【破解作者】 lee
【作者邮箱】 cracker_lee@126.com
【使用工具】 PEiD(查壳)、flyODBG(OllyDbg 修改版,用于跟踪)
【破解平台】 winXPSP1
【软件名称】 Windows美化大师 1.79
【软件简介】 是否厌倦了Windows一成不变的界面?是否对苹果电脑美观精巧的界面羡慕不已?Windows美化大师给您解决之道,它是一款美化您的Windows的软件,让您的Windows从此更漂亮、更个性化!本软件功能强大,能完全改变您的Windows界面。从外观风格到动态桌面;从开机画面到登录画面;从系统图标到鼠标指针;Windows美化大师给您完全的解决方案!本软件内附带大量界面资源,并且还能到官方网站下载更多界面资源。本软件内置还原功能,免除您的后顾之忧;界面美观大方、操作简单方便、电脑新手也能轻松打造出漂亮、个性化的Windows!更重要的是它不占用系统资源、更不会影响电脑运行速度!
【加壳方式】 ASPack 2.12
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
----------------------------------------------------------------------
【破解内容】 (以下为 OllyDbg 中对 ASPack 2.12 解压存根的逐步跟踪记录。地址以本次加载为准:镜像基址 00400000,存根位于 0073F000;换一台机器或换一次加载,地址可能不同。)
; ---------------------------------------------------------------------------
; OllyDbg trace of the ASPack 2.12 unpacking stub in CoolWin3.exe.
; Addresses are from this one load: image base 00400000 (OllyDbg annotation at
; 0073F283), stub at 0073F000 (RVA 33F000, see 0073F01C).
; Register / slot roles, as established by the code below:
;   ebp       = stub delta base, set by the call/pop pair at 0073F00E/0073F014
;   [ebp+422] = image base (0073F014..0073F029)
;   [ebp+F4D] = GetModuleHandleA (OllyDbg label at 0073F295)
;   [ebp+F49] = called with (module handle, name-or-ordinal): inferred to be
;               GetProcAddress -- confirm in the dump
;   [ebp+54D] = first resolved import, called as (0, size, 1000h, 4): inferred
;               to be VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE)
;   [ebp+551] = second resolved import, labelled kernel32.VirtualFree by
;               OllyDbg at 0073F1B6
; "// jumps" / "// lands here" / "F4 stop" are the original author's
; single-stepping notes (F4 = OllyDbg "run to selection"); they describe the
; path taken in this trace, not a property of the code.
; Reviewer caveats: the stub writes into and then executes code pages
; (0073F115/0073F118, 0073F180/0073F187), so it depends on W+X memory; the
; import table it rebuilds (0073F278 onward) loads DLLs by name; and several
; regions the author skipped (0073F071..0073F089, 0073F1DE..0073F256,
; 0073F307..0073F375) are not in this listing.
; ---------------------------------------------------------------------------
0073F001 C> 60 pushad //save all registers; restored by the popad at 0073F3AF
0073F002 E8 03000000 call CoolWin3.0073F00A //obfuscated call: target 0073F00A lies inside the operand bytes of the jmp shown next, so that decode is bogus -- step into it
0073F007 - E9 EB045D45 jmp 45D0F4F7 //bogus decode, never executed; the bytes from 0073F00A on are really pop ebp / inc ebp / push ebp / retn
0073F00C 55 push ebp //stale decode shown by OllyDbg before re-analysis (see 0073F00A..0073F00D below)
0073F00D C3 retn
0073F00A 5D pop ebp //lands here: ebp = pushed return address 0073F007
0073F00B 45 inc ebp //ebp = 0073F008
0073F00C 55 push ebp
0073F00D C3 retn //"returns" to 0073F008, one byte past the bogus jmp's opcode
0073F00E E8 01000000 call CoolWin3.0073F014 //decode shown before the trace reached 0073F008; same bytes as 0073F00E/0073F013 further down
0073F013 EB 5D jmp short CoolWin3.0073F072
0073F008 /EB 04 jmp short CoolWin3.0073F00E //lands here; hops over the pop/inc/push/retn gadget
0073F00A |5D pop ebp //gadget bytes (already executed above)
0073F00B |45 inc ebp
0073F00C |55 push ebp
0073F00D |C3 retn
0073F00E \E8 01000000 call CoolWin3.0073F014 //second obfuscated call: pushes return address 0073F013 and continues at 0073F014 -- step into it
0073F013 EB 5D jmp short CoolWin3.0073F072 //never executed: the EB byte here is skipped by the call above; 0073F013 is the value popped into ebp below
0073F014 5D pop ebp //lands here: ebp = 0073F013, the stub's delta base (every [ebp+xxx] slot below is relative to it)
0073F015 BB EDFFFFFF mov ebx,-13 //ebx = ebp - 13h = 0073F000 (start of the stub section)
0073F01A 03DD add ebx,ebp
0073F01C 81EB 00F03300 sub ebx,33F000 //minus the stub's RVA (hard-coded at pack time) = image base 00400000
0073F022 83BD 22040000>cmp dword ptr ss:[ebp+422],0 //re-entry guard: has the image base already been recorded?
0073F029 899D 22040000 mov dword ptr ss:[ebp+422],ebx //record it; mov leaves flags alone, so the jnz below still sees the cmp result
0073F02F 0F85 65030000 jnz CoolWin3.0073F39A //second entry: skip unpacking and go straight to the OEP hand-off
0073F035 8D85 2E040000 lea eax,dword ptr ss:[ebp+42E] //module name string at [ebp+42E] (presumably "kernel32.dll" -- confirm in the dump)
0073F03B 50 push eax
0073F03C FF95 4D0F0000 call dword ptr ss:[ebp+F4D] //GetModuleHandleA(name)
0073F042 8985 26040000 mov dword ptr ss:[ebp+426],eax //keep the module handle
0073F048 8BF8 mov edi,eax
0073F04A 8D5D 5E lea ebx,dword ptr ss:[ebp+5E] //API name string at [ebp+5E]
0073F04D 53 push ebx
0073F04E 50 push eax
0073F04F FF95 490F0000 call dword ptr ss:[ebp+F49] //[ebp+F49](handle, name): GetProcAddress by argument shape
0073F055 8985 4D050000 mov dword ptr ss:[ebp+54D],eax //first import; used below as the allocator
0073F05B 8D5D 6B lea ebx,dword ptr ss:[ebp+6B] //second API name string at [ebp+6B]
0073F05E 53 push ebx
0073F05F 57 push edi //module handle again
0073F060 FF95 490F0000 call dword ptr ss:[ebp+F49] //same lookup
0073F066 8985 51050000 mov dword ptr ss:[ebp+551],eax //second import; OllyDbg labels it kernel32.VirtualFree at 0073F1B6
0073F06C 8D45 77 lea eax,dword ptr ss:[ebp+77] //computed jump target 0073F08A: defeats linear disassembly
0073F06F FFE0 jmp eax //author's F4 stop; next stop 0073F08A. Bytes 0073F071..0073F089 are not shown in this listing
0073F08A 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531] //lands here. Optional patch slot: if [ebp+531] is non-zero ...
0073F090 0BDB or ebx,ebx
0073F092 74 0A je short CoolWin3.0073F09E //... (zero in this trace -> skipped) ...
0073F094 8B03 mov eax,dword ptr ds:[ebx]
0073F096 8785 35050000 xchg dword ptr ss:[ebp+535],eax //... swap the dword at [ebx] with [ebp+535], keeping the old value; undone at 0073F1BC..0073F1C8. Purpose not visible here
0073F09C 8903 mov dword ptr ds:[ebx],eax
0073F09E 8DB5 69050000 lea esi,dword ptr ss:[ebp+569] //lands here. esi -> packed-section table; 8-byte entries: [esi]=section RVA, [esi+4]=packed size (see 0073F0E6, 0073F0C7, 0073F19D)
0073F0A4 833E 00 cmp dword ptr ds:[esi],0 //zero RVA terminates the table
0073F0A7 0F84 21010000 je CoolWin3.0073F1CE //no sections -> skip decompression
0073F0AD 6A 04 push 4 //PAGE_READWRITE
0073F0AF 68 00100000 push 1000 //MEM_COMMIT
0073F0B4 68 00180000 push 1800 //size
0073F0B9 6A 00 push 0 //any address
0073F0BB FF95 4D050000 call dword ptr ss:[ebp+54D] //VirtualAlloc(NULL, 1800h, MEM_COMMIT, PAGE_READWRITE) if [ebp+54D] is VirtualAlloc
0073F0BB FF95 4D050000 call dword ptr ss:[ebp+54D] //(line duplicated in the original capture; executed once)
0073F0C1 8985 56010000 mov dword ptr ss:[ebp+156],eax //scratch buffer for the decompressor
0073F0C7 8B46 04 mov eax,dword ptr ds:[esi+4] //loop head (per section): packed size
0073F0CA 05 0E010000 add eax,10E //plus slack
0073F0CF 6A 04 push 4 //PAGE_READWRITE
0073F0D1 68 00100000 push 1000 //MEM_COMMIT
0073F0D6 50 push eax
0073F0D7 6A 00 push 0
0073F0D9 FF95 4D050000 call dword ptr ss:[ebp+54D] //VirtualAlloc(NULL, size+10Eh, MEM_COMMIT, PAGE_READWRITE)
0073F0DF 8985 52010000 mov dword ptr ss:[ebp+152],eax //output buffer for the decompressed section
0073F0E5 56 push esi //table cursor; popped back at 0073F189
0073F0E6 8B1E mov ebx,dword ptr ds:[esi] //section RVA
0073F0E8 039D 22040000 add ebx,dword ptr ss:[ebp+422] //-> section VA in the loaded image
0073F0EE FFB5 56010000 push dword ptr ss:[ebp+156] //scratch buffer
0073F0F4 FF76 04 push dword ptr ds:[esi+4] //packed size
0073F0F7 50 push eax //output buffer
0073F0F8 53 push ebx //packed source (section VA)
0073F0F9 E8 6E050000 call CoolWin3.0073F66C //decompressor (body not in this listing); eax = decompressed length, consumed at 0073F122 and 0073F16D
0073F0FE B3 00 mov bl,0 //the 00 immediate at 0073F0FF acts as a per-section flag; with 0 the branch below falls through into the call/jmp fix-up
0073F100 80FB 00 cmp bl,0
0073F103 75 5E jnz short CoolWin3.0073F163 //author's F4 stop. Not taken here (bl = 0)
0073F103 /75 5E jnz short CoolWin3.0073F163 //(line duplicated in the original capture)
0073F105 |FE85 EC000000 inc byte ptr ss:[ebp+EC] //counter of fixed-up sections (its consumer is not in this listing)
0073F10B |8B3E mov edi,dword ptr ds:[esi] //section RVA
0073F10D |03BD 22040000 add edi,dword ptr ss:[ebp+422] //section VA
0073F113 |FF37 push dword ptr ds:[edi] //save the section's first dword ...
0073F115 |C607 C3 mov byte ptr ds:[edi],0C3 //... overwrite its first byte with RET ...
0073F118 |FFD7 call edi //... call it: a write-then-execute touch of the code page, so the section must be both writable and executable ...
0073F11A |8F07 pop dword ptr ds:[edi] //... and restore the original dword
0073F11C |50 push eax //save; eax still holds the decompressed length
0073F11D |51 push ecx
0073F11E |56 push esi
0073F11F |53 push ebx
0073F120 |8BC8 mov ecx,eax //bytes to scan
0073F122 |83E9 06 sub ecx,6 //stop where a 5-byte call/jmp no longer fits
0073F125 |8BB5 52010000 mov esi,dword ptr ss:[ebp+152] //cursor into the decompressed buffer
0073F12B |33DB xor ebx,ebx //offset of the current byte within the buffer
0073F12D |0BC9 or ecx,ecx //loop head
0073F12F |74 2E je short CoolWin3.0073F15F //nothing left -> done
0073F12F /74 2E je short CoolWin3.0073F15F //(line duplicated in the original capture)
0073F131 |78 2C js short CoolWin3.0073F15F //negative remaining -> done
0073F133 |AC lods byte ptr ds:[esi] //al = next opcode byte
0073F134 |3C E8 cmp al,0E8 //CALL rel32?
0073F136 |74 0A je short CoolWin3.0073F142
0073F138 |EB 00 jmp short CoolWin3.0073F13A //EB 00: a zero-length jump, anti-disassembly noise only
0073F13A |3C E9 cmp al,0E9 //lands here. JMP rel32?
0073F13C |74 04 je short CoolWin3.0073F142
0073F13E |43 inc ebx //not a call/jmp: advance one byte
0073F13F |49 dec ecx
0073F140 ^\EB EB jmp short CoolWin3.0073F12D //back to the loop head
0073F142 8B06 mov eax,dword ptr ds:[esi] //candidate (author's F4 stop): eax = the 4 operand bytes after E8/E9
0073F144 EB 00 jmp short CoolWin3.0073F146 //EB 00 again
0073F146 803E 26 cmp byte ptr ds:[esi],26 //lands here. Transformed operands carry a 26h marker in the low byte; anything else is treated as a plain byte
0073F149 ^ 75 F3 jnz short CoolWin3.0073F13E //no marker -> back to the byte-wise advance
0073F14B 24 00 and al,0 //author's F4 stop. Drop the marker byte
0073F14D C1C0 18 rol eax,18 //rotate by 24: the remaining 3 operand bytes become the absolute target (stored high-byte-first by the packer)
0073F150 2BC3 sub eax,ebx //absolute -> relative to the current instruction offset
0073F152 8906 mov dword ptr ds:[esi],eax //write the restored rel32 back into the buffer
0073F154 83C3 05 add ebx,5 //skip the whole 5-byte instruction
0073F157 83C6 04 add esi,4
0073F15A 83E9 05 sub ecx,5
0073F15D ^ EB CE jmp short CoolWin3.0073F12D //back to the loop head
0073F15F 5B pop ebx //fix-up done (author's F4 stop): restore
0073F160 5E pop esi
0073F161 59 pop ecx
0073F162 58 pop eax //eax = decompressed length again
0073F163 EB 08 jmp short CoolWin3.0073F16D //hop over 8 padding bytes
0073F165 0000 add byte ptr ds:[eax],al //00 00 padding, never executed
0073F16D 8BC8 mov ecx,eax //lands here. byte count = decompressed length
0073F16F 8B3E mov edi,dword ptr ds:[esi] //section RVA
0073F171 03BD 22040000 add edi,dword ptr ss:[ebp+422] //destination: section VA in the image
0073F177 8BB5 52010000 mov esi,dword ptr ss:[ebp+152] //source: decompressed buffer
0073F17D C1F9 02 sar ecx,2 //dword count
0073F180 F3:A5 rep movs dword ptr es:[edi],dword > //copy dwords: writes the unpacked code over the image section, so those pages must be writable
0073F182 8BC8 mov ecx,eax
0073F184 83E1 03 and ecx,3 //remaining 0..3 bytes
0073F187 F3:A4 rep movs byte ptr es:[edi],byte pt>
0073F189 5E pop esi //table cursor pushed at 0073F0E5
0073F18A 68 00800000 push 8000 //MEM_RELEASE
0073F18F 6A 00 push 0
0073F191 FFB5 52010000 push dword ptr ss:[ebp+152]
0073F197 FF95 51050000 call dword ptr ss:[ebp+551] //VirtualFree(output buffer, 0, MEM_RELEASE)
0073F19D 83C6 08 add esi,8 //next table entry
0073F1A0 833E 00 cmp dword ptr ds:[esi],0
0073F1A3 ^ 0F85 1EFFFFFF jnz CoolWin3.0073F0C7 //loop over all packed sections (author: jumps backwards)
0073F1A9 68 00800000 push 8000 //author's F4 stop. MEM_RELEASE
0073F1AE 6A 00 push 0
0073F1B0 FFB5 56010000 push dword ptr ss:[ebp+156]
0073F1B6 FF95 51050000 call dword ptr ss:[ebp+551] //VirtualFree(scratch buffer, 0, MEM_RELEASE)
0073F1B6 FF95 51050000 call dword ptr ss:[ebp+551] ; kernel32.VirtualFree //(line duplicated in the original capture; OllyDbg's label)
0073F1BC 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531] //undo the optional patch made at 0073F08A..0073F09C
0073F1C2 0BDB or ebx,ebx
0073F1C4 74 08 je short CoolWin3.0073F1CE //nothing to undo in this trace
0073F1C6 8B03 mov eax,dword ptr ds:[ebx]
0073F1C8 8785 35050000 xchg dword ptr ss:[ebp+535],eax
0073F1CE 8B95 22040000 mov edx,dword ptr ss:[ebp+422] //lands here. edx = actual image base
0073F1D4 8B85 2D050000 mov eax,dword ptr ss:[ebp+52D] //[ebp+52D]: presumably the preferred image base -- confirm
0073F1DA 2BD0 sub edx,eax //loaded at the preferred base?
0073F1DC /74 79 je short CoolWin3.0073F257 //yes in this trace -> no base relocation. The relocation code at 0073F1DE..0073F256 is not in this listing
0073F257 8B95 22040000 mov edx,dword ptr ss:[ebp+422] //lands here
0073F25D 8BB5 41050000 mov esi,dword ptr ss:[ebp+541] //optional word-patch list (RVA) at [ebp+541]
0073F263 0BF6 or esi,esi
0073F265 74 11 je short CoolWin3.0073F278 //empty in this trace -> skipped
0073F267 03F2 add esi,edx
0073F269 AD lods dword ptr ds:[esi] //entry: RVA of a word to patch; 0 terminates the list
0073F26A 0BC0 or eax,eax
0073F26C 74 0A je short CoolWin3.0073F278
0073F26E 03C2 add eax,edx //target VA
0073F270 8BF8 mov edi,eax
0073F272 66:AD lods word ptr ds:[esi] //the 16-bit value that follows the RVA ...
0073F274 66:AB stos word ptr es:[edi] //... is written into the target
0073F276 ^ EB F1 jmp short CoolWin3.0073F269 //next entry
0073F278 BE 00301100 mov esi,113000 //lands here. RVA of the packer's own import table
0073F27D 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0073F283 03F2 add esi,edx ; CoolWin3.00400000 //esi = 00513000. Entries are 14h bytes with Name at +0C and FirstThunk at +10 (see 0073F285/0073F2CF/0073F38C): the IMAGE_IMPORT_DESCRIPTOR layout
0073F285 8B46 0C mov eax,dword ptr ds:[esi+C] //loop head (per DLL): Name RVA
0073F288 85C0 test eax,eax
0073F28A 0F84 0A010000 je CoolWin3.0073F39A //zero Name = end of table -> OEP hand-off
0073F290 03C2 add eax,edx //DLL name VA
0073F292 8BD8 mov ebx,eax
0073F294 50 push eax
0073F295 FF95 4D0F0000 call dword ptr ss:[ebp+F4D] ; kernel32.GetModuleHandleA //GetModuleHandleA(name)
0073F29B 85C0 test eax,eax
0073F29D 75 07 jnz short CoolWin3.0073F2A6 //already mapped
0073F29F 53 push ebx
0073F2A0 FF95 510F0000 call dword ptr ss:[ebp+F51] //not mapped: [ebp+F51](name) -- presumably LoadLibraryA, confirm. The DLL is loaded by name, so the usual DLL search-order caveats apply
0073F2A6 8985 45050000 mov dword ptr ss:[ebp+545],eax //lands here. module handle for this descriptor
0073F2AC C785 49050000>mov dword ptr ss:[ebp+549],0 //thunk byte offset = 0
0073F2B6 8B95 22040000 mov dword ptr ss:[ebp+422] //loop head (per thunk)
0073F2BC 8B06 mov eax,dword ptr ds:[esi] //OriginalFirstThunk RVA ...
0073F2BE 85C0 test eax,eax
0073F2C0 75 03 jnz short CoolWin3.0073F2C5
0073F2C2 8B46 10 mov eax,dword ptr ds:[esi+10] //... or FirstThunk when OFT is 0
0073F2C5 03C2 add eax,edx
0073F2C7 0385 49050000 add eax,dword ptr ss:[ebp+549] //current thunk VA
0073F2CD 8B18 mov ebx,dword ptr ds:[eax] //thunk value
0073F2CF 8B7E 10 mov edi,dword ptr ds:[esi+10] //matching IAT slot: FirstThunk + offset
0073F2D2 03FA add edi,edx
0073F2D4 03BD 49050000 add edi,dword ptr ss:[ebp+549]
0073F2DA 85DB test ebx,ebx
0073F2DC 0F84 A2000000 je CoolWin3.0073F384 //zero thunk = end of this DLL
0073F2E2 F7C3 00000080 test ebx,80000000 //ordinal flag (IMAGE_ORDINAL_FLAG32)?
0073F2E8 75 04 jnz short CoolWin3.0073F2EE //import by ordinal
0073F2EA 03DA add ebx,edx //by name: RVA -> VA of IMAGE_IMPORT_BY_NAME ...
0073F2EC 43 inc ebx ; CoolWin3.005139AA //... +2 skips the Hint word, ebx -> the name string
0073F2ED 43 inc ebx
0073F2EE 53 push ebx //save
0073F2EF 81E3 FFFFFF7F and ebx,7FFFFFFF //strip the ordinal flag (no-op for names)
0073F2F5 53 push ebx
0073F2F6 FFB5 45050000 push dword ptr ss:[ebp+545]
0073F2FC FF95 490F0000 call dword ptr ss:[ebp+F49] //GetProcAddress(module, name-or-ordinal)
0073F302 85C0 test eax,eax
0073F304 5B pop ebx //author's F4 stop; pop leaves flags alone
0073F305 75 6F jnz short CoolWin3.0073F376 //resolved. The failure path 0073F307..0073F375 is not in this listing
0073F376 8907 mov dword ptr ds:[edi],eax //lands here. write the address into the IAT slot
0073F378 8385 49050000>add dword ptr ss:[ebp+549],4 //next thunk
0073F37F ^ E9 32FFFFFF jmp CoolWin3.0073F2B6 //author: jumps backwards
0073F384 8906 mov dword ptr ds:[esi],eax //author's F4 stop. eax = 0 here: wipe OFT ...
0073F386 8946 0C mov dword ptr ds:[esi+C],eax //... Name ...
0073F389 8946 10 mov dword ptr ds:[esi+10],eax //... and FirstThunk of the finished descriptor (presumably to leave no readable import table for a dumper)
0073F38C 83C6 14 add esi,14 //next descriptor
0073F38F 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0073F395 ^ E9 EBFEFFFF jmp CoolWin3.0073F285 //author: jumps backwards
0073F39A B8 20410F00 mov eax,0F4120 //author's F4 stop. OEP RVA (hard-coded at pack time)
0073F39F 50 push eax
0073F3A0 0385 22040000 add eax,dword ptr ss:[ebp+422] //OEP VA
0073F3A6 59 pop ecx //ecx = OEP RVA
0073F3A7 0BC9 or ecx,ecx //sets ZF from the OEP RVA; popad below does not touch flags
0073F3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax //keep the OEP VA
0073F3AF 61 popad //key marker: restores the registers saved at 0073F001 -- the usual place to look for the OEP hand-off
0073F3B0 75 08 jnz short CoolWin3.0073F3BA //OEP RVA non-zero -> hand off to it
0073F3B2 B8 01000000 mov eax,1 //otherwise return TRUE via retn 0C: the shape of a DLL entry-point return
0073F3B7 C2 0C00 retn 0C
0073F3BA 68 20414F00 push CoolWin3.004F4120 //lands here. push the OEP ...
0073F3BF C3 retn //... and "return" to it: the original entry point
004F4120 55 push ebp //OEP. Author: dumping here with "the first method" (not described on this page) gives a runnable exe; the prologue is Delphi-style
004F4121 8BEC mov ebp,esp
004F4123 83C4 EC add esp,-14 //14h bytes of locals
004F4126 33C0 xor eax,eax
004F4128 8945 EC mov dword ptr ss:[ebp-14],eax
004F412B B8 B83C4F00 mov eax,CoolWin3.004F3CB8 //initialisation call with a constant in eax (body not in listing)
004F4130 E8 172DF1FF call CoolWin3.00406E4C
004F4135 33C0 xor eax,eax
004F4137 55 push ebp //SEH frame: ...
004F4138 68 24424F00 push CoolWin3.004F4224 //... handler 004F4224 ...
004F413D 64:FF30 push dword ptr fs:[eax] //... previous fs:[0] ...
004F4140 64:8920 mov dword ptr fs:[eax],esp //... new frame installed
004F4143 6A 00 push 0 //lpWindowName = NULL
004F4145 68 30424F00 push CoolWin3.004F4230 ; ASCII "h2q3c9l6win" //lpClassName
004F414A E8 5D35F1FF call CoolWin3.004076AC ; jmp to user32.FindWindowA //FindWindowA("h2q3c9l6win", NULL): presumably a single-instance check -- confirm. The function continues past the end of this listing