//-----------------------------------------------------------------------------------------------------------------
// Photoshop CS4 文件大約是50MB,這是我第一次破這麼專業的軟件,我花了一天時間來反復的跟蹤..~!
// 幸好ADOBE比較良心,並未加殼,我不是破解高手~~!只是一編雜亂的筆記,雖然在我破完後,發現網絡上早就有破解補丁,我是很失
// 落~!發出來給大家,希望對有所需要的朋友有所幫助.
// 破解需要注意的文件為atmlib.dll,atmserver.dll這兩個文件,起初打算在PS內部JMP,但是,我最不喜歡動PS,一個是50MB的個頭,
// 另一個是最不想動手修改文件,原汁原味我最喜歡.od加載的時候注意,由於平凡的等待服務和線程,導致F8和F7跟蹤的時候卡住,
// 辦法是在卡住的函數後F2斷點,然後重新加載,F9到斷點,最好取消斷點,如果中途耽擱時間比較多,估計後面還會卡住,如此反復.
// 需要注意的是50MB,OD分析有一整子,可以直接按空格終止,每次加載都會分析,很厭煩~!
// 我就不羅略太多的代碼了.只把關鍵點發出來~!
// -By EasyStudy
// 看雪技術論壇: http://bbs.pediy.com
// 2010.02.12 深夜
//-----------------------------------------------------------------------------------------------------------------
// 入口:
0114E32A > E8 E5040000 call 0114E814
0114E32F ^ E9 35FDFFFF jmp 0114E069
0114E334 CC int3
0114E335 CC int3
0114E336 CC int3
0114E337 CC int3
0114E338 CC int3
0114E339 CC int3
// WinMain函數:
010CEF20 81EC 00050000 sub esp, 500
010CEF26 A1 34039101 mov eax, dword ptr [1910334]
010CEF2B 33C4 xor eax, esp
010CEF2D 898424 FC040000 mov dword ptr [esp+4FC], eax
010CEF34 8B8424 04050000 mov eax, dword ptr [esp+504]
010CEF3B 8B8C24 08050000 mov ecx, dword ptr [esp+508]
010CEF42 53 push ebx
010CEF43 55 push ebp
010CEF44 56 push esi
010CEF45 57 push edi
010CEF46 33FF xor edi, edi
010CEF48 894424 18 mov dword ptr [esp+18], eax
010CEF4C 894C24 20 mov dword ptr [esp+20], ecx
010CEF50 897C24 10 mov dword ptr [esp+10], edi
010CEF54 897C24 14 mov dword ptr [esp+14], edi
010CEF58 FF15 F4925801 call dword ptr [<&KERNEL32.GetCommand>; kernel32.GetCommandLineW
//
010CF335 C605 1B63AB01 0>mov byte ptr [1AB631B], 1
010CF33C E8 9FFF43FF call 0050F2E0 ;這裡進入
010CF341 A1 309AAC01 mov eax, dword ptr [1AC9A30]
010CF346 3BC7 cmp eax, edi
//
0050F45E 53 push ebx
0050F45F 68 C4DA8D01 push 018DDAC4
0050F464 68 A8DA8D01 push 018DDAA8
0050F469 53 push ebx
0050F46A 50 push eax
0050F46B E8 ECE6C300 call <jmp.&MSVCR80.__RTDynamicCast>
0050F470 8BF0 mov esi, eax
0050F472 6A 0A push 0A
0050F474 8975 E0 mov dword ptr [ebp-20], esi
0050F477 E8 5410BF00 call 011004D0
0050F47C 83C4 18 add esp, 18
0050F47F E8 3C08BF00 call 010FFCC0
0050F484 8BCE mov ecx, esi
0050F486 885D EF mov byte ptr [ebp-11], bl
0050F489 E8 D2717500 call 00C66660 ;但是需要從這裡進去
0050F48E 68 40891001 push 01108940
0050F493 FF15 28985801 call dword ptr [<&MSVCR80.set_unexpec>; MSVCR80.set_unexpected
0050F499 68 20F25000 push 0050F220
0050F49E FF15 2C985801 call dword ptr [<&MSVCR80.set_termina>; MSVCR80.set_terminate
0050F4A4 83C4 08 add esp, 8
0050F4A7 8945 D8 mov dword ptr [ebp-28], eax
0050F4AA C645 FC 04 mov byte ptr [ebp-4], 4
0050F4AE E8 6D99EFFF call 00408E20
0050F4B3 84C0 test al, al
0050F4B5 0F85 E9000000 jnz 0050F5A4 ;實際這裡就能JMP了,只是每次啟動會有那個協議框
0050F4BB C645 FC 05 mov byte ptr [ebp-4], 5
0050F4BF E8 0CB7AF00 call AIF::float4x4::~float4x4
0050F4C4 E8 07B7AF00 call AIF::float4x4::~float4x4
0050F4C9 E8 2282B300 call 010476F0
0050F4CE E8 DD3FB500 call 010634B0
0050F4D3 E8 F8B6AF00 call AIF::float4x4::~float4x4
0050F4D8 E8 338DB300 call 01048210
0050F4DD 8BCE mov ecx, esi
0050F4DF E8 5C8D7500 call 00C68240
0050F4E4 8B0D 74638F01 mov ecx, dword ptr [18F6374] ; Photosho.01AB1118
0050F4EA E8 B16B6A00 call 00BB60A0
0050F4EF C745 FC 0400000>mov dword ptr [ebp-4], 4
0050F4F6 EB 55 jmp short 0050F54D
//
00C6674F 66:A3 0C63AB01 mov word ptr [1AB630C], ax
00C66755 C605 91A2AC01 0>mov byte ptr [1ACA291], 0
00C6675C C605 A0A2AC01 0>mov byte ptr [1ACA2A0], 0
00C66763 C605 9AA2AC01 0>mov byte ptr [1ACA29A], 1
00C6676A C705 9CA2AC01 F>mov dword ptr [1ACA29C], 0FFFF
00C66774 C705 0863AB01 0>mov dword ptr [1AB6308], 0
00C6677E E8 0D3C7AFF call 0040A390 ;這裡進去
00C66783 E8 98267AFF call 00408E20
00C66788 84C0 test al, al
00C6678A 75 34 jnz short 00C667C0
00C6678C E8 1FE51000 call 00D74CB0
00C66791 33C0 xor eax, eax
00C66793 33F6 xor esi, esi
00C66795 0FBFC8 movsx ecx, ax
00C66798 80CA FF or dl, 0FF
00C6679B 2AD0 sub dl, al
//
0040A6D6 68 08BD9201 push 0192BD08
0040A6DB 68 04BD9201 push 0192BD04
0040A6E0 8D4C24 54 lea ecx, dword ptr [esp+54]
0040A6E4 51 push ecx
0040A6E5 53 push ebx
0040A6E6 68 A0BC9201 push 0192BCA0
0040A6EB 50 push eax
0040A6EC 6A 01 push 1
0040A6EE 56 push esi
0040A6EF 57 push edi
0040A6F0 55 push ebp
0040A6F1 FF15 00BC9201 call dword ptr [192BC00] ; amtlib.AMTObtainProductLicense ;這裡進去
0040A6F7 8B7C24 74 mov edi, dword ptr [esp+74]
//---------------------------------------------------------------------------------------------------------
//
// 跟到這裡:
0811652B > \55 push ebp
0811652C . 8B6C24 10 mov ebp, dword ptr [esp+10]
08116530 . 57 push edi
08116531 . 8B7C24 20 mov edi, dword ptr [esp+20]
08116535 . 57 push edi
08116536 . C605 2A2F3908>mov byte ptr [8392F2A], 1
0811653D . 893D 0C2F3908 mov dword ptr [8392F0C], edi
08116543 . 892D 0CC03608 mov dword ptr [836C00C], ebp
08116549 . E8 92F3FFFF call AMTPreObtainProductLicense
0811654E . A1 182F3908 mov eax, dword ptr [8392F18]
08116553 . 50 push eax
08116554 . E8 872B0F00 call 082090E0
08116559 . 83C4 08 add esp, 8
0811655C . 833D 082F3908>cmp dword ptr [8392F08], 0 ;F2 ->F9 ->F2
// 再跟就到這裡了:
08133304 |> /50 /push eax
08133305 |. |56 |push esi
08133306 |. |68 948A3308 |push 08338A94 ; ASCII "App Product Locale [%d] = %s"
0813330B |. |68 8C8A3308 |push 08338A8C ; ASCII "%d %s"
08133310 |. |6A 04 |push 4
08133312 |. |68 20483308 |push 08334820 ; ASCII "AMT"
08133317 |. |E8 644AFEFF |call 08117D80
0813331C |. |50 |push eax
0813331D |. |E8 6E060D00 |call 08203990
08133322 |. |8B44B7 04 |mov eax, dword ptr [edi+esi*4+4]
08133326 |. |83C6 01 |add esi, 1
08133329 |. |83C4 1C |add esp, 1C
0813332C |. |85C0 |test eax, eax
0813332E |.^\75 D4 \jnz short 08133304
// 往下:
081333E3 |. 51 push ecx
081333E4 |. 8B4C24 74 mov ecx, dword ptr [esp+74]
081333E8 |. 52 push edx
081333E9 |. 8B5424 74 mov edx, dword ptr [esp+74]
081333ED |. 51 push ecx
081333EE |. 52 push edx
081333EF |. 50 push eax
081333F0 |. 8B4424 70 mov eax, dword ptr [esp+70]
081333F4 |. 50 push eax
081333F5 |. 8BCD mov ecx, ebp
081333F7 |. E8 04F1FFFF call 08132500
// 再往下:這裡基本已經結束了,需要在上面個函數來做處理:
08133463 |. 8B4D 14 mov ecx, dword ptr [ebp+14]
08133466 |. E8 C5BAFEFF call 0811EF30
0813346B |. 84C0 test al, al
0813346D |. 74 2F je short 0813349E
0813346F |. 68 C0893308 push 083389C0 ; ASCII "This is a subsequent launch. Deferring services."
08133474 |. 6A 00 push 0
08133476 |. 6A 04 push 4
08133478 |. 68 20483308 push 08334820 ; ASCII "AMT"
0813347D |. E8 FE48FEFF call 08117D80
08133482 |. 50 push eax
08133483 |. E8 08050D00 call 08203990
08133488 |. 83C4 14 add esp, 14
0813348B |. C745 04 00000>mov dword ptr [ebp+4], 0
08133492 |. E9 C9000000 jmp 08133560
//call 08132500 -> F7進來:
081325E6 |. 50 push eax
081325E7 |. 51 push ecx
081325E8 |. 52 push edx
081325E9 |. 8D4424 44 lea eax, dword ptr [esp+44]
081325ED |. 50 push eax
081325EE |. 8D4C24 2C lea ecx, dword ptr [esp+2C]
081325F2 |. 51 push ecx
081325F3 |. C64424 70 01 mov byte ptr [esp+70], 1
081325F8 |. E8 2311FFFF call 08123720 ;F7進
//
081238B6 > \56 push esi
081238B7 . E8 347D0E00 call 0820B5F0 ;F7進
081238BC . A1 74FD3D08 mov eax, dword ptr [83DFD74]
081238C1 . 50 push eax
081238C2 . E8 D9820E00 call 0820BBA0
081238C7 . 8B0D 302F3908 mov ecx, dword ptr [8392F30]
081238CD . 8981 8C020000 mov dword ptr [ecx+28C], eax
081238D3 . 8B0D 302F3908 mov ecx, dword ptr [8392F30]
081238D9 . 83C4 08 add esp, 8
081238DC . 3999 8C020000 cmp dword ptr [ecx+28C], ebx
081238E2 . 75 43 jnz short 08123927
081238E4 . 8BF1 mov esi, ecx
081238E6 . E8 1561FFFF call 08119A00
081238EB . 56 push esi
081238EC . E8 98521300 call 08258B89
081238F1 . 8B15 342F3908 mov edx, dword ptr [8392F34]
081238F7 . 68 7C613308 push 0833617C ; ASCII "ERROR: No configuration service found for application."
081238FC . 53 push ebx
081238FD . 6A 02 push 2
081238FF . 68 20483308 push 08334820 ; ASCII "AMT"
08123904 . 52 push edx
08123905 . 891D 302F3908 mov dword ptr [8392F30], ebx
0812390B . E8 80000E00 call 08203990
08123910 . 83C4 18 add esp, 18
08123913 . 32C0 xor al, al
08123915 . 8B4D F4 mov ecx, dword ptr [ebp-C]
08123918 . 64:890D 00000>mov dword ptr fs:[0], ecx
0812391F . 59 pop ecx
08123920 . 5F pop edi
08123921 . 5E pop esi
08123922 . 5B pop ebx
08123923 . 8BE5 mov esp, ebp
08123925 . 5D pop ebp
//一路跟到這裡:
0812399E . 8B0D 302F3908 mov ecx, dword ptr [8392F30]
081239A4 . E8 E7FAFFFF call 08123490 ;F7進
081239A9 . 8B0D 302F3908 mov ecx, dword ptr [8392F30]
081239AF . 3999 F8000000 cmp dword ptr [ecx+F8], ebx
//
081234CB |. 8B0D B4D03808 mov ecx, dword ptr [838D0B4] ; amtlib.08345314
081234D1 |. 8B86 8C020000 mov eax, dword ptr [esi+28C]
081234D7 |. 51 push ecx
081234D8 |. 68 2C523308 push 0833522C ; ASCII "application.xml"
081234DD |. 68 00040000 push 400
081234E2 |. 8D5424 34 lea edx, dword ptr [esp+34]
081234E6 |. 52 push edx
081234E7 |. 33DB xor ebx, ebx
081234E9 |. 50 push eax
081234EA |. 885C24 3C mov byte ptr [esp+3C], bl
081234EE |. E8 BDA70E00 call 0820DCB0
//
08123547 |. 6A 01 push 1
08123549 |. 68 2C523308 push 0833522C ; ASCII "application.xml"
0812354E |. 68 68603308 push 08336068 ; ASCII "config ERROR: unified configuration file [%s] not found! (Errno = %ld)"
08123553 |. 53 push ebx
08123554 |. 6A 02 push 2
08123556 |. 68 20483308 push 08334820 ; ASCII "AMT"
0812355B |. 51 push ecx
0812355C |. E8 2F040E00 call 08203990
08123561 |. 83C4 24 add esp, 24
08123564 |. EB 07 jmp short 0812356D
08123566 |> 8BCE mov ecx, esi
08123568 |. E8 43E2FFFF call 081217B0 //F7進
//一路往下: 進去一圈無結果T_T
081222AA |. 8B0D 342F3908 mov ecx, dword ptr [8392F34]
081222B0 |. 68 905C3308 push 08335C90 ; ASCII "config: No BridgeTalkCode found in configuration; Bridgetalk will be disabled."
081222B5 |. 53 push ebx
081222B6 |. 6A 04 push 4
081222B8 |. 68 20483308 push 08334820 ; ASCII "AMT"
081222BD |. 51 push ecx
081222BE |. E8 CD160E00 call 08203990
081222C3 |. 83C4 14 add esp, 14
081222C6 |> 8BCE mov ecx, esi
081222C8 |. E8 A3E9FFFF call 08120C70 //F7進
//返回後來這裡:
081239B5 . /75 30 jnz short 081239E7
081239B7 . |8BF1 mov esi, ecx
081239B9 . |E8 4260FFFF call 08119A00
081239BE . |56 push esi
081239BF . |E8 C5511300 call 08258B89
081239C4 . |A1 342F3908 mov eax, dword ptr [8392F34]
081239C9 . |68 10613308 push 08336110 ; ASCII "ERROR: No licensing configuration found for application."
081239CE . |53 push ebx
081239CF . |6A 02 push 2
081239D1 . |68 20483308 push 08334820 ; ASCII "AMT"
081239D6 . |50 push eax
081239D7 . |891D 302F3908 mov dword ptr [8392F30], ebx
081239DD . |E8 AEFF0D00 call 08203990
081239E2 . |83C4 18 add esp, 18
081239E5 . |EB 4E jmp short 08123A35
//似乎到了目的地~~!加油~~!
081239E7 > \8B55 10 mov edx, dword ptr [ebp+10]
081239EA . 8951 54 mov dword ptr [ecx+54], edx
081239ED . 8B0D 302F3908 mov ecx, dword ptr [8392F30]
081239F3 . E8 F848FFFF call 081182F0
081239F8 . 8B0D 302F3908 mov ecx, dword ptr [8392F30]
081239FE . E8 ADFBFFFF call 081235B0 ;悲劇性卡死~~T_T
08123A03 . EB 30 jmp short 08123A35
08123A05 . A1 342F3908 mov eax, dword ptr [8392F34]
08123A0A . 68 EC603308 push 083360EC ; ASCII "Application failed to initialize"
08123A0F . 33DB xor ebx, ebx
08123A11 . 53 push ebx
08123A12 . 6A 01 push 1
08123A14 . 68 20483308 push 08334820 ; ASCII "AMT"
08123A19 . 50 push eax
08123A1A . E8 71FF0D00 call 08203990
08123A1F . 83C4 14 add esp, 14
08123A22 . E8 A963FFFF call 08119DD0
08123A27 . 891D 302F3908 mov dword ptr [8392F30], ebx
08123A2D . B8 333A1208 mov eax, 08123A33
08123A32 . C3 retn
//再啟動,再進:
//重複上面,一路跟到這裡:
08133463 |. 8B4D 14 mov ecx, dword ptr [ebp+14]
08133466 |. E8 C5BAFEFF call 0811EF30
0813346B |. 84C0 test al, al
0813346D |. 74 2F je short 0813349E
0813346F |. 68 C0893308 push 083389C0 ; ASCII "This is a subsequent launch. Deferring services."
08133474 |. 6A 00 push 0
08133476 |. 6A 04 push 4
08133478 |. 68 20483308 push 08334820 ; ASCII "AMT"
0813347D |. E8 FE48FEFF call 08117D80
08133482 |. 50 push eax
08133483 |. E8 08050D00 call 08203990
08133488 |. 83C4 14 add esp, 14
0813348B |. C745 04 00000>mov dword ptr [ebp+4], 0
08133492 |. E9 C9000000 jmp 08133560
//^o^挖挖~~!終於來到了~!
08133497 |> \68 8C893308 push 0833898C ; ASCII "Forcing first launch workflow at product request."
0813349C |. EB 05 jmp short 081334A3
0813349E |> 68 38893308 push 08338938 ; ASCII "Forcing first launch workflow because product is not licensed from previous launch."
081334A3 |> 6A 00 push 0
081334A5 |. 6A 04 push 4
081334A7 |. 68 20483308 push 08334820 ; ASCII "AMT"
081334AC |. E8 CF48FEFF call 08117D80
081334B1 |. 50 push eax
081334B2 |. E8 D9040D00 call 08203990
081334B7 |. 83C4 14 add esp, 14
081334BA |. 6A 00 push 0
081334BC |. 8BCD mov ecx, ebp
081334BE |. E8 8DFAFFFF call 08132F50 ;幸福的道路在這裡
//整個函數我羅列了出來,^_^.看看那文字似乎和產品驗證有很大關係,一路JMP
08132F50 /$ 53 push ebx
08132F51 |. 8B5C24 08 mov ebx, dword ptr [esp+8]
08132F55 |. 85DB test ebx, ebx
08132F57 |. 56 push esi
08132F58 |. 57 push edi
08132F59 |. 8BF1 mov esi, ecx
08132F5B |. 75 07 jnz short 08132F64
08132F5D |. BF E8883308 mov edi, 083388E8 ; ASCII "Obtain"
08132F62 |. EB 0F jmp short 08132F73
08132F64 |> 83FB 02 cmp ebx, 2
08132F67 |. BF E0883308 mov edi, 083388E0 ; ASCII "ValIDAt"
08132F6C |. 74 05 je short 08132F73
08132F6E |. BF D4883308 mov edi, 083388D4 ; ASCII "PreValidat"
08132F73 |> 57 push edi
08132F74 |. 68 B8883308 push 083388B8 ; ASCII "AMT: %sing Product License."
08132F79 |. 68 B0883308 push 083388B0 ; ASCII "%sing"
08132F7E |. 6A 04 push 4
08132F80 |. 68 20483308 push 08334820 ; ASCII "AMT"
08132F85 |. E8 F64DFEFF call 08117D80
08132F8A |. 50 push eax
08132F8B |. E8 000A0D00 call 08203990
08132F90 |. 83C4 18 add esp, 18
08132F93 |. 807E 54 00 cmp byte ptr [esi+54], 0
08132F97 |. 74 53 je short 08132FEC
08132F99 |. 68 80883308 push 08338880 ; ASCII "Launch Workflow already done in this session."
08132F9E |. 6A 00 push 0
08132FA0 |. 6A 04 push 4
08132FA2 |. 68 20483308 push 08334820 ; ASCII "AMT"
08132FA7 |. E8 D44DFEFF call 08117D80
08132FAC |. 50 push eax
08132FAD |. E8 DE090D00 call 08203990
08132FB2 |. 83C4 14 add esp, 14
08132FB5 |> 53 push ebx
08132FB6 |. 8BCE mov ecx, esi
08132FB8 |. E8 33CAFFFF call 0812F9F0
08132FBD |. 6A 00 push 0
08132FBF |. 8BCE mov ecx, esi
08132FC1 |. E8 4ADDFFFF call 08130D10
08132FC6 C746 04 01000>mov dword ptr [esi+4], 1 ;我的修改
08132FCD B8 01000000 mov eax, 1 ;我的修改
08132FD2 90 nop ;我的修改
08132FD3 90 nop ;我的修改
08132FD4 E9 9B000000 jmp 08133074 ;我的修改
08132FD9 90 nop ;我的修改
08132FDA 57 push edi
08132FDB 68 60883308 push 08338860 ; ASCII "Failure %sing Product License!"
08132FE0 |. 68 B0883308 push 083388B0 ; ASCII "%sing"
08132FE5 |. 6A 02 push 2
08132FE7 |. E9 95000000 jmp 08133081
08132FEC |> 83FB 01 cmp ebx, 1
08132FEF |. 75 07 jnz short 08132FF8
08132FF1 |. 68 30883308 push 08338830 ; ASCII "Launch Workflow not yet done in this session."
08132FF6 |. EB 05 jmp short 08132FFD
08132FF8 |> 68 F4873308 push 083387F4 ; ASCII "Launch Workflow not yet done in foreground in this session."
08132FFD |> 6A 00 push 0
08132FFF |. 6A 04 push 4
08133001 |. 68 20483308 push 08334820 ; ASCII "AMT"
08133006 |. E8 754DFEFF call 08117D80
0813300B |. 50 push eax
0813300C |. E8 7F090D00 call 08203990
08133011 |. 83C4 14 add esp, 14
08133014 |. 53 push ebx
08133015 |. 8BCE mov ecx, esi
08133017 |. E8 74FBFFFF call 08132B90 ;這裡需要跟進去
0813301C |. 837E 04 02 cmp dword ptr [esi+4], 2
08133020 |. 75 39 jnz short 0813305B
08133022 |. 8B4E 14 mov ecx, dword ptr [esi+14]
08133025 |. E8 064CFEFF call 08117C30
0813302A |. 84C0 test al, al
0813302C |. 74 2D je short 0813305B
0813302E |. 8B4E 14 mov ecx, dword ptr [esi+14]
08133031 |. E8 5A4DFEFF call 08117D90
08133036 |. 84C0 test al, al
08133038 |. 74 21 je short 0813305B
0813303A |. 83FB 02 cmp ebx, 2
0813303D |. 75 1C jnz short 0813305B
0813303F |. 53 push ebx
08133040 |. 8BCE mov ecx, esi
08133042 |. C746 04 00000>mov dword ptr [esi+4], 0
08133049 |. E8 D2B9FFFF call 0812EA20
0813304E |. 6A 00 push 0
08133050 |. E8 BBDCFFFF call 08130D10
08133055 |. 5F pop edi
08133056 |. 5E pop esi
08133057 |. 5B pop ebx
08133058 |. C2 0400 retn 4
0813305B |> 837E 04 00 cmp dword ptr [esi+4], 0
0813305F |.^ 0F84 50FFFFFF je 08132FB5
08133065 |. 6A 00 push 0
08133067 |. 8BCE mov ecx, esi
08133069 |. E8 A2DCFFFF call 08130D10
0813306E |. 5F pop edi
0813306F |. 5E pop esi
08133070 |. 5B pop ebx
08133071 |. C2 0400 retn 4
08133074 |> 57 push edi
08133075 |. 68 D8873308 push 083387D8 ; ASCII "AMT: Product License %sed."
0813307A |. 68 D0873308 push 083387D0 ; ASCII "%sed"
0813307F |. 6A 04 push 4
08133081 |> 68 20483308 push 08334820 ; ASCII "AMT"
08133086 |. E8 F54CFEFF call 08117D80
0813308B |. 50 push eax
0813308C |. E8 FF080D00 call 08203990
08133091 |. 83C4 18 add esp, 18
08133094 |. 837E 04 00 cmp dword ptr [esi+4], 0
08133098 |. 0F85 A3010000 jnz 08133241
0813309E |. 807E 19 00 cmp byte ptr [esi+19], 0
081330A2 |. 0F85 99010000 jnz 08133241
081330A8 |. 807E 1A 00 cmp byte ptr [esi+1A], 0
081330AC |. 0F85 8F010000 jnz 08133241
081330B2 |. 8B4E 14 mov ecx, dword ptr [esi+14]
081330B5 |. E8 764BFEFF call 08117C30
081330BA |. 84C0 test al, al
081330BC |. 0F84 FF000000 je 081331C1
081330C2 |. 8B4E 14 mov ecx, dword ptr [esi+14]
081330C5 |. E8 5694FEFF call 0811C520
081330CA |. 83F8 03 cmp eax, 3
081330CD |. 0F85 EE000000 jnz 081331C1
081330D3 |. E8 0868FFFF call 081298E0
081330D8 |. 68 94873308 push 08338794 ; ASCII "Product has been activated. Ensuring that it's registered."
081330DD |. 6A 00 push 0
081330DF |. 6A 04 push 4
081330E1 |. 68 20483308 push 08334820 ; ASCII "AMT"
081330E6 |. 8BF8 mov edi, eax
081330E8 |. E8 934CFEFF call 08117D80
081330ED |. 50 push eax
081330EE |. E8 9D080D00 call 08203990
081330F3 |. 8B4E 14 mov ecx, dword ptr [esi+14]
081330F6 |. 83C4 14 add esp, 14
081330F9 |. E8 E24BFEFF call 08117CE0
081330FE |. 84C0 test al, al
08133100 |. 0F85 BB000000 jnz 081331C1
08133106 |. 8B4E 14 mov ecx, dword ptr [esi+14]
08133109 |. E8 22A9FEFF call 0811DA30
0813310E |. 84C0 test al, al
08133110 |. 0F85 AB000000 jnz 081331C1
08133116 |. 8BCF mov ecx, edi
08133118 |. E8 E398FFFF call 0812CA00
0813311D |. 84C0 test al, al
0813311F |. 0F85 9C000000 jnz 081331C1
08133125 |. 68 803A0900 push 93A80
0813312A |. 8BCF mov ecx, edi
0813312C |. E8 0FA2FFFF call 0812D340
08133131 |. 84C0 test al, al
08133133 |. 0F84 88000000 je 081331C1
08133139 |. 68 5C873308 push 0833875C ; ASCII "Product has not yet been registered, and a nag is due."
0813313E |. 6A 00 push 0
08133140 |. 6A 04 push 4
08133142 |. 68 20483308 push 08334820 ; ASCII "AMT"
08133147 |. E8 344CFEFF call 08117D80
0813314C |. 50 push eax
0813314D |. E8 3E080D00 call 08203990
08133152 |. 83C4 14 add esp, 14
08133155 |. 83FB 01 cmp ebx, 1
08133158 |. 75 22 jnz short 0813317C
0813315A |. 68 28873308 push 08338728 ; ASCII "Pre-Validation: Foreground validation is required."
0813315F |. 6A 00 push 0
08133161 |. 6A 04 push 4
08133163 |. 68 20483308 push 08334820 ; ASCII "AMT"
08133168 |. E8 134CFEFF call 08117D80
0813316D |. 50 push eax
0813316E |. E8 1D080D00 call 08203990
08133173 |. C746 04 02000>mov dword ptr [esi+4], 2
0813317A |. EB 42 jmp short 081331BE
0813317C |> 68 0C873308 push 0833870C ; ASCII "Invoking EPIC Registration."
08133181 |. 6A 00 push 0
08133183 |. 6A 04 push 4
08133185 |. 68 20483308 push 08334820 ; ASCII "AMT"
0813318A |. E8 F14BFEFF call 08117D80
0813318F |. 50 push eax
08133190 |. E8 FB070D00 call 08203990
08133195 |. 83C4 14 add esp, 14
08133198 |. 6A 01 push 1
0813319A |. 8BCF mov ecx, edi
0813319C |. E8 9F9CFFFF call 0812CE40
081331A1 |. 84C0 test al, al
081331A3 |. 75 1C jnz short 081331C1
081331A5 |. 68 AC743308 push 083374AC ; ASCII "Product Registration failed."
081331AA |. 6A 00 push 0
081331AC |. 6A 03 push 3
081331AE |. 68 20483308 push 08334820 ; ASCII "AMT"
081331B3 |. E8 C84BFEFF call 08117D80
081331B8 |. 50 push eax
081331B9 |. E8 D2070D00 call 08203990
081331BE |> 83C4 14 add esp, 14
081331C1 |> 8B4E 14 mov ecx, dword ptr [esi+14]
081331C4 |. E8 67BDFEFF call 0811EF30
081331C9 |. 84C0 test al, al
081331CB |. 75 22 jnz short 081331EF
081331CD |. 68 C8863308 push 083386C8 ; ASCII "Suppressing silent AUM update check on first or unlicensed launch."
081331D2 |. 6A 00 push 0
081331D4 |. 6A 04 push 4
081331D6 |. 68 20483308 push 08334820 ; ASCII "AMT"
081331DB |. E8 A04BFEFF call 08117D80
081331E0 |. 50 push eax
081331E1 |. E8 AA070D00 call 08203990
081331E6 |. 83C4 14 add esp, 14
081331E9 |. 5F pop edi
081331EA |. 5E pop esi
081331EB |. 5B pop ebx
081331EC |. C2 0400 retn 4
081331EF |> 85DB test ebx, ebx
081331F1 |. 74 4E je short 08133241
081331F3 |. 8B4E 14 mov ecx, dword ptr [esi+14]
081331F6 |. E8 354AFEFF call 08117C30
081331FB |. 84C0 test al, al
081331FD |. 74 42 je short 08133241
081331FF |. 8B4E 14 mov ecx, dword ptr [esi+14]
08133202 |. E8 E94AFEFF call 08117CF0
08133207 |. 84C0 test al, al
08133209 |. 75 36 jnz short 08133241
0813320B |. 68 A8863308 push 083386A8 ; ASCII "Doing silent AUM update check."
08133210 |. 6A 00 push 0
08133212 |. 6A 04 push 4
08133214 |. 68 20483308 push 08334820 ; ASCII "AMT"
08133219 |. E8 624BFEFF call 08117D80
0813321E |. 50 push eax
0813321F |. E8 6C070D00 call 08203990
08133224 |. 83C4 14 add esp, 14
08133227 |. E8 54CE0D00 call 08210080
0813322C |. 8BF0 mov esi, eax
0813322E |. 85F6 test esi, esi
08133230 |. 74 0F je short 08133241
08133232 |. 56 push esi
08133233 |. E8 28CF0D00 call 08210160
08133238 |. 56 push esi
08133239 |. E8 B2830D00 call 0820B5F0
0813323E |. 83C4 08 add esp, 8
08133241 |> 5F pop edi
08133242 |. 5E pop esi
08133243 |. 5B pop ebx
08133244 \. C2 0400 retn 4
//
08132C80 |> \68 90853308 push 08338590 ; ASCII "Passive app is not installed. Possibly missing driver data. Allowing non-installed use."
08132C85 |. 6A 00 push 0
08132C87 |. 6A 03 push 3
08132C89 |. 68 20483308 push 08334820 ; ASCII "AMT"
08132C8E |. E8 ED50FEFF call 08117D80
08132C93 |. 50 push eax
08132C94 |. E8 F70C0D00 call 08203990
08132C99 |. 83C4 14 add esp, 14
08132C9C |> 807E 19 00 cmp byte ptr [esi+19], 0
08132CA0 |. 75 6E jnz short 08132D10
08132CA2 |. 807E 1A 00 cmp byte ptr [esi+1A], 0
08132CA6 |. 75 68 jnz short 08132D10
08132CA8 |. 8B4E 14 mov ecx, dword ptr [esi+14]
08132CAB |. E8 2050FEFF call 08117CD0
08132CB0 |. 84C0 test al, al
08132CB2 EB 5C jmp short 08132D10 ;需要修改為JMP
08132CB4 |. 8B4E 14 mov ecx, dword ptr [esi+14]
08132CB7 |. E8 744FFEFF call 08117C30
08132CBC |. 84C0 test al, al
08132CBE |. 74 50 je short 08132D10
08132CC0 |. 53 push ebx ;這裡進去就會出現那個協議對話框
08132CC1 |. 8BCE mov ecx, esi
08132CC3 |. E8 58DBFFFF call 08130820
08132CC8 |. 84C0 test al, al
08132CCA 75 44 jnz short 08132D10
08132CCC |. 83FB 01 cmp ebx, 1
08132CCF |. 74 0B je short 08132CDC
08132CD1 |. 68 60853308 push 08338560 ; ASCII "EULA has been refused. Application must exit."
08132CD6 |. 6A 00 push 0
08132CD8 |. 6A 01 push 1
08132CDA |. EB 09 jmp short 08132CE5
08132CDC |> 68 24853308 push 08338524 ; ASCII "EULA needs to be presented. Requiring foreground validate."
08132CE1 |. 6A 00 push 0
08132CE3 |. 6A 04 push 4
08132CE5 |> 68 20483308 push 08334820 ; ASCII "AMT"
08132CEA |. E8 9150FEFF call 08117D80
08132CEF |. 50 push eax
08132CF0 |. E8 9B0C0D00 call 08203990
08132CF5 |. 8B4E 14 mov ecx, dword ptr [esi+14]
08132CF8 |. 83C4 14 add esp, 14
08132CFB |. 6A 00 push 0
08132CFD |. 6A 00 push 0
08132CFF |. E8 1C01FFFF call 08122E20
08132D04 |. C746 04 02000>mov dword ptr [esi+4], 2
08132D0B |. 5E pop esi
08132D0C |. 5B pop ebx
08132D0D |. C2 0400 retn 4
//
08132DAB |> \8BCF mov ecx, edi
08132DAD |. E8 FE39FEFF call 081167B0
08132DB2 |. 84C0 test al, al
08132DB4 EB 0E jmp short 08132DC4 ;這裡需要JMP
08132DB6 |. 68 60843308 push 08338460 ; ASCII "ALM failed to initialize and read trusted storage, hence no license."
08132DBB |. 6A 00 push 0
08132DBD |. 6A 01 push 1
08132DBF |. E9 29010000 jmp 08132EED
08132DC4 |> 8B4E 14 mov ecx, dword ptr [esi+14]
//
08132E29 |> \E8 F296FEFF call 0811C520
08132E2E B8 03000000 mov eax, 3
08132E33 ^ E9 51FFFFFF jmp 08132D89 ;這裡需要JMP
08132E38 90 nop
08132E39 90 nop
08132E3A 75 29 jnz short 08132E65
08132E3C |. 68 70833308 push 08338370 ; ASCII "Prevalidation finds app not activated. Requiring foreground validate."
08132E41 |. 6A 00 push 0
08132E43 |. 6A 04 push 4
08132E45 |> 68 20483308 push 08334820 ; ASCII "AMT"
08132E4A |. E8 314FFEFF call 08117D80
08132E4F |. 50 push eax
08132E50 |. E8 3B0B0D00 call 08203990
08132E55 |. 83C4 14 add esp, 14
08132E58 |. 5F pop edi
08132E59 |. C746 04 02000>mov dword ptr [esi+4], 2
08132E60 |. 5E pop esi
08132E61 |. 5B pop ebx
08132E62 |. C2 0400 retn 4
//--------------------------------------------------------------------------------------------------------
//經過以上修改基本上就可以使用了~!
//---------------------------------------------------------------------------------------------------------
//補充1:
//
085B70D8 53 push ebx
085B70D9 6A 01 push 1
085B70DB 6A 03 push 3
085B70DD 8D4424 6C lea eax, dword ptr [esp+6C]
085B70E1 50 push eax
085B70E2 55 push ebp
085B70E3 56 push esi
085B70E4 56 push esi
085B70E5 8B4C24 3C mov ecx, dword ptr [esp+3C]
085B70E9 8B4424 40 mov eax, dword ptr [esp+40]
085B70ED 51 push ecx
085B70EE 8D5424 38 lea edx, dword ptr [esp+38]
085B70F2 52 push edx
085B70F3 50 push eax
085B70F4 FF5424 3C call dword ptr [esp+3C] ;顯示對話框
//-----------------------------------------------------------------------------------------------------------
//補充2:
08132CA8 |. 8B4E 14 mov ecx, dword ptr [esi+14]
08132CAB |. E8 2050FEFF call 08117CD0
08132CB0 |. 84C0 test al, al
08132CB2 |. 75 5C jnz short 08132D10
08132CB4 |. 8B4E 14 mov ecx, dword ptr [esi+14]
08132CB7 |. E8 744FFEFF call 08117C30
08132CBC |. 84C0 test al, al
08132CBE |. 74 50 je short 08132D10
08132CC0 |. 53 push ebx
08132CC1 |. 8BCE mov ecx, esi
08132CC3 |. E8 58DBFFFF call 08130820 ;這裡已經顯示對話框
08132CC8 |. 84C0 test al, al
08132CCA 75 44 jnz short 08132D10
081281C7 |. 8B7424 0C mov esi, dword ptr [esp+C]
081281CB |. 8D4C24 7C lea ecx, dword ptr [esp+7C]
081281CF |. C78424 B80000>mov dword ptr [esp+B8], -1
081281DA |. E8 C1BDFFFF call 08123FA0
081281DF |. 8D4C24 7C lea ecx, dword ptr [esp+7C]
081281E3 |. 51 push ecx
081281E4 |. C78424 800000>mov dword ptr [esp+80], 08335574
081281EF |. E8 17E71200 call 0825690B
081281F4 |. 83C4 04 add esp, 4
081281F7 |. 8BC6 mov eax, esi
081281F9 |. 8B8C24 B00000>mov ecx, dword ptr [esp+B0]
08128200 |. 64:890D 00000>mov dword ptr fs:[0], ecx
08128207 |. 59 pop ecx
08128208 |. 5E pop esi
08128209 |. 5B pop ebx
0812820A |. 81C4 B0000000 add esp, 0B0
08128210 \. C3 retn ;這裡必須返回3:
//這裡返回3:
0811C63B |> \B8 03000000 mov eax, 3 ; Case 3 of switch 0811C5A8
0811C640 |. 8B4C24 44 mov ecx, dword ptr [esp+44]
0811C644 |. 64:890D 00000>mov dword ptr fs:[0], ecx
0811C64B |. 59 pop ecx
0811C64C |. 5E pop esi
0811C64D |. 5B pop ebx
0811C64E |. 83C4 44 add esp, 44
0811C651 |. C3 retn
//這裡才會等於跳轉:
08132E1F |> \68 B8833308 push 083383B8 ; ASCII "Product is non-serialized. Bypassing EULA and ALM product-level license checks."
08132E24 |.^ E9 3DFFFFFF jmp 08132D66
08132E29 |> E8 F296FEFF call 0811C520
08132E2E |. 83F8 03 cmp eax, 3
08132E31 ^ 0F84 52FFFFFF je 08132D89 ; 這裡我直接修改JMP,不修改其他函數了
//修改如下:
10032E1F |> \68 B8832310 push 102383B8 ; ASCII "Product is non-serialized. Bypassing EULA and ALM product-level license checks."
10032E24 |.^ E9 3DFFFFFF jmp 10032D66
10032E29 |> E8 F296FEFF call 1001C520
10032E2E B8 03000000 mov eax, 3
10032E33 ^ E9 51FFFFFF jmp 10032D89
10032E38 90 nop
10032E39 90 nop
//修改如下:
08132FBD |. 6A 00 push 0
08132FBF |. 8BCE mov ecx, esi
08132FC1 |. E8 4ADDFFFF call 08130D10
08132FC6 C746 04 01000>mov dword ptr [esi+4], 1
08132FCD B8 01000000 mov eax, 1
08132FD2 90 nop
08132FD3 90 nop
08132FD4 E9 9B000000 jmp 08133074
08132FD9 90 nop
08132FDA 57 push edi
08132FDB 68 60883308 push 08338860 ; ASCII "Failure %sing Product License!"
08132FE0 |. 68 B0883308 push 083388B0 ; ASCII "%sing"
08132FE5 |. 6A 02 push 2
08132FE7 |. E9 95000000 jmp 08133081
发表于 2010-2-27 11:58
发表于 2010-2-27 12:53
这文章可能以后我用的上~~~
