I changed 6 places in the key CALL; after the crack the program no longer runs and reports a program exception.
1. Why, when I change the key jump, does it report registration succeeded but clicking the register box still lets me register (fake registration)?
2. After changing the key CALL, it jumps to the registration-success location and a message box pops up, but nothing is shown in it; clicking the register box shows it has turned grey. After saving, the file no longer runs and says some memory address has an exception, and OD cannot debug this file either.
The key section:
004A5291 |. E8 22F8F5FF call 00404AB8 ; key CALL, result returned in ZF
004A5296 |. 0F85 A8010000 jnz 004A5444 ; key jump: ZF=0 means registration failed
004A529C |. 8D95 60FEFFFF lea edx, dword ptr [ebp-1A0]
004A52A2 |. A1 9C9B4A00 mov eax, dword ptr [4A9B9C]
004A52A7 |. 8B00 mov eax, dword ptr [eax]
004A52A9 |. E8 2AA4FBFF call 0045F6D8
004A52AE |. 8B85 60FEFFFF mov eax, dword ptr [ebp-1A0]
004A52B4 |. 8D95 64FEFFFF lea edx, dword ptr [ebp-19C]
004A52BA |. E8 1D3FF6FF call 004091DC
004A52BF |. 8B85 64FEFFFF mov eax, dword ptr [ebp-19C]
004A52C5 |. 8D55 FC lea edx, dword ptr [ebp-4]
004A52C8 |. E8 CF37F6FF call 00408A9C
004A52CD |. 8D85 5CFEFFFF lea eax, dword ptr [ebp-1A4]
004A52D3 |. B9 4C554A00 mov ecx, 004A554C ; data3, stores the registration info
004A52D8 |. 8B55 FC mov edx, dword ptr [ebp-4]
004A52DB |. E8 E0F6F5FF call 004049C0
004A52E0 |. 8B95 5CFEFFFF mov edx, dword ptr [ebp-1A4]
004A52E6 |. 8D85 84FEFFFF lea eax, dword ptr [ebp-17C]
004A52EC |. E8 C3DAF5FF call 00402DB4
004A52F1 |. BA 25000000 mov edx, 25
004A52F6 |. 8D85 84FEFFFF lea eax, dword ptr [ebp-17C]
004A52FC |. E8 FBDEF5FF call 004031FC
004A5301 |. E8 86D5F5FF call 0040288C
004A5306 |. 8D95 54FDFFFF lea edx, dword ptr [ebp-2AC]
004A530C |. 8B83 FC060000 mov eax, dword ptr [ebx+6FC]
004A5312 |. E8 B19FF9FF call 0043F2C8
004A5317 |. 8B85 54FDFFFF mov eax, dword ptr [ebp-2AC]
004A531D |. 8D95 58FDFFFF lea edx, dword ptr [ebp-2A8]
004A5323 |. E8 7437F6FF call 00408A9C
004A5328 |. 8B95 58FDFFFF mov edx, dword ptr [ebp-2A8]
004A532E |. 8D85 5CFDFFFF lea eax, dword ptr [ebp-2A4]
004A5334 |. B9 FF000000 mov ecx, 0FF
004A5339 |. E8 12F6F5FF call 00404950
004A533E |. 8D95 5CFDFFFF lea edx, dword ptr [ebp-2A4]
004A5344 |. 8D45 D3 lea eax, dword ptr [ebp-2D]
004A5347 |. B1 0D mov cl, 0D
004A5349 |. E8 C2DBF5FF call 00402F10
004A534E |. 8D95 4CFDFFFF lea edx, dword ptr [ebp-2B4]
004A5354 |. 8B83 18070000 mov eax, dword ptr [ebx+718]
004A535A |. E8 699FF9FF call 0043F2C8
004A535F |. 8B85 4CFDFFFF mov eax, dword ptr [ebp-2B4]
004A5365 |. 8D95 50FDFFFF lea edx, dword ptr [ebp-2B0]
004A536B |. E8 2C37F6FF call 00408A9C
004A5370 |. 8B95 50FDFFFF mov edx, dword ptr [ebp-2B0]
004A5376 |. 8D85 5CFDFFFF lea eax, dword ptr [ebp-2A4]
004A537C |. B9 FF000000 mov ecx, 0FF
004A5381 |. E8 CAF5F5FF call 00404950
004A5386 |. 8D95 5CFDFFFF lea edx, dword ptr [ebp-2A4]
004A538C |. 8D45 E1 lea eax, dword ptr [ebp-1F]
004A538F |. B1 09 mov cl, 9
004A5391 |. E8 7ADBF5FF call 00402F10
004A5396 |. 8D95 44FDFFFF lea edx, dword ptr [ebp-2BC]
004A539C |. 8B83 1C070000 mov eax, dword ptr [ebx+71C]
004A53A2 |. E8 219FF9FF call 0043F2C8
004A53A7 |. 8B85 44FDFFFF mov eax, dword ptr [ebp-2BC]
004A53AD |. 8D95 48FDFFFF lea edx, dword ptr [ebp-2B8]
004A53B3 |. E8 E436F6FF call 00408A9C
004A53B8 |. 8B95 48FDFFFF mov edx, dword ptr [ebp-2B8]
004A53BE |. 8D85 5CFDFFFF lea eax, dword ptr [ebp-2A4]
004A53C4 |. B9 FF000000 mov ecx, 0FF
004A53C9 |. E8 82F5F5FF call 00404950
004A53CE |. 8D95 5CFDFFFF lea edx, dword ptr [ebp-2A4]
004A53D4 |. 8D45 EB lea eax, dword ptr [ebp-15]
004A53D7 |. B1 0C mov cl, 0C
004A53D9 |. E8 32DBF5FF call 00402F10
004A53DE |. 8D55 D3 lea edx, dword ptr [ebp-2D]
004A53E1 |. 8D85 84FEFFFF lea eax, dword ptr [ebp-17C]
004A53E7 |. E8 1CDFF5FF call 00403308
004A53EC |. E8 9BD4F5FF call 0040288C
004A53F1 |. 8D85 84FEFFFF lea eax, dword ptr [ebp-17C]
004A53F7 |. E8 80DAF5FF call 00402E7C
004A53FC |. E8 8BD4F5FF call 0040288C
004A5401 |. 33D2 xor edx, edx
004A5403 |. 8B83 18070000 mov eax, dword ptr [ebx+718]
004A5409 |. 8B08 mov ecx, dword ptr [eax]
004A540B |. FF51 64 call dword ptr [ecx+64]
004A540E |. 33D2 xor edx, edx
004A5410 |. 8B83 1C070000 mov eax, dword ptr [ebx+71C]
004A5416 |. 8B08 mov ecx, dword ptr [eax]
004A5418 |. FF51 64 call dword ptr [ecx+64]
004A541B |. 33D2 xor edx, edx
004A541D |. 8B83 20070000 mov eax, dword ptr [ebx+720]
004A5423 |. 8B08 mov ecx, dword ptr [eax]
004A5425 |. FF51 64 call dword ptr [ecx+64]
004A5428 |. BA 5C554A00 mov edx, 004A555C ; "You have registered successfully!"
004A542D |. 8B83 20070000 mov eax, dword ptr [ebx+720]
004A5433 |. E8 C09EF9FF call 0043F2F8
004A5438 |. B8 74554A00 mov eax, 004A5574 ; "Registration successful, thank you for supporting this software!"
004A543D |. E8 A230F9FF call 004384E4
004A5442 |. EB 41 jmp short 004A5485
004A5444 |> B2 01 mov dl, 1
004A5446 |. 8B83 18070000 mov eax, dword ptr [ebx+718]
004A544C |. 8B08 mov ecx, dword ptr [eax]
004A544E |. FF51 64 call dword ptr [ecx+64]
004A5451 |. B2 01 mov dl, 1
004A5453 |. 8B83 1C070000 mov eax, dword ptr [ebx+71C]
004A5459 |. 8B08 mov ecx, dword ptr [eax]
004A545B |. FF51 64 call dword ptr [ecx+64]
004A545E |. B2 01 mov dl, 1
004A5460 |. 8B83 20070000 mov eax, dword ptr [ebx+720]
004A5466 |. 8B08 mov ecx, dword ptr [eax]
004A5468 |. FF51 64 call dword ptr [ecx+64]
004A546B |. BA A0554A00 mov edx, 004A55A0 ; "Verify software registration info"
004A5470 |. 8B83 20070000 mov eax, dword ptr [ebx+720]
004A5476 |. E8 7D9EF9FF call 0043F2F8
004A547B |. B8 BC554A00 mov eax, 004A55BC ; "Registration failed!"
004A5480 |. E8 5F30F9FF call 004384E4
Code of the key CALL:
00404AB8 /$ 53 push ebx
00404AB9 |. 56 push esi
00404ABA |. 57 push edi
00404ABB |. 89C6 mov esi, eax
00404ABD |. 89D7 mov edi, edx
00404ABF |. 39D0 cmp eax, edx
00404AC1 |. 0F84 8F000000 je 00404B56
00404AC7 |. 85F6 test esi, esi
00404AC9 |. 74 68 je short 00404B33
00404ACB |. 85FF test edi, edi
00404ACD |. 74 6B je short 00404B3A
00404ACF |. 8B46 FC mov eax, dword ptr [esi-4]
00404AD2 |. 8B57 FC mov edx, dword ptr [edi-4]
00404AD5 |. 29D0 sub eax, edx
00404AD7 |. 77 02 ja short 00404ADB
00404AD9 |. 01C2 add edx, eax
00404ADB |> 52 push edx
00404ADC |. C1EA 02 shr edx, 2
00404ADF |. 74 26 je short 00404B07
00404AE1 |> 8B0E /mov ecx, dword ptr [esi]
00404AE3 |. 8B1F |mov ebx, dword ptr [edi]
00404AE5 |. 39D9 |cmp ecx, ebx
00404AE7 |. 75 58 |jnz short 00404B41 ; jumps to the colour-marked location
00404AE9 |. 4A |dec edx
00404AEA |. 74 15 |je short 00404B01
00404AEC |. 8B4E 04 |mov ecx, dword ptr [esi+4]
00404AEF |. 8B5F 04 |mov ebx, dword ptr [edi+4]
00404AF2 |. 39D9 |cmp ecx, ebx
00404AF4 |. 75 4B |jnz short 00404B41 ;
00404AF6 |. 83C6 08 |add esi, 8
00404AF9 |. 83C7 08 |add edi, 8
00404AFC |. 4A |dec edx
00404AFD |.^ 75 E2 \jnz short 00404AE1
00404AFF |. EB 06 jmp short 00404B07
00404B01 |> 83C6 04 add esi, 4
00404B04 |. 83C7 04 add edi, 4
00404B07 |> 5A pop edx
00404B08 |. 83E2 03 and edx, 3
00404B0B |. 74 22 je short 00404B2F
00404B0D |. 8B0E mov ecx, dword ptr [esi]
00404B0F |. 8B1F mov ebx, dword ptr [edi]
00404B11 |. 38D9 cmp cl, bl
00404B13 |. 75 41 jnz short 00404B56 ;
00404B15 |. 4A dec edx
00404B16 |. 74 17 je short 00404B2F
00404B18 |. 38FD cmp ch, bh
00404B1A |. 75 3A jnz short 00404B56
00404B1C |. 4A dec edx
00404B1D |. 74 10 je short 00404B2F
00404B1F |. 81E3 0000FF00 and ebx, 0FF0000
00404B25 |. 81E1 0000FF00 and ecx, 0FF0000
00404B2B |. 39D9 cmp ecx, ebx
00404B2D |. 75 27 jnz short 00404B56
00404B2F |> 01C0 add eax, eax
00404B31 |. EB 23 jmp short 00404B56
00404B33 |> 8B57 FC mov edx, dword ptr [edi-4]
00404B36 |. 29D0 sub eax, edx
00404B38 |. EB 1C jmp short 00404B56
00404B3A |> 8B46 FC mov eax, dword ptr [esi-4]
00404B3D |. 29D0 sub eax, edx
00404B3F |. EB 15 jmp short 00404B56 ;
00404B41 |> 5A pop edx
00404B42 38D9 cmp cl, bl ; changed to mov cl,bl
00404B44 75 10 jnz short 00404B56 ; changed to jz
00404B46 38FD cmp ch, bh ; changed to mov ch,bh
00404B48 75 0C jnz short 00404B56 ; changed to jz
00404B4A C1E9 10 shr ecx, 10 ; changed to nop
00404B4D C1EB 10 shr ebx, 10 ; changed to nop
00404B50 38D9 cmp cl, bl
00404B52 75 02 jnz short 00404B56 ; does not jump
00404B54 38FD cmp ch, bh ; at this point ZF=1
00404B56 |> 5F pop edi
00404B57 |. 5E pop esi
00404B58 |. 5B pop ebx
00404B59 \. C3 retn ; returns with ZF=1
Experts who are interested can play with it; please download the attachment. I suspect this is the restart-verification type, with the registration info saved in the dat3 file; the aspack packer can easily be removed with the ESP rule.