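女孩不可信
Posted on 2011-4-23 14:00
Last edited by 女孩不可信 on 2011-4-23 14:03
YY is voice-chat software that everyone is familiar with. The vendor limits it to 5 instances per computer, so we are going to crack its multi-instance check. The method is simple.
First: we open 5 YY instances. When we try to open the 6th, a prompt appears as shown in the figure.
You see, that is the limit. Now that we know the problem, let's start cracking it.
1. First load duospeak.exe from the YY directory into OD and run it. A prompt like the one in the figure appears.
It turns out that YY has to be started with Start.exe from its directory, but that is inconvenient for debugging, so let's crack this restriction first.
From the above we know that both restrictions pop up a dialog box to notify the user. So we start from the dialog box.
Again load duospeak.exe from the YY directory into OD, then press ALT+E and find the module LayoutWr
Then right-click the module and choose View names
A window appears. In it, find wnd::CMessageWnd::MessageBoxW and set a breakpoint.
Then press F9 to run the program. The program breaks; we look at the stack window and then follow in the disassembly window.
This brings us to 00425F91 |. 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
Scrolling up you will find a jump. Change it to JMP and you are past one of the checks, namely “请使用start 启动YY” ("Please use start to launch YY").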
00425EFF /0F85 A0000000 JNZ duospeak.00425FA5
00425F05 |. |68 7CF14C00 PUSH duospeak.004CF17C
00425F0A |. |8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00425F0D |. |FF15 C89C4C00 CALL DWORD PTR DS:[<&MSVCP71.std::basic_>; MSVCP71.std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >
00425F13 |. |8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00425F17 |. |68 E4B54C00 PUSH duospeak.004CB5E4 ; UNICODE "ProductName"
00425F1C |. |8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00425F1F |. |FF15 C89C4C00 CALL DWORD PTR DS:[<&MSVCP71.std::basic_>; MSVCP71.std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >
00425F25 |. |8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
00425F28 |. |50 PUSH EAX
00425F29 |. |8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
00425F2C |. |50 PUSH EAX
00425F2D |. |C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00425F31 |. |E8 AA210800 CALL duospeak.004A80E0
00425F36 |. |59 POP ECX
00425F37 |. |59 POP ECX
00425F38 |. |8BC8 MOV ECX,EAX
00425F3A |. |C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00425F3E |. |FF15 C09C4C00 CALL DWORD PTR DS:[<&MSVCP71.std::basic_>; MSVCP71.std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::data
00425F44 |. |50 PUSH EAX
00425F45 |. |8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00425F48 |. |FF15 F89C4C00 CALL DWORD PTR DS:[<&MSVCP71.std::basic_>; MSVCP71.std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::operator+=
00425F4E |. |8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
00425F51 |. |C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00425F55 |. |FF15 209B4C00 CALL DWORD PTR DS:[<&MSVCP71.std::basic_>; MSVCP71.std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::~basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >
00425F5B |. |8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00425F5E |. |C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
00425F62 |. |FF15 209B4C00 CALL DWORD PTR DS:[<&MSVCP71.std::basic_>; MSVCP71.std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::~basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >
00425F68 |. |68 78F14C00 PUSH duospeak.004CF178
00425F6D |. |8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00425F70 |. |FF15 F89C4C00 CALL DWORD PTR DS:[<&MSVCP71.std::basic_>; MSVCP71.std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::operator+=
00425F76 |. |6A 00 PUSH 0
00425F78 |. |6A 40 PUSH 40
00425F7A |. |68 6CF14C00 PUSH duospeak.004CF16C
00425F7F |. |8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00425F82 |. |FF15 C09C4C00 CALL DWORD PTR DS:[<&MSVCP71.std::basic_>; MSVCP71.std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::data
00425F88 |. |50 PUSH EAX
00425F89 |. |6A 00 PUSH 0
00425F8B |. |FF15 08944C00 CALL DWORD PTR DS:[<&LayoutWrapper.wnd::>; LayoutWr.wnd::CMessageWnd::MessageBoxW
00425F91 |. |834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
00425F95 |. |83C4 14 ADD ESP,14
00425F98 |. |8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00425F9B |. |FF15 209B4C00 CALL DWORD PTR DS:[<&MSVCP71.std::basic_>; MSVCP71.std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::~basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >
00425FA1 |. |33C0 XOR EAX,EAX
00425FA3 |. |EB 03 JMP SHORT duospeak.00425FA8
00425FA5 |> \33C0 XOR EAX,EAX
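The second one is the multi-instance check. Reload in OD and first remove the first check, 00425EFF |. /0F85 A0000000 JNZ duospeak.00425FA5
Change it to JMP. Then, in the same way, find wnd::CMessageWnd::MessageBoxW and set a breakpoint.
After it breaks, look at the stack window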
0012FE2C 00426464 返回到 duospeak.00426464 来自 LayoutWr.wnd::CMessageWnd::MessageBoxW
We return to 00426464
00426446 . /74 2D JE SHORT duospeak.00426475
00426448 . |807D F0 00 CMP BYTE PTR SS:[EBP-10],0
0042644C . |75 20 JNZ SHORT duospeak.0042646E
0042644E . |6A 00 PUSH 0
00426450 . |6A 40 PUSH 40
00426452 . |68 A0C34C00 PUSH duospeak.004CC3A0
00426457 . |68 0CF24C00 PUSH duospeak.004CF20C
0042645C . |6A 00 PUSH 0
0042645E . |FF15 08944C00 CALL DWORD PTR DS:[<&LayoutWrapper.wnd::>; LayoutWr.wnd::CMessageWnd::MessageBoxW
00426464 . |83C4 14 ADD ESP,14
00426467 . |8BCE MOV ECX,ESI
00426469 . |E8 2BCEFFFF CALL duospeak.00423299
0042646E > |33C0 XOR EAX,EAX
00426470 . |E9 3E010000 JMP duospeak.004265B3
00426475 > \8BCE MOV ECX,ESI
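There are two jumps above. Changing the JE to jmp removes the multi-instance check.
So we only need to change 00426446 to JMP, then Copy to executable - All modifications - Copy all - right-click Save file - Save. That removes the YY3.0 multi-instance check.
The method is simple. My description may not be very detailed, so please bear with me.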
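From the integrity-checking side, both edits described in the post have the same signature: a conditional branch becomes an unconditional jump to the same target. The following is an added example, not part of the original post or of the vendor's code, that compares a reference code region with a suspect copy and reports such rewrites; the reference bytes are the ones listed in the post, while the modified bytes and all function names are constructed for illustration.

```python
# Added example: flag conditional branches rewritten as unconditional jumps.
JCC_SHORT = range(0x70, 0x80)  # 7x rel8     (JE  = 74)
JCC_NEAR = range(0x80, 0x90)   # 0F 8x rel32 (JNZ = 0F 85)

def _rel(code, start, size):
    """Read a signed little-endian branch displacement."""
    return int.from_bytes(code[start:start + size], "little", signed=True)

def decode_branch(code, off, base):
    """Return (kind, target VA) if a branch starts at code[off], else None."""
    op = code[off]
    if op in JCC_SHORT:
        return "jcc", base + off + 2 + _rel(code, off + 1, 1)
    if op == 0xEB:
        return "jmp", base + off + 2 + _rel(code, off + 1, 1)
    if op == 0xE9:
        return "jmp", base + off + 5 + _rel(code, off + 1, 4)
    if op == 0x0F and off + 1 < len(code) and code[off + 1] in JCC_NEAR:
        return "jcc", base + off + 6 + _rel(code, off + 2, 4)
    return None

def find_forced_branches(reference, suspect, base):
    """List (address, target) where a Jcc in reference is a JMP in suspect."""
    if len(reference) != len(suspect):
        raise ValueError("buffers must cover the same address range")
    findings, off = [], 0
    while off < len(reference):
        if reference[off] == suspect[off]:
            off += 1
            continue
        before = decode_branch(reference, off, base)
        after = decode_branch(suspect, off, base)
        if before and after and before[0] == "jcc" and after == ("jmp", before[1]):
            findings.append((base + off, before[1]))
        while off < len(reference) and reference[off] != suspect[off]:
            off += 1  # skip the rest of this modified run
    return findings

# Reference bytes as listed in the post; the modified bytes are constructed.
SITE_A = (0x00425EFF, bytes.fromhex("0F85A0000000"), bytes.fromhex("E9A100000090"))
SITE_B = (0x00426446, bytes.fromhex("742D807DF000"), bytes.fromhex("EB2D807DF000"))

if __name__ == "__main__":
    for base, ref, mod in (SITE_A, SITE_B):
        for addr, target in find_forced_branches(ref, mod, base):
            print(f"{addr:08X}: conditional branch to {target:08X} forced")
```

The comparison is a heuristic over differing byte runs, so it is best run on regions taken from a known-good build against the file on disk or the mapped image.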