【Article title】: 定式详解 V2.0 [Go] - removing the feature limit and patching the registration check: beginner tutorial [2]
【Author】: laoqian[FCG]
【Email】: -
【Homepage】: www.fcgchina.com
【QQ】: -
【Software】: 定式详解 V2.0 [traditional Chinese edition]
【Download】: http://www.lshuzhi.com, but the author no longer offers this version for download; tell me if you need it!
【Packer】: none
【Language】: Delphi
【Tools】: OllyDbg 1.10 fly, W32DSM
【Platform】: Windows family
【Software description】: 定式详解 covers almost every common joseki, with detailed commentary. With it, looking up and studying joseki is no longer a chore. You play one move and the computer shows you every possible reply, including the incorrect ones (the commentary explains why they are wrong). You can also switch to study mode at any time to try out new variations of your own, stepping forward and back freely and sparing yourself the pain of shuffling stones around on a real board.
【Author's note】: Just out of interest, no other purpose. Please correct me where I have gone wrong!
--------------------------------------------------------------------------------
【Detailed process】
It's the Year of the Dog, so no dongle ("dog") cracking this time; let's do another simple patching tutorial instead!
This article is for beginners only; experts, skip it!
A few days ago I played several games of Go and kept losing, mainly because I'd forgotten all the joseki and fell behind right in the opening! It was annoying, so I went looking for joseki software online, but all I found were crippled trial versions, such as 定式详解 V3.0 at http://www.lshuzhi.com/joseki.htm: very convenient to use, but the code is incomplete, so you can't see all the joseki!
Then I remembered that 4 or 5 years ago someone had given me his traditional-Chinese/English edition and asked me to crack it; it was said to be complete. I was new to cracking then, didn't manage it, and put it aside. A search of my hard disk turned it up after all, so let's have a go at it. It's five years old; lshuzhi surely won't come after me for it?!
The version is 定式详解 V2.0, which is really not much different from 3.0; Go joseki haven't changed much in a few hundred years, heh!
But it has restrictions, mainly these:
1. It must be run on a traditional Chinese or English operating system! [Otherwise the traditional text displays as garbage, awkward, isn't it!]
2. Unregistered, you can't use everything, but the code is all there!
Since analysis shows the code is present, we'll patch it to unlock everything. The work is simple; I'll just explain how to get started. For a beginner the hardest parts of cracking are actually where to start, how to analyse quickly, and where best to set breakpoints!
:00484916 8BC0 mov eax, eax
:00484918 55 push ebp
:00484919 8BEC mov ebp, esp
:0048491B B91C000000 mov ecx, 0000001C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00484925(C)
|
:00484920 6A00 push 00000000
:00484922 6A00 push 00000000
:00484924 49 dec ecx
:00484925 75F9 jne 00484920
:00484927 51 push ecx
:00484928 53 push ebx
:00484929 56 push esi
:0048492A 8BD8 mov ebx, eax
:0048492C 33C0 xor eax, eax
:0048492E 55 push ebp
:0048492F 68BF4D4800 push 00484DBF
:00484934 64FF30 push dword ptr fs:[eax]
:00484937 648920 mov dword ptr fs:[eax], esp
* Reference To: kernel32.GetSystemDefaultLangID, Ord:0000h ; API that reports the OS language
|
:0048493A E89921F8FF Call 00406AD8
:0048493F 8BD0 mov edx, eax ; on our simplified system this returns eax=0804; traditional is 0404
:00484941 6683E23F and dx, 003F ; dx=4
:00484945 0FB7F0 movzx esi, ax ; moves 0804
:00484948 C1EE0A shr esi, 0A ; si=2
:0048494B 6683FA04 cmp dx, 0004 ; compare: 4 means Chinese (simplified or traditional), anything else is another system
:0048494F 7506 jne 00484957 ; Chinese: equal, no jump
:00484951 6683FE01 cmp si, 0001 ; compare: 2 is simplified, 1 is traditional
:00484955 7404 je 0048495B ; equal: jump
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048494F(C)
|
:00484957 33C0 xor eax, eax ; flag = 0. We come here when it is not traditional Chinese, e.g. an English system, where the commentary shows as garbage!
:00484959 EB02 jmp 0048495D ; jump to flag A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00484955(U)
|
:0048495B B001 mov al, 01 ; flag = 1: traditional
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00484959(U)
|
:0048495D 88832C030000 mov byte ptr [ebx+0000032C], al ; flag A!! Here al=0 for us
:00484963 6683FA04 cmp dx, 0004 ; compare: 4 means Chinese (simplified or traditional), anything else is another system
:00484967 7506 jne 0048496F ; Chinese: equal, no jump
:00484969 6683FE02 cmp si, 0002 ; compare: 2 is simplified, 1 is traditional
:0048496D 7404 je 00484973 ; equal: jump
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00484967(C)
|
:0048496F 33C0 xor eax, eax ; flag = 0. We come here when it is not simplified Chinese, e.g. an English system, where the commentary shows as garbage!
:00484971 EB02 jmp 00484975 ; jump to flag B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048496D(C)
|
:00484973 B001 mov al, 01 ; flag = 1: simplified
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00484971(U)
|
:00484975 88832D030000 mov byte ptr [ebx+0000032D], al ; flag B! On our simplified system al=1
:0048497B 84C0 test al, al ; the key test,
:0048497D 7416 je 00484995 ; jumps only when al=0! We force it to jmp (EB16)
* Possible StringData Ref from Code Obj ->"该版本不是简体版,简体版请到http://www.lshuzhi"
->".com下载"
|; look up: that is how we get around this!
:0048497F B8D44D4800 mov eax, 00484DD4
:00484984 E887CDFCFF call 00451710
:00484989 A11C924900 mov eax, dword ptr [0049921C]
:0048498E 8B00 mov eax, dword ptr [eax]
:00484990 E8E76AFCFF call 0044B47C ; error prompt; *stepping in shows it calls user32.PostQuitMessage
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048497D(U)
|
:00484995 80BB2D03000000 cmp byte ptr [ebx+0000032D], 00 ; this is 1 here
:0048499C 750D jne 004849AB ; jumps!!
:0048499E 80BB2C03000000 cmp byte ptr [ebx+0000032C], 00
:004849A5 7504 jne 004849AB
:004849A7 33C0 xor eax, eax
:004849A9 EB02 jmp 004849AD
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048499C(C), :004849A5(C)
|
:004849AB B001 mov al, 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004849A9(U)
|
:004849AD 88832E030000 mov byte ptr [ebx+0000032E], al ; flag C! Here al=1 for us
:004849B3 B205 mov dl, 05
:004849B5 8B83D4020000 mov eax, dword ptr [ebx+000002D4] ; keep walking from here and the error prompt is gone
:004849BB E8D871FAFF call 0042BB98
:004849C0 B201 mov dl, 01
:004849C2 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:004849C8 E8CB7AFAFF call 0042C498
:004849CD 33D2 xor edx, edx
:004849CF 8B8324030000 mov eax, dword ptr [ebx+00000324]
:004849D5 E8BE7AFAFF call 0042C498
:004849DA B205 mov dl, 05
:004849DC 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:004849E2 E8B171FAFF call 0042BB98
:004849E7 B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"DA"
|
:004849E9 A1C4DF4000 mov eax, dword ptr [0040DFC4]
:004849EE E825E5F7FF call 00402F18
:004849F3 898330030000 mov dword ptr [ebx+00000330], eax
:004849F9 C78564FFFFFF94000000 mov dword ptr [ebp+FFFFFF64], 00000094
:00484A03 8D8564FFFFFF lea eax, dword ptr [ebp+FFFFFF64]
:00484A09 50 push eax
* Reference To: kernel32.GetVersionExA, Ord:0000h
|
:00484A0A E8F120F8FF Call 00406B00
:00484A0F 83BD74FFFFFF02 cmp dword ptr [ebp+FFFFFF74], 00000002
:00484A16 0F94C0 sete al
:00484A19 888334030000 mov byte ptr [ebx+00000334], al
:00484A1F 80BB2E03000000 cmp byte ptr [ebx+0000032E], 00
:00484A26 0F84E3010000 je 00484C0F ; not taken; keep walking and it exits!! Heh, there is a hidden trap too!
:00484A2C 8D8D60FFFFFF lea ecx, dword ptr [ebp+FFFFFF60]
* Referenced by a CALL at Addresses:
|:00448263 , :00484990 , :00485034 ; three call sites found; let's step into each one!
|
:0044B47C E86303FCFF call 0040B7E4
:0044B481 84C0 test al, al
:0044B483 7407 je 0044B48C
:0044B485 6A00 push 00000000
* Reference To: user32.PostQuitMessage, Ord:0000h
|
:0044B487 E864BDFBFF Call 004071F0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B483(C)
|
:0044B48C C3 ret
At the third one we see:
:00485014 803D648F490000 cmp byte ptr [00498F64], 00
:0048501B 741C je 00485039
:0048501D C605648F490000 mov byte ptr [00498F64], 00
:00485024 80B82D03000000 cmp byte ptr [eax+0000032D], 00 ; here it is: our simplified flag is 1, so of course the jump below is not taken!!
:0048502B 740C je 00485039 ; of course we force the jump: change it to jmp
:0048502D A11C924900 mov eax, dword ptr [0049921C]
:00485032 8B00 mov eax, dword ptr [eax]
:00485034 E84364FCFF call 0044B47C ; the place that calls user32.PostQuitMessage
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048501B(C), :0048502B(U)
|
:00485039 C3 ret
:0048503A 8BC0 mov eax, eax
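To make the LANGID arithmetic in the listing concrete, here is an added example in C (my own code, not from the original post or from 定式详解) that decodes a LANGID the way the code at 0048493F-00484952 does and derives flags A, B and C; the names `primary_6bit`, `classify` and `traditional_build_quits` are my own. It also shows a caveat: the program masks only 6 bits (`and dx, 3F`) where the Windows SDK's PRIMARYLANGID macro masks 10 (0x3FF), so a LANGID with primary id 0x44 is classified as Chinese as well.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the decoding in the listing. Windows' PRIMARYLANGID macro uses
 * id & 0x3FF; the program uses only 6 bits, reproduced here on purpose. */
static unsigned primary_6bit(uint16_t langid) { return langid & 0x3F; }
static unsigned sublang(uint16_t langid)      { return langid >> 10; }

struct lang_flags {
    bool trad;    /* flag A, [ebx+32C]: primary 4, sub 1 (0x0404) */
    bool simp;    /* flag B, [ebx+32D]: primary 4, sub 2 (0x0804) */
    bool chinese; /* flag C, [ebx+32E]: A or B */
};

/* Hypothetical helper: the three flags the startup code stores */
struct lang_flags classify(uint16_t langid)
{
    struct lang_flags f;
    unsigned p = primary_6bit(langid), s = sublang(langid);
    f.trad    = (p == 4 && s == 1);
    f.simp    = (p == 4 && s == 2);
    f.chinese = f.trad || f.simp;
    return f;
}

/* The traditional build heads for the PostQuitMessage routine 0044B47C at
 * 00484990 when flag B is set, i.e. on a simplified-Chinese system, and the
 * third call site at 00485024 tests the same flag again. */
bool traditional_build_quits(uint16_t langid)
{
    return classify(langid).simp;
}

int main(void)
{
    /* Constructed sample LANGIDs: zh-CN, zh-TW, en-US, and primary id 0x44 */
    const uint16_t ids[] = { 0x0804, 0x0404, 0x0409, 0x0444 };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        struct lang_flags f = classify(ids[i]);
        printf("%04X: trad=%d simp=%d chinese=%d quits=%d\n", ids[i],
               f.trad, f.simp, f.chinese, traditional_build_quits(ids[i]));
    }
    return 0;
}
```

The last sample shows why a locale gate built on a sloppy mask and a single byte flag is not a meaningful control: it misclassifies other languages and is decided once, at one memory location.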
Back at 00484A1F, continuing after the detour:
:00484A1F 80BB2E03000000 cmp byte ptr [ebx+0000032E], 00
:00484A26 0F84E3010000 je 00484C0F ; not taken; keep walking and it exits!! Heh, there is a hidden trap too!
:00484A2C 8D8D60FFFFFF lea ecx, dword ptr [ebp+FFFFFF60]
* Possible StringData Ref from Code Obj ->"定式详解"
|
:00484A32 BA144E4800 mov edx, 00484E14 ; here are the places! The strings we see are clearly simplified Chinese! edx=00484E14
:00484A37 8BC3 mov eax, ebx
:00484A39 E892FAFFFF call 004844D0 ; this looks suspicious; let's step in and see!
:00484A3E 8B9560FFFFFF mov edx, dword ptr [ebp+FFFFFF60]
:00484A44 8BC3 mov eax, ebx
:00484A46 E8657BFAFF call 0042C5B0
:00484A4B 8D8D5CFFFFFF lea ecx, dword ptr [ebp+FFFFFF5C]
* Possible StringData Ref from Code Obj ->"请单击A、B、C等点"
|
:00484A51 BA284E4800 mov edx, 00484E28 ; here are the places! The strings we see are clearly simplified Chinese!
:00484A56 8BC3 mov eax, ebx
:00484A58 E873FAFFFF call 004844D0 ; looks suspicious here,
:00484A5D 8B955CFFFFFF mov edx, dword ptr [ebp+FFFFFF5C]
:00484A63 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:00484A69 E8427BFAFF call 0042C5B0
:00484A6E 8D8D58FFFFFF lea ecx, dword ptr [ebp+FFFFFF58]
* Possible StringData Ref from Code Obj ->"解说"
|
:00484A74 BA444E4800 mov edx, 00484E44 ; here are the places! The strings we see are clearly simplified Chinese!
:00484A79 8BC3 mov eax, ebx
:00484A7B E850FAFFFF call 004844D0 ; looks suspicious here,
:00484A80 8B9558FFFFFF mov edx, dword ptr [ebp+FFFFFF58]
:00484A86 8B8320030000 mov eax, dword ptr [ebx+00000320]
:00484A8C E81F7BFAFF call 0042C5B0
:00484A91 8D8D54FFFFFF lea ecx, dword ptr [ebp+FFFFFF54]
* Referenced by a CALL at Addresses:
|:00482A8C , :00482AAA , :00482ACC , :00482B13 , :00482B57
|:0048309B , :004830B9 , :004839E5 , :00483A03 , :00483A25
|:00483A47 , :00483A69 , :00483CB8 , :00483D03 , :00484A39
|:00484A58 , :00484A7B , :00484A9E , :00484AC1 , :00484AE4
|:00484B07 , :00484B2A , :00484B4D , :00484B73 , :00484B96
|:00484BC8 , :00484BF9 , :004852FD , :0048543A , :0048589C
|:00485A51 , :00485B70 , :0048639B , :0048673F , :00486766
|
:004844D0 53 push ebx
:004844D1 56 push esi
:004844D2 57 push edi
:004844D3 8BF9 mov edi, ecx
:004844D5 8BF2 mov esi, edx ; the strings we see are clearly simplified Chinese!
:004844D7 8BD8 mov ebx, eax
:004844D9 8BCF mov ecx, edi
:004844DB 8BD6 mov edx, esi ; 'd edx' shows "定式详解"
:004844DD 8B8318030000 mov eax, dword ptr [ebx+00000318]
:004844E3 E878D2FFFF call 00481760 ; this looks suspicious; let's step in and see!
:004844E8 5F pop edi
:004844E9 5E pop esi
:004844EA 5B pop ebx
:004844EB C3 ret