD 汇编时请留意它对“覆盖后续指令”的警告,用 NOP 补齐,并在保存到文件前确认寄存器恢复和 SEH 还原都没有被破坏。
00414530 |. 83C4 58 add esp, 0x58
00414533 \. C2 0800 retn 0x8
[图 5:img5.jpg —— 本地路径引用,网页上无法显示,见附件]
[图 6:img6.jpg —— 本地路径引用,网页上无法显示,见附件]
看一眼信息窗口的内容:返回到 004F0DD8 (nyfedit.004F0DD8)
004F0DD8 . 85C0 test eax, eax----------〉返回后在这里判断 eax(漂亮MM会来到这里)
004F0DD8 这里应该就是启动时对校验结果的判断:输错注册码时 00414390 返回 0,je 直接跳过 "- Licensed to" 那个分支,所以左下角一直显示未注册;只改注册对话框里的跳转不会影响这里,这就是前面“改了还是显示未注册”的内因。
由于用notebook写的破解日志,图片太多
所以请下载附件,用导出的.htm格式查看高清大MM被破写真集~~
编 这点玩意 ,竟然用了一个小时,晕,觉得不错就打赏点,明天再来发成果报告 。
这两天水平提升不少,破解日记有一堆新成果了~~~
新版本 的这软件 可以生成被winchm支持的CHM工程文件了,再用
winchm编辑 或生成CHM,超级方便 ,写汇编日志也超级不错,给力的日记软件。