好友
阅读权限10
听众
最后登录1970-1-1
|
爆破黄金岛斗地主记牌器过程
【破文标题】爆破黄金岛斗地主记牌器过程
【破文作者】hnld
【作者邮箱】
【作者主页】
【破解工具】OD
【破解平台】盗版XP sp2
【软件名称】DDZ
【软件大小】
【原版下载】搜一下吧!
【保护方式】
【软件简介】一个外挂
【破解声明】刚学破解,超级菜鸟一个,大侠不要见笑.
------------------------------------------------------------------------
【破解过程】本人才学破解,由于没有老师指点,所以很多事情学起来是颠三倒四的,那个地方走不通了,就临时学一下.然后回个头来再破.但总是破不了.正因为这样所以越破越没信心了.无聊中找到这个外挂.无意中竞然破解了它.狂喜之后,拿出来分享一下.请大家不要见笑,总算是我独立完成的东西.
用PEID0.94查壳,显示:ASPack 2.12 -> Alexey Solodovnikov
用超级巡警之虚拟机自动脱壳机直接脱壳。运行脱过后的程序显示:注册码不正确.再用PEID0.94查壳。显示:Borland Delphi 6.0 - 7.0。
用OD载入:
00459230 >/$ 55 push ebp ; (initial cpu selection)
00459231 |. 8BEC mov ebp, esp
00459233 |. 83C4 E4 add esp, -1C
00459236 |. 53 push ebx
00459237 |. 33C0 xor eax, eax
00459239 |. 8945 EC mov dword ptr [ebp-14], eax
0045923C |. 8945 E8 mov dword ptr [ebp-18], eax
0045923F |. 8945 E4 mov dword ptr [ebp-1C], eax
00459242 |. B8 00904500 mov eax, 00459000 ; e
00459247 |. E8 4CD1FAFF call 00406398
0045924C |. 33C0 xor eax, eax
0045924E |. 55 push ebp
0045924F |. 68 30934500 push 00459330
00459254 |. 64:FF30 push dword ptr fs:[eax]
00459257 |. 64:8920 mov dword ptr fs:[eax], esp
0045925A |. E8 D597FAFF call 00402A34
0045925F |. 48 dec eax
00459260 |. 7E 50 jle short 004592B2
00459262 |. 6A 01 push 1
00459264 |. 6A 00 push 0
用OD插件查看ASCⅡ。
上下查看发现有2处注册码不正确。一处注册成功。双击注册成功处。往上查看来到如下地址:
00456EB0 . 55 push ebp
00456EB1 . 68 4F704500 push 0045704F
00456EB6 . 64:FF30 push dword ptr fs:[eax]
00456EB9 . 64:8920 mov dword ptr fs:[eax], esp
00456EBC . 8D55 F0 lea edx, dword ptr [ebp-10]
00456EBF . 8B86 FC020000 mov eax, dword ptr [esi+2FC]
00456EC5 . E8 12D2FDFF call 004340DC
00456ECA . 8B45 F0 mov eax, dword ptr [ebp-10]
00456ECD . E8 06D9FAFF call 004047D8
00456ED2 . 85C0 test eax, eax
00456ED4 . 75 25 jnz short 00456EFB
00456ED6 . 6A 00 push 0
00456ED8 . B9 DC704500 mov ecx, 004570DC ; 错误
00456EDD . BA E4704500 mov edx, 004570E4 ; 注册码不能为空!
00456EE2 . A1 DCB14500 mov eax, dword ptr [45B1DC]
00456EE7 . 8B00 mov eax, dword ptr [eax]
00456EE9 . E8 22CDFFFF call 00453C10
00456EEE . 33C0 xor eax, eax
00456EF0 . 5A pop edx
00456EF1 . 59 pop ecx
00456EF2 . 59 pop ecx
00456EF3 . 64:8910 mov dword ptr fs:[eax], edx
00456EF6 . E9 A0010000 jmp 0045709B
00456EFB > 8D55 E8 lea edx, dword ptr [ebp-18]
00456EFE . 8B86 FC020000 mov eax, dword ptr [esi+2FC]
00456F04 . E8 D3D1FDFF call 004340DC
00456F09 . 8B45 E8 mov eax, dword ptr [ebp-18]
00456F0C . 8D4D EC lea ecx, dword ptr [ebp-14]
00456F0F . BA 00714500 mov edx, 00457100 ; xingsoft
00456F14 . E8 03E4FFFF call 0045531C
00456F19 . 8B45 EC mov eax, dword ptr [ebp-14]
00456F1C . BA 14714500 mov edx, 00457114 ; hjdddz20080306
00456F21 . E8 FED9FAFF call 00404924
00456F26 . EB 48 je short 00456F70
00456F28 . 6A 00 push 0
00456F2A . B9 DC704500 mov ecx, 004570DC ; 错误
00456F2F . BA 24714500 mov edx, 00457124 ; 注册码不正确!
00456F34 . A1 DCB14500 mov eax, dword ptr [45B1DC]
00456F39 . 8B00 mov eax, dword ptr [eax]
00456F3B . E8 D0CCFFFF call 00453C10
00456F40 . 6A 01 push 1 ; /IsShown = 1
00456F42 . 6A 00 push 0 ; |DefDir = NULL
00456F44 . 6A 00 push 0 ; |Parameters = NULL
00456F46 . 68 34714500 push 00457134 ; |
00456F4B . 68 58714500 push 00457158 ; |open
00456F50 . 6A 00 push 0 ; |hWnd = NULL
00456F52 . E8 91FBFCFF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
00456F57 . A1 DCB14500 mov eax, dword ptr [45B1DC]
00456F5C . 8B00 mov eax, dword ptr [eax]
00456F5E . E8 09CCFFFF call 00453B6C
00456F63 . 33C0 xor eax, eax
00456F65 . 5A pop edx
00456F66 . 59 pop ecx
00456F67 . 59 pop ecx
00456F68 . 64:8910 mov dword ptr fs:[eax], edx
00456F6B . E9 2B010000 jmp 0045709B
00456F70 > 6A 00 push 0
00456F72 . B9 60714500 mov ecx, 00457160 ; 提示
00456F77 . BA 68714500 mov edx, 00457168 ; 注册成功!
通过往上翻看知道注册成功是由
00456F26 . EB 48 je short 00456F70
跳转得来,把je改成jmp.保存修改后的程序。运行。随便输入一个数字。提示注册成功。 |
|
发表于 2008-4-3 19:04
