[Discussion] A note for those installing IE 7.0
Mine was downloaded from the official site, so it should be fine, right?

[Original] A study of the QQ斗地主助手 V3.85 registration algorithm
The poster above didn't read carefully: I'm talking about the "new version"; yours is too old! And your patch didn't reach the core either!

[Original] A study of the QQ斗地主助手 V3.85 registration algorithm
The new version now has stronger anti-debugging: it won't even load in the debugger, and it can't be unpacked either. Has 闪电狼 looked into this?

[Original] A study of the QQ斗地主助手 V3.85 registration algorithm
Reply to 闪电狼: it's OK now. I had always assumed that spot was the debugger check: it takes the debugger's name and compares it with explore.exe, and closes automatically if they differ, so I had to rename my debugger to explore.exe to be able to debug it.

[Original] A study of the QQ斗地主助手 V3.85 registration algorithm
Thanks for 闪电狼's pointers! It really was the JE under the other "5V+lKydkJ5cdtWXiuOBXAw==" that was causing trouble. Now the game runs and the card counter shows as registered, but there is still one problem: after a few rounds the 联众 lobby gets closed, and after finishing a game and exiting, the room is closed too, so I have to log in again and find a room, which is quite a hassle. I don't know where else there's a problem. Please advise again!

[Original] A study of the QQ斗地主助手 V3.85 registration algorithm
Patching the EXE makes the registration window go away, but functionality is still limited, the same as unregistered! You have to deal with the DLL! What I'm cracking is "联众疯狂升级记牌器", but they are all the same. Here is the verification section:

004579AC $ 55              push ebp
004579AD . 8BEC            mov ebp, esp
004579AF . 83C4 E0         add esp, -20
004579B2 . 53              push ebx
004579B3 . 33D2            xor edx, edx
004579B5 . 8955 E4         mov dword ptr [ebp-1C], edx
004579B8 . 8955 E0         mov dword ptr [ebp-20], edx
004579BB . 8BD8            mov ebx, eax
004579BD . 33C0            xor eax, eax
004579BF . 55              push ebp
004579C0 . 68 8E7B4500     push 00457B8E
004579C5 . 64:FF30         push dword ptr fs:[eax]
004579C8 . 64:8920         mov dword ptr fs:[eax], esp
004579CB . C645 FF 00      mov byte ptr [ebp-1], 0
004579CF . 8D45 E0         lea eax, dword ptr [ebp-20]
004579D2 . BA A87B4500     mov edx, 00457BA8                        ; ASCII "C:\LZFGSJ.key"
004579D7 . E8 A0CAFAFF     call 0040447C
004579DC . 8B45 E0         mov eax, dword ptr [ebp-20]
004579DF . E8 580FFBFF     call 0040893C
004579E4 . 84C0            test al, al
004579E6 . 75 0D           jnz short 004579F5
004579E8 . 8D55 E0         lea edx, dword ptr [ebp-20]
004579EB . B8 C07B4500     mov eax, 00457BC0                        ; ASCII "LZFGSJ"
004579F0 . E8 9BFDFFFF     call 00457790
004579F5 > 8B45 E0         mov eax, dword ptr [ebp-20]
004579F8 . E8 3F0FFBFF     call 0040893C
004579FD . 84C0            test al, al
004579FF . 0F84 6E010000   je 00457B73
00457A05 . 6A 00           push 0
00457A07 . 6A 01           push 1
00457A09 . 68 C87B4500     push 00457BC8                            ; ASCII "Microsoft Enhanced Cryptographic Provider v1.0"
00457A0E . 6A 00           push 0
00457A10 . 8D45 F0         lea eax, dword ptr [ebp-10]
00457A13 . 50              push eax
00457A14 . E8 37F1FFFF     call <jmp.&advapi32.CryptAcquireConte>
00457A19 . 85C0            test eax, eax
00457A1B . 75 4F           jnz short 00457A6C
00457A1D . 6A 08           push 8
00457A1F . 6A 01           push 1
00457A21 . 68 C87B4500     push 00457BC8                            ; ASCII "Microsoft Enhanced Cryptographic Provider v1.0"
00457A26 . 6A 00           push 0
00457A28 . 8D45 F0         lea eax, dword ptr [ebp-10]
00457A2B . 50              push eax
00457A2C . E8 1FF1FFFF     call <jmp.&advapi32.CryptAcquireConte>
00457A31 . 85C0            test eax, eax
00457A33 . 75 37           jnz short 00457A6C
00457A35 . 84DB            test bl, bl
00457A37 . 0F84 36010000   je 00457B73
00457A3D . 6A 40           push 40                                  ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00457A3F . 68 F87B4500     push 00457BF8                            ; |Title = "提示"
00457A44 . 68 007C4500     push 00457C00                            ; |Text = "本",BB,"?募用芩?,B7,"",A8,"",B0,"姹咎",AB,"低?,AC,"记牌?,F7,"可以正常运行?,AC,CR,LF,"?,AB,"",B2,"",BB,"能正常",D7,"",A2,"",B2,"幔",AC,"",B0,"",B4,"[?,B7,"",B6,"",A8,"]下载升?,B6,"程序?,AC,CR,LF,"下载完成后请运行升?,B6,"程序?,A1...
00457A49 . 6A 00           push 0                                   ; |hOwner = NULL
00457A4B . E8 84F2FAFF     call <jmp.&user32.MessageBoxA>           ; \MessageBoxA
00457A50 . 6A 01           push 1                                   ; /IsShown = 1
00457A52 . 6A 00           push 0                                   ; |DefDir = NULL
00457A54 . 6A 00           push 0                                   ; |Parameters = NULL
00457A56 . 68 747C4500     push 00457C74                            ; |FileName = "http://www.51787.com/ie6setup.exe"
00457A5B . 68 987C4500     push 00457C98                            ; |Operation = "open"
00457A60 . 6A 00           push 0                                   ; |hWnd = NULL
00457A62 . E8 61F2FCFF     call <jmp.&shell32.ShellExecuteA>        ; \ShellExecuteA
00457A67 . E9 07010000     jmp 00457B73
00457A6C > B2 01           mov dl, 1
00457A6E . A1 24274100     mov eax, dword ptr [412724]
00457A73 . E8 B0BBFAFF     call 00403628
00457A78 . 8945 EC         mov dword ptr [ebp-14], eax
00457A7B . 6A 65           push 65                                  ; /Arg2 = 00000065
00457A7D . 6A 0A           push 0A                                  ; |Arg1 = 0000000A
00457A7F . 8B0D 64C64500   mov ecx, dword ptr [45C664]              ; |
00457A85 . B2 01           mov dl, 1                                ; |
00457A87 . A1 A0274100     mov eax, dword ptr [4127A0]              ; |
00457A8C . E8 6BEEFBFF     call 004168FC                            ; \复件_unL.004168FC
00457A91 . 8945 E8         mov dword ptr [ebp-18], eax
00457A94 . 33C0            xor eax, eax
00457A96 . 55              push ebp
00457A97 . 68 6C7B4500     push 00457B6C
00457A9C . 64:FF30         push dword ptr fs:[eax]
00457A9F . 64:8920         mov dword ptr fs:[eax], esp
00457AA2 . 8D45 E4         lea eax, dword ptr [ebp-1C]
00457AA5 . E8 6AFBFFFF     call 00457614
00457AAA . 8B55 E0         mov edx, dword ptr [ebp-20]
00457AAD . 8B45 EC         mov eax, dword ptr [ebp-14]
00457AB0 . E8 6BECFBFF     call 00416720
00457AB5 . 8D45 F8         lea eax, dword ptr [ebp-8]
00457AB8 . 50              push eax
00457AB9 . 6A 00           push 0
00457ABB . 6A 00           push 0
00457ABD . 68 03800000     push 8003
00457AC2 . 8B45 F0         mov eax, dword ptr [ebp-10]
00457AC5 . 50              push eax
00457AC6 . E8 BDF0FFFF     call <jmp.&advapi32.CryptCreateHash>
00457ACB . 6A 00           push 0
00457ACD . 8B45 E4         mov eax, dword ptr [ebp-1C]
00457AD0 . E8 CFCBFAFF     call 004046A4
00457AD5 . 50              push eax
00457AD6 . 8B45 E4         mov eax, dword ptr [ebp-1C]
00457AD9 . E8 C6CDFAFF     call 004048A4
00457ADE . 50              push eax
00457ADF . 8B45 F8         mov eax, dword ptr [ebp-8]
00457AE2 . 50              push eax
00457AE3 . E8 A8F0FFFF     call <jmp.&advapi32.CryptHashData>
00457AE8 . 8D45 F4         lea eax, dword ptr [ebp-C]
00457AEB . 50              push eax
00457AEC . 6A 00           push 0
00457AEE . 6A 00           push 0
00457AF0 . 8B45 E8         mov eax, dword ptr [ebp-18]
00457AF3 . 8B10            mov edx, dword ptr [eax]
00457AF5 . FF12            call dword ptr [edx]
00457AF7 . 50              push eax
00457AF8 . 8B45 E8         mov eax, dword ptr [ebp-18]
00457AFB . 8B40 04         mov eax, dword ptr [eax+4]
00457AFE . 50              push eax
00457AFF . 8B45 F0         mov eax, dword ptr [ebp-10]
00457B02 . 50              push eax
00457B03 . E8 70F0FFFF     call <jmp.&advapi32.CryptImportKey>
00457B08 . 6A 00           push 0
00457B0A . 6A 00           push 0
00457B0C . 8B45 F4         mov eax, dword ptr [ebp-C]
00457B0F . 50              push eax
00457B10 . 8B45 EC         mov eax, dword ptr [ebp-14]
00457B13 . 8B10            mov edx, dword ptr [eax]
00457B15 . FF12            call dword ptr [edx]
00457B17 . 50              push eax
00457B18 . 8B45 EC         mov eax, dword ptr [ebp-14]
00457B1B . 8B40 04         mov eax, dword ptr [eax+4]
00457B1E . 50              push eax
00457B1F . 8B45 F8         mov eax, dword ptr [ebp-8]
00457B22 . 50              push eax
00457B23 . E8 78F0FFFF     call <jmp.&advapi32.CryptVerifySignat>
00457B28 . 83F8 01         cmp eax, 1
00457B2B . 1BC0            sbb eax, eax
00457B2D . 40              inc eax
00457B2E . 8845 FF         mov byte ptr [ebp-1], al
00457B31 . 33C0            xor eax, eax
00457B33 . 5A              pop edx
00457B34 . 59              pop ecx
00457B35 . 59              pop ecx
00457B36 . 64:8910         mov dword ptr fs:[eax], edx
00457B39 . 68 737B4500     push 00457B73
00457B3E > 8B45 F8         mov eax, dword ptr [ebp-8]
00457B41 . 50              push eax
00457B42 . E8 51F0FFFF     call <jmp.&advapi32.CryptDestroyHash>
00457B47 . 8B45 F4         mov eax, dword ptr [ebp-C]
00457B4A . 50              push eax
00457B4B . E8 18F0FFFF     call <jmp.&advapi32.CryptDestroyKey>
00457B50 . 8B45 EC         mov eax, dword ptr [ebp-14]
00457B53 . E8 00BBFAFF     call 00403658
00457B58 . 8B45 E8         mov eax, dword ptr [ebp-18]
00457B5B . E8 F8BAFAFF     call 00403658
00457B60 . 6A 00           push 0
00457B62 . 8B45 F0         mov eax, dword ptr [ebp-10]
00457B65 . 50              push eax
00457B66 . E8 EDEFFFFF     call <jmp.&advapi32.CryptReleaseConte>
00457B6B . C3              retn

I changed it at 00457B62 to mov al,1. After that the registration box no longer pops up at startup, but when a game starts the card counter still says "未注册" and only counts cards twice.

Below is the registration-code check in FGSJ.dll from the install directory:

* Referenced by a CALL at Address:
|:0144ABE4
|
:0144AB10 53                      push ebx
:0144AB11 56                      push esi
:0144AB12 8BF0                    mov esi, eax
:0144AB14 33DB                    xor ebx, ebx
:0144AB16 33C0                    xor eax, eax
:0144AB18 E81BD4FFFF              call 01447F38
:0144AB1D 84C0                    test al, al
:0144AB1F 7439                    je 0144AB5A

* Possible StringData Ref from Code Obj ->"感谢您注册本软件。"
|
:0144AB21 BA68AB4401              mov edx, 0144AB68
:0144AB26 8B8638030000            mov eax, dword ptr [esi+00000338]
:0144AB2C E8FF17FFFF              call 0143C330

* Possible StringData Ref from Code Obj ->"软件已注册"
|
:0144AB31 BA84AB4401              mov edx, 0144AB84
:0144AB36 8B8614030000            mov eax, dword ptr [esi+00000314]
:0144AB3C E8EF17FFFF              call 0143C330
:0144AB41 33D2                    xor edx, edx
:0144AB43 8B863C030000            mov eax, dword ptr [esi+0000033C]
:0144AB49 E8D216FFFF              call 0143C220
:0144AB4E C705E8F144010CFEFFFF    mov dword ptr [0144F1E8], FFFFFE0C
:0144AB58 B301                    mov bl, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0144AB1F(C)
|
:0144AB5A 8BC3                    mov eax, ebx
:0144AB5C 5E                      pop esi
:0144AB5D 5B                      pop ebx
:0144AB5E C3                      ret

But the annoying part is that this DLL file can't be touched, because the EXE compares its MD5!

004594DC |. 8B45 E4         mov eax, dword ptr [ebp-1C]
004594DF |. 8D4D E8         lea ecx, dword ptr [ebp-18]
004594E2 |. BA 44954500     mov edx, 00459544                    ; ASCII "5V+lKydkJ5cdtWXiuOBXAw=="
004594E7 |. E8 80E9FFFF     call 00457E6C
004594EC |. 8B55 E8         mov edx, dword ptr [ebp-18]          <---- takes the original DLL's MD5
004594EF |. 8B45 FC         mov eax, dword ptr [ebp-4]           <---- takes the current DLL's MD5
004594F2 |. E8 D5EDFAFF     call 004082CC
004594F7 |. 84C0            test al, al
004594F9 |. 74 02           je short 004594FD                    <---- fails if they differ
004594FB |. B3 01           mov bl, 1
004594FD |> 33C0            xor eax, eax

If you patch the above as well, you can modify the DLL file, but then the game won't run; even if it is already open, as soon as the card counter runs it closes the game, so only one of the two can be open at a time! I searched for a long time and couldn't find the key to it. I hope the OP will look into it and teach me some more!

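The two gates the post above describes, modelled on the verifier side as an added example (this is not code from the post or from the software discussed): the first listing hashes data with CryptCreateHash using ALG_ID 8003 (CALG_MD5), imports a public key blob with CryptImportKey and checks the blob read from C:\LZFGSJ.key with CryptVerifySignature; the third listing compares the base64 of the DLL's MD5 against a 24-character constant. Textbook RSA over a small constructed key pair stands in for CryptoAPI so the code runs with only the standard library. The key-file layout (payload followed by a fixed-width signature), the payload text and the DLL bytes are constructed assumptions; in the listing the hashed data comes from the helper at 00457614 and the signature from the .key file, which the example folds into one file for brevity.

```python
import base64
import hashlib

# Constructed demo key pair: two Mersenne primes, 2^89-1 and 2^107-1, giving a
# ~196-bit modulus that comfortably holds a 128-bit MD5 digest as an integer.
# Far too small for real use; it only keeps the example standard-library-only.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)
SIG_LEN = (N.bit_length() + 7) // 8   # fixed signature width in bytes

CALG_MD5 = 0x8003  # the ALG_ID pushed before CryptCreateHash in the listing


def _md5_int(data: bytes) -> int:
    """MD5 digest as an integer: the value CryptHashData would accumulate."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def sign_key_file(payload: bytes, d: int = D) -> bytes:
    """Vendor side (never present in the client binary): sign the payload's MD5."""
    return pow(_md5_int(payload), d, N).to_bytes(SIG_LEN, "big")


def verify_key_file(payload: bytes, signature: bytes, e: int = E) -> bool:
    """Client side, mirroring CryptHashData + CryptVerifySignature: open the
    signature with the public exponent and compare it to a fresh digest."""
    if len(signature) != SIG_LEN:
        return False
    return pow(int.from_bytes(signature, "big"), e, N) == _md5_int(payload)


def dll_fingerprint(dll_bytes: bytes) -> str:
    """base64(MD5(file)): 24 characters, the same shape as the constant the
    EXE compares against in the third listing."""
    return base64.b64encode(hashlib.md5(dll_bytes).digest()).decode("ascii")


def parse_key_file(blob: bytes):
    """Constructed layout: payload bytes followed by a fixed-width signature."""
    if len(blob) <= SIG_LEN:
        return None
    return blob[:-SIG_LEN], blob[-SIG_LEN:]


def check_registration(key_file: bytes, dll_bytes: bytes, expected_fp: str) -> dict:
    """Both gates the post describes: a valid signed key file AND an unmodified DLL.
    Either failing leaves the product in the 'unregistered' state."""
    parsed = parse_key_file(key_file)
    sig_ok = parsed is not None and verify_key_file(parsed[0], parsed[1])
    dll_ok = dll_fingerprint(dll_bytes) == expected_fp
    return {"signature_ok": sig_ok, "dll_ok": dll_ok, "registered": sig_ok and dll_ok}


if __name__ == "__main__":
    payload = b"LZFGSJ|user=demo|expires=2099-12-31"          # constructed
    key_file = payload + sign_key_file(payload)
    dll = b"constructed stand-in for FGSJ.dll contents"       # constructed
    good_fp = dll_fingerprint(dll)
    print(check_registration(key_file, dll, good_fp))
    # One byte of the payload changed: the digest moves, the signature no longer opens to it.
    tampered = payload.replace(b"demo", b"evil") + key_file[len(payload):]
    print(check_registration(tampered, dll, good_fp))
    # DLL altered: the key file is still valid, but the hash gate fails.
    print(check_registration(key_file, dll + b"\x00", good_fp))
```

The point worth taking from the model is why the post's author keeps hitting "unregistered" after each single patch: the result is the conjunction of independent checks held in different modules (the EXE's signature verification, the DLL's own state, and the EXE's hash over the DLL), so a scheme of this kind should be reviewed as a whole rather than one comparison at a time.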
[Original] A study of the QQ斗地主助手 V3.85 registration algorithm
Patching here doesn't work; you have to patch that DLL, but once the DLL file is modified the game won't run. I hope the OP will dig deeper!

[Help] About cracking a DLL file
Thanks for the pointers above. I found the DLL's address space in OD, but none of the breakpoints I set get hit! Please advise again!

[Help] Error when re-packing after unpacking
Originally posted by fly:
stripper_v207f isn't on the forum, only Stripper 2.11 RC2, but it can't unpack it. After unpacking with Aspackdie1.41 and re-packing, it runs fine.