[Help] Could an expert take a look at how to get UNLOCKv2Dash done
Did you not unpack it??

[Help] 三耳复读机 cannot be patched completely
Also, could you paste a chunk of the code around the one-minute limit so we can take a look?

[Help] Has anyone cracked "VolleyMail 8.8 bulk mailer"? Please give some hints on how to break the 200-message limit
C8 is 200 in hexadecimal. The poster above wants you to search the program for this limit value and change it to something huge, or use the address of that value to find the key jump and patch it.

[Original] Too idle lately; no more spam posts, here is a cracking write-up instead
Writing a keygen in assembly... one word: impressive!

[Discussion] Am I the petty one, or is the software's author??
Set up a virtual machine and play with it there ^_^

[Discussion] A newbie posts a cracking write-up for everyone to see
Nice, supported!

[Help] Requesting a crack for the self-check of 千千静听's resource file ttpres.dll
What are you trying to do? 千千 is free to begin with...

[Help] Ran into a tricky piece of software
Does the Add you patched only control what is shown on screen? That is, the number displayed on screen increased, but the number the program uses internally for its check did not.

[Help] Where to set a breakpoint in a loop like this
Are you trying to find the software's installation password? When the archive you provided is run, it creates a subdirectory named ae26907 under the temp directory; the setup.exe in that directory is the program that actually contains the installation-password check. Load it in OD, set bp MessageBoxA, enter any registration code (as long as it is not the correct one) and it breaks here:

0041A8E3 |. 50 push eax
0041A8E4 |. 68 A8B64500 push 0045B6A8 ; ASCII "pasha and andrey"
0041A8E9 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0041A8EC |. E8 CFA0FEFF call 004049C0
0041A8F1 |. 50 push eax ; |Arg1
0041A8F2 |. E8 5FE4FEFF call 00408D56 ; \setup.00408D56
0041A8F7 |. 83C4 10 add esp, 10
0041A8FA |. 8845 E0 mov byte ptr [ebp-20], al
0041A8FD |. C645 FC 00 mov byte ptr [ebp-4], 0
0041A901 |. 8D4D C8 lea ecx, dword ptr [ebp-38]
0041A904 |. E8 B79FFEFF call 004048C0
0041A909 |. 8B4D E0 mov ecx, dword ptr [ebp-20]
0041A90C |. 81E1 FF000000 and ecx, 0FF
0041A912 |. 85C9 test ecx, ecx
0041A914 |. 0F85 94000000 jnz 0041A9AE
0041A91A |. 6A 10 push 10
0041A91C |. 6A 01 push 1 ; /Arg3 = 00000001
0041A91E |. 68 BCB64500 push 0045B6BC ; |Arg2 = 0045B6BC ASCII "IncorrectPasswordTitle"
0041A923 |. 8D55 B8 lea edx, dword ptr [ebp-48] ; |
0041A926 |. 52 push edx ; |Arg1
0041A927 |. 8B45 9C mov eax, dword ptr [ebp-64] ; |
0041A92A |. 8B48 10 mov ecx, dword ptr [eax+10] ; |
0041A92D |. E8 3EA60000 call 00424F70 ; \setup.00424F70
0041A932 |. 8945 8C mov dword ptr [ebp-74], eax
0041A935 |. 8B4D 8C mov ecx, dword ptr [ebp-74]
0041A938 |. 894D 88 mov dword ptr [ebp-78], ecx
0041A93B |. C645 FC 02 mov byte ptr [ebp-4], 2
0041A93F |. 8B4D 88 mov ecx, dword ptr [ebp-78]
0041A942 |. E8 79A0FEFF call 004049C0
0041A947 |. 50 push eax
0041A948 |. 6A 01 push 1 ; /Arg3 = 00000001
0041A94A |. 68 D4B64500 push 0045B6D4 ; |Arg2 = 0045B6D4 ASCII "IncorrectPassword"
0041A94F |. 8D55 A8 lea edx, dword ptr [ebp-58] ; |
0041A952 |. 52 push edx ; |Arg1
0041A953 |. 8B45 9C mov eax, dword ptr [ebp-64] ; |
0041A956 |. 8B48 10 mov ecx, dword ptr [eax+10] ; |
0041A959 |. E8 12A60000 call 00424F70 ; \setup.00424F70
0041A95E |. 8945 84 mov dword ptr [ebp-7C], eax
0041A961 |. 8B4D 84 mov ecx, dword ptr [ebp-7C]
0041A964 |. 894D 80 mov dword ptr [ebp-80], ecx
0041A967 |. C645 FC 03 mov byte ptr [ebp-4], 3
0041A96B |. 8B4D 80 mov ecx, dword ptr [ebp-80]
0041A96E |. E8 4DA0FEFF call 004049C0
0041A973 |. 50 push eax ; |Text
0041A974 |. 8B55 08 mov edx, dword ptr [ebp+8] ; |
0041A977 |. 52 push edx ; |hOwner
0041A978 |. FF15 4CF34400 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
0041A97E |. C645 FC 02 mov byte ptr [ebp-4], 2
0041A982 |. 8D4D A8 lea ecx, dword ptr [ebp-58]
0041A985 |. E8 369FFEFF call 004048C0
0041A98A |. C645 FC 00 mov byte ptr [ebp-4], 0
0041A98E |. 8D4D B8 lea ecx, dword ptr [ebp-48]
0041A991 |. E8 2A9FFEFF call 004048C0
0041A996 |. C645 A4 01 mov byte ptr [ebp-5C], 1
0041A99A |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
0041A9A1 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0041A9A4 |. E8 179FFEFF call 004048C0
0041A9A9 |. 8A45 A4 mov al, byte ptr [ebp-5C]
0041A9AC |. EB 29 jmp short 0041A9D7
0041A9AE |> 68 04040000 push 404 ; /Result = 404 (1028.)

See the jnz at 0041A914? Force it to jump and the installer continues.

[Help] Where to set a breakpoint in a loop like this
If I am not mistaken, this should be the start of the program, right? There is no need to step into those Kernel32 calls.

[Help] 三耳复读机 cannot be patched completely
Load it in OD, set bp MessageBoxA, then F9, enter the registration code, press "OK", and it breaks here:

00405A89 . E8 02C3FFFF call 00401D90 ; pops up the registration window
00405A8E . 8BCE mov ecx, esi
00405A90 . E8 CB5B0100 call 0041B660
00405A95 . 8BCE mov ecx, esi
00405A97 . E8 F4510100 call 0041AC90 ; key call
00405A9C 84C0 test al, al ; flag comparison (but changing only this is still not enough)
00405A9E . 6A 00 push 0
00405AA0 . 68 8C684300 push 0043688C
00405AA5 75 10 jnz short 00405AB7 ; jump taken = success

We step into the key call:

0041AC90 /$ 51 push ecx
0041AC91 |. 53 push ebx
0041AC92 |. 55 push ebp
0041AC93 |. 56 push esi
0041AC94 |. 57 push edi
0041AC95 |. 8BF9 mov edi, ecx
0041AC97 |. E8 240F0000 call 0041BBC0 ; uses Reg.dll to get hard-disk info and process it
0041AC9C |. 8BCF mov ecx, edi
0041AC9E |. E8 0D0F0000 call 0041BBB0
0041ACA3 |. 8BCF mov ecx, edi
0041ACA5 |. E8 A6080000 call 0041B550
0041ACAA |. 8B47 14 mov eax, dword ptr [edi+14]
0041ACAD |. 8D5F 14 lea ebx, dword ptr [edi+14]
0041ACB0 |. 8378 F8 08 cmp dword ptr [eax-8], 8 ; first comparison
0041ACB4 74 08 je short 0041ACBE ; not taken = fail
0041ACB6 |. 5F pop edi
0041ACB7 |. 5E pop esi
0041ACB8 |. 5D pop ebp
0041ACB9 |. 32C0 xor al, al
0041ACBB |. 5B pop ebx
0041ACBC |. 59 pop ecx
0041ACBD |. C3 retn
0041ACBE |> 8BCB mov ecx, ebx
0041ACC0 |. E8 59E40000 call <jmp.&MFC42.#4202_CString::MakeL>
0041ACC5 |. 8B77 18 mov esi, dword ptr [edi+18]
0041ACC8 |. 8B2B mov ebp, dword ptr [ebx]
0041ACCA |. 0FBE46 05 movsx eax, byte ptr [esi+5]
0041ACCE |. 0FBE16 movsx edx, byte ptr [esi]
0041ACD1 |. 8D0C40 lea ecx, dword ptr [eax+eax*2]
0041ACD4 |. 8D0488 lea eax, dword ptr [eax+ecx*4]
0041ACD7 |. 8BCA mov ecx, edx
0041ACD9 |. C1E1 05 shl ecx, 5
0041ACDC |. 03CA add ecx, edx
0041ACDE |. 8D0C49 lea ecx, dword ptr [ecx+ecx*2]
0041ACE1 |. 8D144A lea edx, dword ptr [edx+ecx*2]
0041ACE4 |. B9 24000000 mov ecx, 24
0041ACE9 |. 03C2 add eax, edx
0041ACEB |. 33D2 xor edx, edx
0041ACED |. F7F1 div ecx
0041ACEF |. 0FBE4D 00 movsx ecx, byte ptr [ebp]
0041ACF3 |. 8D41 D0 lea eax, dword ptr [ecx-30] ; Switch (cases 30..7A)
0041ACF6 |. 83F8 4A cmp eax, 4A
0041ACF9 |. 895424 10 mov dword ptr [esp+10], edx
0041ACFD |. 0F87 34010000 ja 0041AE37
0041AD03 |. 33D2 xor edx, edx
0041AD05 |. 8A90 F8B14100 mov dl, byte ptr [eax+41B1F8]
0041AD0B |. FF2495 64B141>jmp dword ptr [edx*4+41B164]
0041AD12 |> B8 13000000 mov eax, 13 ; Case 31 ('1') of switch 0041ACF3
0041AD17 |. E9 20010000 jmp 0041AE3C
0041AD1C |> B8 02000000 mov eax, 2 ; Case 32 ('2') of switch 0041ACF3
0041AD21 |. E9 16010000 jmp 0041AE3C
0041AD26 |> B8 01000000 mov eax, 1 ; Case 33 ('3') of switch 0041ACF3
0041AD2B |. E9 0C010000 jmp 0041AE3C
0041AD30 |> B8 07000000 mov eax, 7 ; Case 34 ('4') of switch 0041ACF3
0041AD35 |. E9 02010000 jmp 0041AE3C
0041AD3A |> B8 22000000 mov eax, 22 ; Case 35 ('5') of switch 0041ACF3
0041AD3F |. E9 F8000000 jmp 0041AE3C
0041AD44 |> B8 05000000 mov eax, 5 ; Case 36 ('6') of switch 0041ACF3
0041AD49 |. E9 EE000000 jmp 0041AE3C
0041AD4E |> B8 04000000 mov eax, 4 ; Case 37 ('7') of switch 0041ACF3
0041AD53 |. E9 E4000000 jmp 0041AE3C
0041AD58 |> B8 10000000 mov eax, 10 ; Case 38 ('8') of switch 0041ACF3
0041AD5D |. E9 DA000000 jmp 0041AE3C
0041AD62 |> 33C0 xor eax, eax ; Case 39 ('9') of switch 0041ACF3
0041AD64 |. E9 D3000000 jmp 0041AE3C
0041AD69 |> B8 11000000 mov eax, 11 ; Case 30 ('0') of switch 0041ACF3
0041AD6E |. E9 C9000000 jmp 0041AE3C
0041AD73 |> B8 1C000000 mov eax, 1C ; Case 61 ('a') of switch 0041ACF3
0041AD78 |. E9 BF000000 jmp 0041AE3C
0041AD7D |> B8 0C000000 mov eax, 0C ; Case 62 ('b') of switch 0041ACF3
0041AD82 |. E9 B5000000 jmp 0041AE3C
0041AD87 |> B8 14000000 mov eax, 14 ; Case 63 ('c') of switch 0041ACF3
0041AD8C |. E9 AB000000 jmp 0041AE3C
0041AD91 |> B8 0E000000 mov eax, 0E ; Case 64 ('d') of switch 0041ACF3
0041AD96 |. E9 A1000000 jmp 0041AE3C
0041AD9B |> B8 0D000000 mov eax, 0D ; Case 65 ('e') of switch 0041ACF3
0041ADA0 |. E9 97000000 jmp 0041AE3C
0041ADA5 |> B8 08000000 mov eax, 8 ; Case 66 ('f') of switch 0041ACF3
0041ADAA |. E9 8D000000 jmp 0041AE3C
0041ADAF |> B8 09000000 mov eax, 9 ; Case 67 ('g') of switch 0041ACF3
0041ADB4 |. E9 83000000 jmp 0041AE3C
0041ADB9 |> B8 12000000 mov eax, 12 ; Case 68 ('h') of switch 0041ACF3
0041ADBE |. EB 7C jmp short 0041AE3C
0041ADC0 |> B8 03000000 mov eax, 3 ; Case 69 ('i') of switch 0041ACF3
0041ADC5 |. EB 75 jmp short 0041AE3C
0041ADC7 |> B8 0F000000 mov eax, 0F ; Case 6A ('j') of switch 0041ACF3
0041ADCC |. EB 6E jmp short 0041AE3C
0041ADCE |> B8 15000000 mov eax, 15 ; Case 6B ('k') of switch 0041ACF3
0041ADD3 |. EB 67 jmp short 0041AE3C
0041ADD5 |> B8 1B000000 mov eax, 1B ; Case 6C ('l') of switch 0041ACF3
0041ADDA |. EB 60 jmp short 0041AE3C
0041ADDC |> B8 18000000 mov eax, 18 ; Case 6D ('m') of switch 0041ACF3
0041ADE1 |. EB 59 jmp short 0041AE3C
0041ADE3 |> B8 17000000 mov eax, 17 ; Case 6E ('n') of switch 0041ACF3
0041ADE8 |. EB 52 jmp short 0041AE3C
0041ADEA |> B8 21000000 mov eax, 21 ; Case 6F ('o') of switch 0041ACF3
0041ADEF |. EB 4B jmp short 0041AE3C
0041ADF1 |> B8 1A000000 mov eax, 1A ; Case 70 ('p') of switch 0041ACF3
0041ADF6 |. EB 44 jmp short 0041AE3C
0041ADF8 |> B8 16000000 mov eax, 16 ; Case 72 ('r') of switch 0041ACF3
0041ADFD |. EB 3D jmp short 0041AE3C
0041ADFF |> B8 1D000000 mov eax, 1D ; Case 73 ('s') of switch 0041ACF3
0041AE04 |. EB 36 jmp short 0041AE3C
0041AE06 |> B8 1E000000 mov eax, 1E ; Case 74 ('t') of switch 0041ACF3
0041AE0B |. EB 2F jmp short 0041AE3C
0041AE0D |> B8 23000000 mov eax, 23 ; Case 75 ('u') of switch 0041ACF3
0041AE12 |. EB 28 jmp short 0041AE3C
0041AE14 |> B8 20000000 mov eax, 20 ; Case 76 ('v') of switch 0041ACF3
0041AE19 |. EB 21 jmp short 0041AE3C
0041AE1B |> B8 19000000 mov eax, 19 ; Case 77 ('w') of switch 0041ACF3
0041AE20 |. EB 1A jmp short 0041AE3C
0041AE22 |> B8 06000000 mov eax, 6 ; Case 78 ('x') of switch 0041ACF3
0041AE27 |. EB 13 jmp short 0041AE3C
0041AE29 |> B8 1F000000 mov eax, 1F ; Case 79 ('y') of switch 0041ACF3
0041AE2E |. EB 0C jmp short 0041AE3C
0041AE30 |> B8 0A000000 mov eax, 0A ; Case 7A ('z') of switch 0041ACF3
0041AE35 |. EB 05 jmp short 0041AE3C
0041AE37 |> B8 0B000000 mov eax, 0B ; Default case of switch 0041ACF3
0041AE3C |> 394424 10 cmp dword ptr [esp+10], eax
0041AE40 74 0C je short 0041AE4E ; not taken = fail
0041AE42 |. C647 0F 10 mov byte ptr [edi+F], 10
0041AE46 |. 5F pop edi
0041AE47 |. 5E pop esi
0041AE48 |. 5D pop ebp
0041AE49 |. 32C0 xor al, al
0041AE4B |. 5B pop ebx
0041AE4C |. 59 pop ecx
0041AE4D |. C3 retn
0041AE4E |> 0FBE46 01 movsx eax, byte ptr [esi+1]
0041AE52 |. 8D1440 lea edx, dword ptr [eax+eax*2]
0041AE55 |. 8D14D0 lea edx, dword ptr [eax+edx*8]
0041AE58 |. 8D1490 lea edx, dword ptr [eax+edx*4]
0041AE5B |. 8D0450 lea eax, dword ptr [eax+edx*2]
0041AE5E |. 8D1489 lea edx, dword ptr [ecx+ecx*4]
0041AE61 |. 8D0C51 lea ecx, dword ptr [ecx+edx*2]
0041AE64 |. 33D2 xor edx, edx
0041AE66 |. 03C1 add eax, ecx
0041AE68 |. B9 24000000 mov ecx, 24
0041AE6D |. F7F1 div ecx
0041AE6F |. 8BCF mov ecx, edi
0041AE71 |. 8BF2 mov esi, edx
0041AE73 |. 8A55 01 mov dl, byte ptr [ebp+1]
0041AE76 |. 885424 10 mov byte ptr [esp+10], dl
0041AE7A |. 8B4424 10 mov eax, dword ptr [esp+10]
0041AE7E |. 50 push eax
0041AE7F |. E8 DC080000 call 0041B760
0041AE84 |. 3BF0 cmp esi, eax
0041AE86 74 0C je short 0041AE94 ; not taken = fail
0041AE88 |. C647 0F 10 mov byte ptr [edi+F], 10
0041AE8C |. 5F pop edi
0041AE8D |. 5E pop esi
0041AE8E |. 5D pop ebp
0041AE8F |. 32C0 xor al, al
0041AE91 |. 5B pop ebx
0041AE92 |. 59 pop ecx
0041AE93 |. C3 retn
0041AE94 |> 8B4F 18 mov ecx, dword ptr [edi+18]
0041AE97 |. 8B33 mov esi, dword ptr [ebx]
0041AE99 |. 0FBE49 02 movsx ecx, byte ptr [ecx+2]
0041AE9D |. 0FBE56 01 movsx edx, byte ptr [esi+1]
0041AEA1 |. 8BC1 mov eax, ecx
0041AEA3 |. C1E0 05 shl eax, 5
0041AEA6 |. 03C1 add eax, ecx
0041AEA8 |. 8BCA mov ecx, edx
0041AEAA |. C1E1 05 shl ecx, 5
0041AEAD |. 03CA add ecx, edx
0041AEAF |. 8D0440 lea eax, dword ptr [eax+eax*2]
0041AEB2 |. 8D0C49 lea ecx, dword ptr [ecx+ecx*2]
0041AEB5 |. 8D144A lea edx, dword ptr [edx+ecx*2]
0041AEB8 |. B9 24000000 mov ecx, 24
0041AEBD |. 03C2 add eax, edx
0041AEBF |. 33D2 xor edx, edx
0041AEC1 |. F7F1 div ecx
0041AEC3 |. 8BCF mov ecx, edi
0041AEC5 |. 8BEA mov ebp, edx
0041AEC7 |. 8A56 02 mov dl, byte ptr [esi+2]
0041AECA |. 885424 10 mov byte ptr [esp+10], dl
0041AECE |. 8B4424 10 mov eax, dword ptr [esp+10]
0041AED2 |. 50 push eax
0041AED3 |. E8 A80A0000 call 0041B980
0041AED8 |. 3BE8 cmp ebp, eax
0041AEDA 74 0C je short 0041AEE8 ; not taken = fail
0041AEDC |. C647 0F 10 mov byte ptr [edi+F], 10
0041AEE0 |. 5F pop edi
0041AEE1 |. 5E pop esi
0041AEE2 |. 5D pop ebp
0041AEE3 |. 32C0 xor al, al
0041AEE5 |. 5B pop ebx
0041AEE6 |. 59 pop ecx
0041AEE7 |. C3 retn
0041AEE8 |> 8B77 18 mov esi, dword ptr [edi+18]
0041AEEB |. 8B2B mov ebp, dword ptr [ebx]
0041AEED |. 0FBE46 03 movsx eax, byte ptr [esi+3]
0041AEF1 |. 8D0CC0 lea ecx, dword ptr [eax+eax*8]
0041AEF4 |. 8D0448 lea eax, dword ptr [eax+ecx*2]
0041AEF7 |. 0FBE4D 02 movsx ecx, byte ptr [ebp+2]
0041AEFB |. 8BD1 mov edx, ecx
0041AEFD |. C1E2 05 shl edx, 5
0041AF00 |. 03D1 add edx, ecx
0041AF02 |. B9 24000000 mov ecx, 24
0041AF07 |. 03C2 add eax, edx
0041AF09 |. 33D2 xor edx, edx
0041AF0B |. F7F1 div ecx
0041AF0D |. 0FBE45 03 movsx eax, byte ptr [ebp+3]
0041AF11 |. 83C0 D0 add eax, -30 ; Switch (cases 30..7A)
0041AF14 |. 83F8 4A cmp eax, 4A
0041AF17 |. 0F87 34010000 ja 0041B051
0041AF1D |. 33C9 xor ecx, ecx
0041AF1F |. 8A88 D8B24100 mov cl, byte ptr [eax+41B2D8]
0041AF25 |. FF248D 44B241>jmp dword ptr [ecx*4+41B244]
0041AF2C |> B8 02000000 mov eax, 2 ; Case 31 ('1') of switch 0041AF11
0041AF31 |. E9 20010000 jmp 0041B056
0041AF36 |> B8 13000000 mov eax, 13 ; Case 32 ('2') of switch 0041AF11
0041AF3B |. E9 16010000 jmp 0041B056
0041AF40 |> B8 07000000 mov eax, 7 ; Case 33 ('3') of switch 0041AF11
0041AF45 |. E9 0C010000 jmp 0041B056
0041AF4A |> B8 01000000 mov eax, 1 ; Case 34 ('4') of switch 0041AF11
0041AF4F |. E9 02010000 jmp 0041B056
0041AF54 |> B8 05000000 mov eax, 5 ; Case 35 ('5') of switch 0041AF11
0041AF59 |. E9 F8000000 jmp 0041B056
0041AF5E |> B8 22000000 mov eax, 22 ; Case 36 ('6') of switch 0041AF11
0041AF63 |. E9 EE000000 jmp 0041B056
0041AF68 |> B8 10000000 mov eax, 10 ; Case 37 ('7') of switch 0041AF11
0041AF6D |. E9 E4000000 jmp 0041B056
0041AF72 |> B8 04000000 mov eax, 4 ; Case 38 ('8') of switch 0041AF11
0041AF77 |. E9 DA000000 jmp 0041B056
0041AF7C |> B8 11000000 mov eax, 11 ; Case 39 ('9') of switch 0041AF11
0041AF81 |. E9 D0000000 jmp 0041B056
0041AF86 |> 33C0 xor eax, eax ; Case 30 ('0') of switch 0041AF11
0041AF88 |. E9 C9000000 jmp 0041B056
0041AF8D |> B8 0C000000 mov eax, 0C ; Case 61 ('a') of switch 0041AF11
0041AF92 |. E9 BF000000 jmp 0041B056
0041AF97 |> B8 1C000000 mov eax, 1C ; Case 62 ('b') of switch 0041AF11
0041AF9C |. E9 B5000000 jmp 0041B056
0041AFA1 |> B8 0E000000 mov eax, 0E ; Case 63 ('c') of switch 0041AF11
0041AFA6 |. E9 AB000000 jmp 0041B056
0041AFAB |> B8 14000000 mov eax, 14 ; Case 64 ('d') of switch 0041AF11
0041AFB0 |. E9 A1000000 jmp 0041B056
0041AFB5 |> B8 08000000 mov eax, 8 ; Case 65 ('e') of switch 0041AF11
0041AFBA |. E9 97000000 jmp 0041B056
0041AFBF |> B8 0D000000 mov eax, 0D ; Case 66 ('f') of switch 0041AF11
0041AFC4 |. E9 8D000000 jmp 0041B056
0041AFC9 |> B8 12000000 mov eax, 12 ; Case 67 ('g') of switch 0041AF11
0041AFCE |. E9 83000000 jmp 0041B056
0041AFD3 |> B8 09000000 mov eax, 9 ; Case 68 ('h') of switch 0041AF11
0041AFD8 |. EB 7C jmp short 0041B056
0041AFDA |> B8 0F000000 mov eax, 0F ; Case 69 ('i') of switch 0041AF11
0041AFDF |. EB 75 jmp short 0041B056
0041AFE1 |> B8 03000000 mov eax, 3 ; Case 6A ('j') of switch 0041AF11
0041AFE6 |. EB 6E jmp short 0041B056
0041AFE8 |> B8 1B000000 mov eax, 1B ; Case 6B ('k') of switch 0041AF11
0041AFED |. EB 67 jmp short 0041B056
0041AFEF |> B8 15000000 mov eax, 15 ; Case 6C ('l') of switch 0041AF11
0041AFF4 |. EB 60 jmp short 0041B056
0041AFF6 |> B8 17000000 mov eax, 17 ; Case 6D ('m') of switch 0041AF11
0041AFFB |. EB 59 jmp short 0041B056
0041AFFD |> B8 18000000 mov eax, 18 ; Case 6E ('n') of switch 0041AF11
0041B002 |. EB 52 jmp short 0041B056
0041B004 |> B8 1A000000 mov eax, 1A ; Case 6F ('o') of switch 0041AF11
0041B009 |. EB 4B jmp short 0041B056
0041B00B |> B8 21000000 mov eax, 21 ; Case 70 ('p') of switch 0041AF11
0041B010 |. EB 44 jmp short 0041B056
0041B012 |> B8 16000000 mov eax, 16 ; Case 71 ('q') of switch 0041AF11
0041B017 |. EB 3D jmp short 0041B056
0041B019 |> B8 1E000000 mov eax, 1E ; Case 73 ('s') of switch 0041AF11
0041B01E |. EB 36 jmp short 0041B056
0041B020 |> B8 1D000000 mov eax, 1D ; Case 74 ('t') of switch 0041AF11
0041B025 |. EB 2F jmp short 0041B056
0041B027 |> B8 20000000 mov eax, 20 ; Case 75 ('u') of switch 0041AF11
0041B02C |. EB 28 jmp short 0041B056
0041B02E |> B8 23000000 mov eax, 23 ; Case 76 ('v') of switch 0041AF11
0041B033 |. EB 21 jmp short 0041B056
0041B035 |> B8 06000000 mov eax, 6 ; Case 77 ('w') of switch 0041AF11
0041B03A |. EB 1A jmp short 0041B056
0041B03C |> B8 19000000 mov eax, 19 ; Case 78 ('x') of switch 0041AF11
0041B041 |. EB 13 jmp short 0041B056
0041B043 |> B8 0A000000 mov eax, 0A ; Case 79 ('y') of switch 0041AF11
0041B048 |. EB 0C jmp short 0041B056
0041B04A |> B8 1F000000 mov eax, 1F ; Case 7A ('z') of switch 0041AF11
0041B04F |. EB 05 jmp short 0041B056
0041B051 |> B8 0B000000 mov eax, 0B ; Default case of switch 0041AF11
0041B056 |> 3BD0 cmp edx, eax
0041B058 74 0C je short 0041B066 ; not taken = fail
0041B05A |. C647 0F 10 mov byte ptr [edi+F], 10
0041B05E |. 5F pop edi
0041B05F |. 5E pop esi
0041B060 |. 5D pop ebp
0041B061 |. 32C0 xor al, al
0041B063 |. 5B pop ebx
0041B064 |. 59 pop ecx
0041B065 |. C3 retn
0041B066 |> 0FBE46 01 movsx eax, byte ptr [esi+1]
0041B06A |. 8D1440 lea edx, dword ptr [eax+eax*2]
0041B06D |. 8D0CD0 lea ecx, dword ptr [eax+edx*8]
0041B070 |. 8D1488 lea edx, dword ptr [eax+ecx*4]
0041B073 |. 0FBE4E 02 movsx ecx, byte ptr [esi+2]
0041B077 |. 8D0450 lea eax, dword ptr [eax+edx*2]
0041B07A |. 8D1489 lea edx, dword ptr [ecx+ecx*4]
0041B07D |. 8D0C51 lea ecx, dword ptr [ecx+edx*2]
0041B080 |. 33D2 xor edx, edx
0041B082 |. 03C1 add eax, ecx
0041B084 |. B9 24000000 mov ecx, 24
0041B089 |. F7F1 div ecx
0041B08B |. 8BCF mov ecx, edi
0041B08D |. 8BF2 mov esi, edx
0041B08F |. 8A55 05 mov dl, byte ptr [ebp+5]
0041B092 |. 885424 10 mov byte ptr [esp+10], dl
0041B096 |. 8B4424 10 mov eax, dword ptr [esp+10]
0041B09A |. 50 push eax
0041B09B |. E8 C0060000 call 0041B760
0041B0A0 |. 3BF0 cmp esi, eax
0041B0A2 74 0C je short 0041B0B0 ; not taken = fail
0041B0A4 |. C647 0F 10 mov byte ptr [edi+F], 10
0041B0A8 |. 5F pop edi
0041B0A9 |. 5E pop esi
0041B0AA |. 5D pop ebp
0041B0AB |. 32C0 xor al, al
0041B0AD |. 5B pop ebx
0041B0AE |. 59 pop ecx
0041B0AF |. C3 retn
0041B0B0 |> 8B57 18 mov edx, dword ptr [edi+18]
0041B0B3 |. C647 0C 01 mov byte ptr [edi+C], 1
0041B0B7 |. 0FBE4A 03 movsx ecx, byte ptr [edx+3]
0041B0BB |. 0FBE52 02 movsx edx, byte ptr [edx+2]
0041B0BF |. 8BC1 mov eax, ecx
0041B0C1 |. C1E0 05 shl eax, 5
0041B0C4 |. 03C1 add eax, ecx
0041B0C6 |. 8D0440 lea eax, dword ptr [eax+eax*2]
0041B0C9 |. 8D0441 lea eax, dword ptr [ecx+eax*2]
0041B0CC |. 8BCA mov ecx, edx
0041B0CE |. C1E1 05 shl ecx, 5
0041B0D1 |. 03CA add ecx, edx
0041B0D3 |. 33D2 xor edx, edx
0041B0D5 |. 8D0C49 lea ecx, dword ptr [ecx+ecx*2]
0041B0D8 |. 03C1 add eax, ecx
0041B0DA |. B9 24000000 mov ecx, 24
0041B0DF |. F7F1 div ecx
0041B0E1 |. 8BF2 mov esi, edx
0041B0E3 |. 8B13 mov edx, dword ptr [ebx]
0041B0E5 |. 8A42 06 mov al, byte ptr [edx+6]
0041B0E8 |. 884424 10 mov byte ptr [esp+10], al
0041B0EC |. 8B4C24 10 mov ecx, dword ptr [esp+10]
0041B0F0 |. 51 push ecx
0041B0F1 |. 8BCF mov ecx, edi
0041B0F3 |. E8 88080000 call 0041B980
0041B0F8 |. 3BF0 cmp esi, eax
0041B0FA 74 0C je short 0041B108 ; not taken = fail
0041B0FC |. C647 0F 10 mov byte ptr [edi+F], 10
0041B100 |. 5F pop edi
0041B101 |. 5E pop esi
0041B102 |. 5D pop ebp
0041B103 |. 32C0 xor al, al
0041B105 |. 5B pop ebx
0041B106 |. 59 pop ecx
0041B107 |. C3 retn
0041B108 |> 8B4F 18 mov ecx, dword ptr [edi+18]
0041B10B |. C647 0D 01 mov byte ptr [edi+D], 1
0041B10F |. 0FBE51 05 movsx edx, byte ptr [ecx+5]
0041B113 |. 0FBE49 04 movsx ecx, byte ptr [ecx+4]
0041B117 |. 8BC2 mov eax, edx
0041B119 |. C1E0 05 shl eax, 5
0041B11C |. 03C2 add eax, edx
0041B11E |. 8D14C9 lea edx, dword ptr [ecx+ecx*8]
0041B121 |. 8D0C51 lea ecx, dword ptr [ecx+edx*2]
0041B124 |. 33D2 xor edx, edx
0041B126 |. 03C1 add eax, ecx
0041B128 |. B9 24000000 mov ecx, 24
0041B12D |. F7F1 div ecx
0041B12F |. 8BF2 mov esi, edx
0041B131 |. 8B13 mov edx, dword ptr [ebx]
0041B133 |. 8A42 07 mov al, byte ptr [edx+7]
0041B136 |. 884424 10 mov byte ptr [esp+10], al
0041B13A |. 8B4C24 10 mov ecx, dword ptr [esp+10]
0041B13E |. 51 push ecx
0041B13F |. 8BCF mov ecx, edi
0041B141 |. E8 EA010000 call 0041B330
0041B146 |. 3BF0 cmp esi, eax
0041B148 74 0C je short 0041B156 ; not taken = fail
0041B14A |. C647 0F 10 mov byte ptr [edi+F], 10
0041B14E |. 5F pop edi
0041B14F |. 5E pop esi
0041B150 |. 5D pop ebp
0041B151 |. 32C0 xor al, al
0041B153 |. 5B pop ebx
0041B154 |. 59 pop ecx
0041B155 |. C3 retn
0041B156 |> C647 0F 13 mov byte ptr [edi+F], 13 ; this is the success flag
0041B15A |. 5F pop edi
0041B15B |. 5E pop esi
0041B15C |. 5D pop ebp
0041B15D |. B0 01 mov al, 1 ; this al value is used by the jump after the key call
0041B15F |. 5B pop ebx
0041B160 |. 59 pop ecx
0041B161 \. C3 retn

After this analysis we have a rough understanding of the check flow; changing every annotated je to jmp completes the patch. Alternatively, changing the start of the key call at 0041AC90 to

mov byte ptr [edi+F], 13
mov al, 1
retn

also completes the patch. I still cannot post attachments, annoying... Just download the patched main program file from my online drive. Drive address: http://www.edisk.org/?zlm324 File name: VoiceWriter_crack.rar

[Help] What is the difference between these two breakpoints? Newbie question
The function calls inside the program are different; different programs may use different functions to pop up a message.

[Help] 三耳复读机 cannot be patched completely
Then the program checks the registration again later on, via a flag or something similar.