[Original] An alternative crack of XX酷图 + removing the registration check
Posted on: 2010-1-31 12:39 4034

【Title】: An alternative crack of XX酷图 + removing the registration check
【Author】: wuhanqi[LCG]
【Author homepage】: http://hi.baidu.com/wuhanqi
【Author QQ】: 459478830
【Download】: search for it and download it yourself
【Platform】: XP
【Author's note】: Just out of interest, no other purpose. Please correct any mistakes, fellow experts!
--------------------------------------------------------------------------------
【Detailed process】
  Without further ado, straight to the point.
  The program is not packed and is written in Delphi. The unregistered version shows a registration prompt form, not a MessageBox, so I set bp ShowWindow,
  pressed F9 while watching the stack, and it broke successfully:

  0012F7BC   0048F97F  /CALL to ShowWindow from yfClPic.0048F97A
  0012F7C0   001A05C0  |hWnd = 001A05C0 ('用户注册',class='TForm32',parent=001A043E)
  0012F7C4   00000001  \ShowState = SW_SHOWNORMAL
  0012F7C8   0012F7D4  Pointer to next SEH record
  0012F7CC   0048FAA1  SE handler
  0012F7D0   0012F7F4
  
  ...many lines omitted...
  
  0012FB68  |0048C61C  yfClPic.0048C61C
  0012FB6C  |01099EF0
  0012FB70  |0048FD98  RETURN to yfClPic.0048FD98 from yfClPic.0048C878
  0012FB74  |00FA3D44
  0012FB78  |005FDAD1  RETURN to yfClPic.005FDAD1 from yfClPic.0048FD8C 
  0012FB7C  ]0012FBC4
  0012FB80  |005FE971  RETURN to yfClPic.005FE971 from yfClPic.005FDAAC ★
  0012FB84  |00190642
  
  005FE954   .  803D 9CB96B00>CMP BYTE PTR DS:[6BB99C],0
  005FE95B   .  75 14         JNZ SHORT 005FE971                       ;  turn this into a jmp and the prompt box is gone
  005FE95D   .  6A 00         PUSH 0
  005FE95F   .  6A 00         PUSH 0
  005FE961   .  6A 00         PUSH 0
  005FE963   .  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
  005FE966   .  E8 F1A8E7FF   CALL 0047925C
  005FE96B   .  50            PUSH EAX
  005FE96C   .  E8 3BF1FFFF   CALL 005FDAAC                            ;  pops up the registration window
  005FE971   >  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
  00457784   .  53            PUSH EBX
  00457785   .  56            PUSH ESI
  00457786   .  57            PUSH EDI
  00457787   .  8BD8          MOV EBX,EAX
  00457789   .  F643 1C 10    TEST BYTE PTR DS:[EBX+1C],10
  0045778D   .  75 37         JNZ SHORT 004577C6
  0045778F   .  8BBB 78010000 MOV EDI,DWORD PTR DS:[EBX+178]
  00457795   .  85FF          TEST EDI,EDI
  00457797   .  74 06         JE SHORT 0045779F
  00457799   .  807F 61 00    CMP BYTE PTR DS:[EDI+61],0
  0045779D   .  75 09         JNZ SHORT 004577A8
  0045779F   >  83BB 74010000>CMP DWORD PTR DS:[EBX+174],0
  004577A6      74 1E         JE SHORT 004577C6
  004577A8   >  83BB 84010000>CMP DWORD PTR DS:[EBX+184],0
  004577AF   .  74 15         JE SHORT 004577C6
  004577B1   .  8BD3          MOV EDX,EBX
  004577B3   .  8B83 84010000 MOV EAX,DWORD PTR DS:[EBX+184]
  004577B9   .  66:BE B2FF    MOV SI,0FFB2
  004577BD   .  E8 4EC4FAFF   CALL 00403C10                            ;  the original program executes down to here, but in the patched program the jump above skips it, so that jump was modified as well
  004577C2   .  84C0          TEST AL,AL
  004577C4      75 04         JNZ SHORT 004577CA
  004577C6   >  33C0          XOR EAX,EAX
  004577C8   .  EB 02         JMP SHORT 004577CC
  004577CA   >  B0 01         MOV AL,1
  004577CC   >  5F            POP EDI
  004577CD   .  5E            POP ESI
  004577CE   .  5B            POP EBX
  004577CF   .  C3            RETN
  
  00403C10   $  50            PUSH EAX
  00403C11   .  51            PUSH ECX
  00403C12   .  8B00          MOV EAX,DWORD PTR DS:[EAX]
  00403C14   .  E8 C7FFFFFF   CALL 00403BE0
  00403C19   .  59            POP ECX
  
  ...some code omitted...
  0045B720   .  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
  0045B723   .  C680 C8020000>MOV BYTE PTR DS:[EAX+2C8],0
  0045B72A   .  33D2          XOR EDX,EDX
  0045B72C   .  55            PUSH EBP
  0045B72D   .  68 05BA4500   PUSH 0045BA05
  0045B732   .  64:FF32       PUSH DWORD PTR FS:[EDX]
  0045B735   .  64:8922       MOV DWORD PTR FS:[EDX],ESP
  0045B738   .  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
  0045B73B   .  8B80 78010000 MOV EAX,DWORD PTR DS:[EAX+178]           ;  [EAX+178] is zero here, whereas in the original program it is 0x0109166C
  0045B741   .  85C0          TEST EAX,EAX
  0045B743      74 0E         JE SHORT 0045B753                        ;  in the patched program this jump is taken
  0045B745   .  8B55 FC       MOV EDX,DWORD PTR SS:[EBP-4]
  0045B748   .  8982 CC020000 MOV DWORD PTR DS:[EDX+2CC],EAX
  0045B74E   .  E9 0D010000   JMP 0045B860
  0045B753   >  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
  0045B756   .  8B80 74010000 MOV EAX,DWORD PTR DS:[EAX+174]
  0045B75C   .  85C0          TEST EAX,EAX
  0045B75E   .  0F84 F2000000 JE 0045B856
  0045B764   .  8B10          MOV EDX,DWORD PTR DS:[EAX]
  0045B766   .  FF52 44       CALL DWORD PTR DS:[EDX+44]
  0045B769   .  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
  0045B76C   .  E8 E7FEFFFF   CALL 0045B658
  0045B771   .  8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
  0045B774   .  B2 01         MOV DL,1
  0045B776   .  A1 701E4800   MOV EAX,DWORD PTR DS:[481E70]
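As an added illustration from the defender's side (not part of the original post), this Python snippet models the kind of self-integrity check that would have caught the single-byte jump patch described above: a keyed digest over the code bytes, plus a byte-level diff that localises the change to 005FE95B. The code bytes, the key and the base address are constructed from the listing in the post; nothing here was read from the real program, and the build-time reference digest is stood in for by a value computed at start-up.

```python
import hashlib
import hmac

# Constructed sample: the CMP/JNZ pair shown at 005FE954..005FE95C
# (80 3D 9C B9 6B 00 00 / 75 14) followed by the three PUSH 0 (6A 00).
# Hand-assembled from the post's listing, not read from the binary.
CODE_BASE = 0x005FE954
ORIGINAL_CODE = bytes.fromhex("803D9CB96B0000" "7514" "6A00" "6A00" "6A00")

# Assumption: in a real build the key is embedded and the reference digest
# is computed once at build time; here it is derived at import time instead.
DEMO_KEY = b"constructed-demo-key"


def code_digest(code: bytes, key: bytes) -> str:
    """Keyed SHA-256 over the code image; the key stops a patcher from
    simply recomputing a plain hash after editing the bytes."""
    return hmac.new(key, code, hashlib.sha256).hexdigest()


REFERENCE = code_digest(ORIGINAL_CODE, DEMO_KEY)


def verify_code(code: bytes, key: bytes, expected: str) -> bool:
    """True when the code image still matches the reference digest."""
    return hmac.compare_digest(code_digest(code, key), expected)


def changed_offsets(reference: bytes, current: bytes):
    """Virtual addresses whose byte differs, so a failed check can be
    localised; None when the images are not even the same size."""
    if len(reference) != len(current):
        return None
    return [CODE_BASE + i
            for i, (a, b) in enumerate(zip(reference, current)) if a != b]


if __name__ == "__main__":
    # Simulate the tamper from the post: the JNZ opcode at 005FE95B is
    # replaced by an unconditional short jump.
    patched = bytearray(ORIGINAL_CODE)
    patched[0x005FE95B - CODE_BASE] = 0xEB
    print("original ok:", verify_code(ORIGINAL_CODE, DEMO_KEY, REFERENCE))
    print("patched ok: ", verify_code(bytes(patched), DEMO_KEY, REFERENCE))
    print("changed at: ", [hex(a) for a in changed_offsets(ORIGINAL_CODE, bytes(patched))])
```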
