本筆記看著有點迷糊可以參考我CS4的破解,CS5只記錄了關鍵的位置,和CS4破解對照看會明了些.
傳送門:http://bbs.pediy.com/showthread.php?t=107136
直接跳了2处搞定,没再跟了.对应amtlib.dll v3.0.0.64/1:
6098C63C C746 0C 01000>mov dword ptr [esi+C], 1
6098C643 90 nop
6098C644 90 nop
6098C645 90 nop
6098C646 EB 0F jmp short 6098C657
6098C648 |. 55 push ebp
6098C649 |. 68 38A5A160 push 60A1A538 ; ASCII "ERROR: Failure %sing Product License!"
6098C64E |. 68 B8A6A160 push 60A1A6B8 ; ASCII "%sing"
6098C653 |. 6A 02 push 2
6098C655 |. EB 0D jmp short 6098C664
//2:
6098BEDD 8BC3 mov eax, ebx
6098BEDF E9 AD010000 jmp 6098C091
6098BEE4 90 nop
6098BEE5 83FD 01 cmp ebp, 1
6098BEE8 75 2B jnz short 6098BF15
6098BEEA |. 68 E8A1A160 push 60A1A1E8 ; ASCII "Prevalidation finds app not activated. Requiring foreground validate."
6098BEEF |. 6A 00 push 0
6098BEF1 |. 6A 04 push 4
6098BEF3 |> 68 0863A160 push 60A16308 ; ASCII "AMT"
6098BEF8 |. E8 2309FEFF call 6096C820
amtlib_v30064.rar
//amtlib.dll從3MB左右變化到不到1MB,估摸著以前的方法是不管用了,碰碰看了.
//根據以前CS4的破解,故查找"Forcing first launch workflow at product request"
//發現地址為:
65EDDA8B |> \68 14ABF665 push 65F6AB14 ; ASCII "Forcing first launch workflow at product request."
65EDDA90 |. EB 05 jmp short 65EDDA97
65EDDA92 |> 68 C0AAF665 push 65F6AAC0 ; ASCII "Forcing first launch workflow because product is not licensed from previous launch."
65EDDA97 |> 6A 00 push 0
65EDDA99 |. 6A 04 push 4
65EDDA9B |. 68 0863F665 push 65F66308 ; ASCII "AMT"
65EDDAA0 |. E8 7BEDFDFF call 65EBC820
65EDDAA5 |. 50 push eax
65EDDAA6 |. E8 95040200 call 65EFDF40
65EDDAAB |. 83C4 14 add esp, 14
65EDDAAE |. 6A 00 push 0
65EDDAB0 |. 8BCE mov ecx, esi
65EDDAB2 |. E8 59E9FFFF call 65EDC410 ;按CS4的方法,進這裡
//同樣的一大段就找到了,直接運行PSCS5,發現在這裡斷下:
65EDC410 /nbsp; 83EC 0C sub esp, 0C
65EDC413 |. 55 push ebp
65EDC414 |. 56 push esi
65EDC415 |. 57 push edi
65EDC416 |. 8B7C24 1C mov edi, dword ptr [esp+1C]
65EDC41A |. 8BF1 mov esi, ecx
65EDC41C |. 85FF test edi, edi
65EDC41E |. 75 0A jnz short 65EDC42A
65EDC420 |. C74424 0C F0A>mov dword ptr [esp+C], 65F6A6F0 ; ASCII "Obtain"
65EDC428 |. EB 15 jmp short 65EDC43F
65EDC42A |> C74424 0C E8A>mov dword ptr [esp+C], 65F6A6E8 ; ASCII "Validat"
65EDC432 |. 83FF 02 cmp edi, 2
65EDC435 |. 74 08 je short 65EDC43F
65EDC437 |. C74424 0C DCA>mov dword ptr [esp+C], 65F6A6DC ; ASCII "PreValidat"
65EDC43F |> 8B6C24 0C mov ebp, dword ptr [esp+C]
65EDC443 |. 55 push ebp
65EDC444 |. 68 C0A6F665 push 65F6A6C0 ; ASCII "AMT: %sing Product License."
65EDC449 |. 68 B8A6F665 push 65F6A6B8 ; ASCII "%sing"
65EDC44E |. 6A 04 push 4
65EDC450 |. 68 0863F665 push 65F66308 ; ASCII "AMT"
65EDC455 |. E8 C603FEFF call 65EBC820
65EDC45A |. 50 push eax
65EDC45B |. E8 E01A0200 call 65EFDF40
65EDC460 |. 83C4 18 add esp, 18
65EDC463 |. 807E 5C 00 cmp byte ptr [esi+5C], 0
65EDC467 |. 74 21 je short 65EDC48A
65EDC469 |. 68 88A6F665 push 65F6A688 ; ASCII "Launch Workflow already done in this session."
65EDC46E |. 6A 00 push 0
65EDC470 |. 6A 04 push 4
65EDC472 |. 68 0863F665 push 65F66308 ; ASCII "AMT"
65EDC477 |. E8 A403FEFF call 65EBC820
65EDC47C |. 50 push eax
65EDC47D |. E8 BE1A0200 call 65EFDF40
65EDC482 |. 83C4 14 add esp, 14
65EDC485 |. E9 A1010000 jmp 65EDC62B
65EDC48A |> 83FF 01 cmp edi, 1
65EDC48D |. 75 07 jnz short 65EDC496
65EDC48F |. 68 58A6F665 push 65F6A658 ; ASCII "Launch Workflow not yet done in this session."
65EDC494 |. EB 05 jmp short 65EDC49B
65EDC496 |> 68 1CA6F665 push 65F6A61C ; ASCII "Launch Workflow not yet done in foreground in this session."
65EDC49B |> 6A 00 push 0
65EDC49D |. 6A 04 push 4
65EDC49F |. 68 0863F665 push 65F66308 ; ASCII "AMT"
65EDC4A4 |. E8 7703FEFF call 65EBC820
65EDC4A9 |. 50 push eax
65EDC4AA |. E8 911A0200 call 65EFDF40
65EDC4AF |. 83C4 14 add esp, 14
65EDC4B2 |. 57 push edi
65EDC4B3 |. 8BCE mov ecx, esi
65EDC4B5 |. E8 66F7FFFF call 65EDBC20 ;這裡需要跟進去
65EDC4BA |. 807E 21 00 cmp byte ptr [esi+21], 0
65EDC4BE |. 0F85 09010000 jnz 65EDC5CD
65EDC4C4 |. 807E 22 00 cmp byte ptr [esi+22], 0
65EDC4C8 |. 0F85 FF000000 jnz 65EDC5CD
65EDC4CE |. 83FF 01 cmp edi, 1
65EDC4D1 |. 0F85 F6000000 jnz 65EDC5CD
65EDC4D7 |. 8B4E 1C mov ecx, dword ptr [esi+1C]
65EDC4DA |. E8 B102FEFF call 65EBC790
65EDC4DF |. 84C0 test al, al
65EDC4E1 |. 0F85 E6000000 jnz 65EDC5CD
65EDC4E7 |. 68 D8A5F665 push 65F6A5D8 ; ASCII "Calling AUM API to create scheduler entry to be used by updater."
65EDC4EC |. 6A 00 push 0
65EDC4EE |. 6A 04 push 4
65EDC4F0 |. 68 0863F665 push 65F66308 ; ASCII "AMT"
65EDC4F5 |. E8 2603FEFF call 65EBC820
65EDC4FA |. 50 push eax
65EDC4FB |. E8 401A0200 call 65EFDF40
65EDC500 |. 83C4 14 add esp, 14
65EDC503 |. E8 58A30200 call 65F06860
65EDC508 |. 8BE8 mov ebp, eax
65EDC50A |. 85ED test ebp, ebp
65EDC50C |. 0F84 9F000000 je 65EDC5B1
65EDC512 |. 8D4424 10 lea eax, dword ptr [esp+10]
65EDC516 |. 50 push eax
65EDC517 |. 8DBE 50030000 lea edi, dword ptr [esi+350]
65EDC51D |. 57 push edi
65EDC51E |. 55 push ebp
65EDC51F |. C707 01000000 mov dword ptr [edi], 1
65EDC525 |. C74424 1C 000>mov dword ptr [esp+1C], 0
65EDC52D |. E8 EEA60200 call 65F06C20
65EDC532 |. 83C4 0C add esp, 0C
65EDC535 |. 837C24 10 00 cmp dword ptr [esp+10], 0
65EDC53A |. 74 4A je short 65EDC586
65EDC53C |. 833F 00 cmp dword ptr [edi], 0
65EDC53F |. 75 45 jnz short 65EDC586
65EDC541 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
65EDC545 |. 51 push ecx
65EDC546 |. 57 push edi
65EDC547 |. 55 push ebp
65EDC548 |. C74424 20 000>mov dword ptr [esp+20], 0
65EDC550 |. E8 EBA40200 call 65F06A40
65EDC555 |. 8B17 mov edx, dword ptr [edi]
65EDC557 |. 83C4 0C add esp, 0C
65EDC55A |. 52 push edx
65EDC55B |. 68 B0A5F665 push 65F6A5B0 ; ASCII "AUM GetLEID called with status =%d."
65EDC560 |. 6A 00 push 0
65EDC562 |. 6A 04 push 4
65EDC564 |. 68 0863F665 push 65F66308 ; ASCII "AMT"
65EDC569 |. E8 B202FEFF call 65EBC820
65EDC56E |. 50 push eax
65EDC56F |. E8 CC190200 call 65EFDF40
65EDC574 |. 83C4 18 add esp, 18
65EDC577 |. 55 push ebp
65EDC578 |. E8 031C0200 call 65EFE180
65EDC57D |. 8B7C24 20 mov edi, dword ptr [esp+20]
65EDC581 |. 83C4 04 add esp, 4
65EDC584 |. EB 47 jmp short 65EDC5CD
65EDC586 |> 68 8CA5F665 push 65F6A58C ; ASCII "Updater is not enabled by admin."
65EDC58B |. 6A 00 push 0
65EDC58D |. 6A 04 push 4
65EDC58F |. 68 0863F665 push 65F66308 ; ASCII "AMT"
65EDC594 |. E8 8702FEFF call 65EBC820
65EDC599 |. 50 push eax
65EDC59A |. E8 A1190200 call 65EFDF40
65EDC59F |. 83C4 14 add esp, 14
65EDC5A2 |. 55 push ebp
65EDC5A3 |. E8 D81B0200 call 65EFE180
65EDC5A8 |. 8B7C24 20 mov edi, dword ptr [esp+20]
65EDC5AC |. 83C4 04 add esp, 4
65EDC5AF |. EB 1C jmp short 65EDC5CD
65EDC5B1 |> 68 60A5F665 push 65F6A560 ; ASCII "AUM Service Object failed to get created."
65EDC5B6 |. 6A 00 push 0
65EDC5B8 |. 6A 04 push 4
65EDC5BA |. 68 0863F665 push 65F66308 ; ASCII "AMT"
65EDC5BF |. E8 5C02FEFF call 65EBC820
65EDC5C4 |. 50 push eax
65EDC5C5 |. E8 76190200 call 65EFDF40
65EDC5CA |. 83C4 14 add esp, 14
65EDC5CD |> 837E 0C 02 cmp dword ptr [esi+C], 2
65EDC5D1 |. 75 3C jnz short 65EDC60F
65EDC5D3 |. 8B4E 1C mov ecx, dword ptr [esi+1C]
65EDC5D6 |. E8 F500FEFF call 65EBC6D0
65EDC5DB |. 84C0 test al, al
65EDC5DD |. 74 30 je short 65EDC60F
65EDC5DF |. 8B4E 1C mov ecx, dword ptr [esi+1C]
65EDC5E2 |. E8 4902FEFF call 65EBC830
65EDC5E7 |. 84C0 test al, al
65EDC5E9 |. 74 24 je short 65EDC60F
65EDC5EB |. 83FF 02 cmp edi, 2
65EDC5EE |. 75 1F jnz short 65EDC60F
65EDC5F0 |. 57 push edi
65EDC5F1 |. 8BCE mov ecx, esi
65EDC5F3 |. C746 0C 00000>mov dword ptr [esi+C], 0
65EDC5FA |. E8 A11BFFFF call 65ECE1A0
65EDC5FF |. 6A 00 push 0
65EDC601 |. E8 FA89FFFF call 65ED5000
65EDC606 |. 5F pop edi
65EDC607 |. 5E pop esi
65EDC608 |. 5D pop ebp
65EDC609 |. 83C4 0C add esp, 0C
65EDC60C |. C2 0400 retn 4
65EDC60F |> 837E 0C 00 cmp dword ptr [esi+C], 0
65EDC613 |. 74 12 je short 65EDC627
65EDC615 |. 6A 00 push 0
65EDC617 |. 8BCE mov ecx, esi
65EDC619 |. E8 E289FFFF call 65ED5000
65EDC61E |. 5F pop edi
65EDC61F |. 5E pop esi
65EDC620 |. 5D pop ebp
65EDC621 |. 83C4 0C add esp, 0C
65EDC624 |. C2 0400 retn 4
65EDC627 |> 8B6C24 0C mov ebp, dword ptr [esp+C]
65EDC62B |> 57 push edi
65EDC62C |. 8BCE mov ecx, esi
65EDC62E |. E8 0D38FFFF call 65ECFE40
65EDC633 |. 6A 00 push 0
65EDC635 |. 8BCE mov ecx, esi
65EDC637 |. E8 C489FFFF call 65ED5000
65EDC63C |. 8B76 0C mov esi, dword ptr [esi+C] ; mov dword ptr[esi + c], 1
65EDC63F |. 85F6 test esi, esi ; jmp short 65EDC657
65EDC641 |. 74 14 je short 65EDC657
65EDC643 |. 83FE 01 cmp esi, 1
65EDC646 |. 74 0F je short 65EDC657
65EDC648 |. 55 push ebp
65EDC649 |. 68 38A5F665 push 65F6A538 ; ASCII "ERROR: Failure %sing Product License!"
65EDC64E |. 68 B8A6F665 push 65F6A6B8 ; ASCII "%sing"
65EDC653 |. 6A 02 push 2
65EDC655 |. EB 0D jmp short 65EDC664
65EDC657 |> 55 push ebp
65EDC658 |. 68 1CA5F665 push 65F6A51C ; ASCII "AMT: Product License %sed."
65EDC65D |. 68 14A5F665 push 65F6A514 ; ASCII "%sed"
65EDC662 |. 6A 04 push 4
65EDC664 |> 68 0863F665 push 65F66308 ; ASCII "AMT"
65EDC669 |. E8 B201FEFF call 65EBC820
65EDC66E |. 50 push eax
65EDC66F |. E8 CC180200 call 65EFDF40
65EDC674 |. 83C4 18 add esp, 18
65EDC677 |. 5F pop edi
65EDC678 |. 5E pop esi
65EDC679 |. 5D pop ebp
65EDC67A |. 83C4 0C add esp, 0C
65EDC67D \. C2 0400 retn 4
// 跟進來後這裡卡死~!
65EDBD64 |. 6A 01 push 1
65EDBD66 |. 55 push ebp
65EDBD67 |. 8BCE mov ecx, esi
65EDBD69 |. E8 125BFFFF call 65ED1880
65EDBD6E |. 84C0 test al, al
// 往下点根就到这里,看来这里要跳掉:
6530BED8 |> \E8 E35CFEFF call 652F1BC0
6530BEDD |. 3BC3 cmp eax, ebx ;mov eax, ebx
6530BEDF |. 0F84 AC010000 je 6530C091 ;je-> jmp
6530BEE5 |. 83FD 01 cmp ebp, 1
6530BEE8 |. 75 2B jnz short 6530BF15
6530BEEA |. 68 E8A13965 push 6539A1E8 ; ASCII "Prevalidation finds app not activated. Requiring foreground validate."
6530BEEF |. 6A 00 push 0
6530BEF1 |. 6A 04 push 4
6530BEF3 |> 68 08633965 push 65396308 ; ASCII "AMT"
6530BEF8 |. E8 2309FEFF call 652EC820
6530BEFD |. 50 push eax
6530BEFE |. E8 3D200200 call 6532DF40
6530BF03 |. 83C4 14 add esp, 14
6530BF06 |. 5F pop edi
6530BF07 |. C746 0C 02000>mov dword ptr [esi+C], 2
6530BF0E |. 5E pop esi
6530BF0F |. 5D pop ebp
6530BF10 |. 5B pop ebx
6530BF11 |. 59 pop ecx
6530BF12 |. C2 0400 retn 4
//看来差不多,这里JE一下跳到了沒激活的地方
6530BF15 |> \807E 21 00 cmp byte ptr [esi+21], 0
6530BF19 |. 74 43 je short 6530BF5E
6530BF1B |. 8B4E 1C mov ecx, dword ptr [esi+1C]
6530BF1E |. E8 9D5CFEFF call 652F1BC0
6530BF23 |. 85C0 test eax, eax
6530BF25 |. 75 07 jnz short 6530BF2E
6530BF27 |. 68 A8A13965 push 6539A1A8 ; ASCII "Headless: Product is not licensed. Doing silent license check."
6530BF2C |. EB 35 jmp short 6530BF63
6530BF2E |> 68 60A13965 push 6539A160 ; ASCII "Headless: Product has a license. Skipping silent license verification."
6530BF33 |. 6A 00 push 0
6530BF35 |. 6A 04 push 4
6530BF37 |. 68 08633965 push 65396308 ; ASCII "AMT"
6530BF3C |. E8 DF08FEFF call 652EC820
6530BF41 |. 50 push eax
6530BF42 |. E8 F91F0200 call 6532DF40
6530BF47 |. 8B4E 1C mov ecx, dword ptr [esi+1C]
6530BF4A |. 83C4 14 add esp, 14
6530BF4D |. 6A 00 push 0
6530BF4F |. 6A 01 push 1
6530BF51 |. E8 8AB7FEFF call 652F76E0
6530BF56 |. 5F pop edi
6530BF57 |. 5E pop esi
6530BF58 |. 5D pop ebp
6530BF59 |. 5B pop ebx
6530BF5A |. 59 pop ecx
6530BF5B |. C2 0400 retn 4
//需要看看如何跳到激活的地方:
6530BF5E |> \68 10A13965 push 6539A110 ; ASCII "Product is not activated. Starting ALM launch-time product licensing UI."
6530BF63 |> 6A 00 push 0
6530BF65 |. 6A 04 push 4
6530BF67 |. 68 08633965 push 65396308 ; ASCII "AMT"
6530BF6C |. E8 AF08FEFF call 652EC820
6530BF71 |. 50 push eax
6530BF72 |. E8 C91F0200 call 6532DF40
//修改後卡死在這裡
65EBAE42 . 51 push ecx
65EBAE43 . E8 08040400 call 65EFB250
65EBAE48 . E8 83000400 call 65EFAED0 ;這裡斷點
65EBAE4D . 8B15 7478F865 mov edx, dword ptr [65F87874]
65EBAE53 . 51 push ecx
65EBAE54 . DD1C24 fstp qword ptr [esp]
65EBAE57 . 68 206FF665 push 65F66F20 ; ASCII "AMTObtainProductLicense took %f ms"
65EBAE5C . 68 F467F665 push 65F667F4 ; ASCII "%f"
65EBAE61 . 6A 04 push 4
65EBAE63 . 68 FC62F665 push 65F662FC ; ASCII "performance"
65EBAE68 . 52 push edx
65EBAE69 . E8 D2300400 call 65EFDF40
//關掉OD,直接運行PS,未出現激活窗口,在菜單裏查看到,激活菜單已經為灰色,破解完成~!
//我是幸運的按CS4的方法,拿下了CS5,不過是英文的,我有點迷茫了~!
-By Menting
2010. 05. 06 清晨
補丁在這裡:
amtlib_cs5.rar
漢化補丁:
修正了已經發現的CS4字樣;
Photoshop_CS5_Patch_zh_CN.rar
有什麼問題,可以跟帖,我抽時間再看看.