楚汉棋缘1.47版暴力破解!!!!
http://download.it168.com/06/0605/7491/7491_4.shtml
这仅是我学习的历程,不建议使用该软件,因为它捆绑了8个垃圾软件
!!!
我还是很菜的菜鸟,只会简单地使用W32Dasm
查壳显示无壳,用W32Dasm反汇编后,找到注册字符串
* Possible StringData Ref from Data Obj ->"1F3662FAA8E266F962E0F02439186AC00561"
|
:00443FCA 687E905000 push 0050907E
:00443FCF E8ECDEFFFF call 00441EC0
:00443FD4 83C408 add esp, 00000008
:00443FD7 8D9520FFFFFF lea edx, dword ptr [ebp+FFFFFF20]
:00443FDD 52 push edx
:00443FDE 8B8D30FFFFFF mov ecx, dword ptr [ebp+FFFFFF30]
:00443FE4 51 push ecx
:00443FE5 8B852CFFFFFF mov eax, dword ptr [ebp+FFFFFF2C]
:00443FEB 50 push eax
:00443FEC 8B9528FFFFFF mov edx, dword ptr [ebp+FFFFFF28]
:00443FF2 52 push edx
:00443FF3 E840D0FFFF call 00441038
:00443FF8 83C410 add esp, 00000010
:00443FFB 8D8D24FFFFFF lea ecx, dword ptr [ebp+FFFFFF24]
:00444001 51 push ecx
:00444002 8D850CFFFFFF lea eax, dword ptr [ebp+FFFFFF0C]
:00444008 50 push eax
:00444009 E8B2DEFFFF call 00441EC0
:0044400E 83C408 add esp, 00000008
:00444011 8B9520FFFFFF mov edx, dword ptr [ebp+FFFFFF20]
:00444017 52 push edx
:00444018 8B8D24FFFFFF mov ecx, dword ptr [ebp+FFFFFF24]
:0044401E 51 push ecx
:0044401F E874B1FFFF call 0043F198
:00444024 83C408 add esp, 00000008
:00444027 85C0 test eax, eax
:00444029 7415 je 00444040
:0044402B 8B854CFFFFFF mov eax, dword ptr [ebp+FFFFFF4C]
:00444031 50 push eax
:00444032 E851E6FFFF call 00442688
:00444037 59 pop ecx
:00444038 84C0 test al, al
:0044403A 0F8422010000 je 00444162
(关键跳转,我把他改为NOP或JNE,那么在注册时随便输入,都可以成功注册)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444029(C)
|
* Reference To: chess._ChessForm
|
:00444040 8B15B8EB5000 mov edx, dword ptr [0050EBB8]
:00444046 33C0 xor eax, eax
:00444048 8DBD94FEFFFF lea edi, dword ptr [ebp+FFFFFE94]
:0044404E 8B0A mov ecx, dword ptr [edx]
:00444050 81C1B1210000 add ecx, 000021B1
:00444056 8BF1 mov esi, ecx
:00444058 83C9FF or ecx, FFFFFFFF
:0044405B F2 repnz
:0044405C AE scasb
:0044405D F7D1 not ecx
:0044405F 2BF9 sub edi, ecx
:00444061 8BD1 mov edx, ecx
:00444063 87F7 xchg edi, esi
:00444065 C1E902 shr ecx, 02
:00444068 8BC7 mov eax, edi
:0044406A F3 repz
:0044406B A5 movsd
:0044406C 8BCA mov ecx, edx
:0044406E 83E103 and ecx, 00000003
:00444071 F3 repz
:00444072 A4 movsb
:00444073 A1B8EB5000 mov eax, dword ptr [0050EBB8]
:00444078 8DBDA8FEFFFF lea edi, dword ptr [ebp+FFFFFEA8]
:0044407E 8B10 mov edx, dword ptr [eax]
:00444080 33C0 xor eax, eax
:00444082 81C2CA210000 add edx, 000021CA
:00444088 83C9FF or ecx, FFFFFFFF
:0044408B F2 repnz
:0044408C AE scasb
:0044408D F7D1 not ecx
:0044408F 2BF9 sub edi, ecx
:00444091 8BF2 mov esi, edx
:00444093 87F7 xchg edi, esi
:00444095 8BD1 mov edx, ecx
:00444097 8BC7 mov eax, edi
:00444099 C1E902 shr ecx, 02
:0044409C F3 repz
:0044409D A5 movsd
:0044409E 8BCA mov ecx, edx
:004440A0 83E103 and ecx, 00000003
:004440A3 F3 repz
:004440A4 A4 movsb
:004440A5 A1B8EB5000 mov eax, dword ptr [0050EBB8]
:004440AA 8B10 mov edx, dword ptr [eax]
:004440AC C6820122000001 mov byte ptr [edx+00002201], 01
:004440B3 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004440E6(C)
|
:004440B5 E8DAC40800 call 004D0594
:004440BA 99 cdq
* Possible Reference to String Resource ID=00050:
"NNNNNHNNNNNNIN7NNNNN7NGHFNNN2NNNNNNNNNGNNNNNNNNNNNNNNN7NNNNK"
|
:004440BB B932000000 mov ecx, 00000032
:004440C0 F7F9 idiv ecx
:004440C2 8D049B lea eax, dword ptr [ebx+4*ebx]
:004440C5 80C265 add dl, 65
* Reference To: chess._ChessForm
|
:004440C8 8B0DB8EB5000 mov ecx, dword ptr [0050EBB8]
:004440CE 8D0443 lea eax, dword ptr [ebx+2*eax]
:004440D1 C1E003 shl eax, 03
:004440D4 2BC3 sub eax, ebx
:004440D6 8B09 mov ecx, dword ptr [ecx]
:004440D8 8D0483 lea eax, dword ptr [ebx+4*eax]
:004440DB 889481EA0A0000 mov byte ptr [ecx+4*eax+00000AEA], dl
:004440E2 43 inc ebx
:004440E3 83FB05 cmp ebx, 00000005
:004440E6 7CCD jl 004440B5
:004440E8 66C78560FFFFFF8801 mov word ptr [ebp+FFFFFF60], 0188
* Possible StringData Ref from Data Obj ->"注册成功!"
|
:004440F1 BAA3905000 mov edx, 005090A3
:004440F6 8D4580 lea eax, dword ptr [ebp-80]
:004440F9 E86E360900 call 004D776C
:004440FE FF856CFFFFFF inc dword ptr [ebp+FFFFFF6C]
:00444104 8B00 mov eax, dword ptr [eax]
:00444106 33D2 xor edx, edx
:00444108 89957CFFFFFF mov dword ptr [ebp+FFFFFF7C], edx
:0044410E 8D957CFFFFFF lea edx, dword ptr [ebp+FFFFFF7C]
:00444114 FF856CFFFFFF inc dword ptr [ebp+FFFFFF6C]
:0044411A E8A136FEFF call 004277C0
:0044411F 8D857CFFFFFF lea eax, dword ptr [ebp+FFFFFF7C]
:00444125 8B00 mov eax, dword ptr [eax]
:00444127 E8A47C0400 call 0048BDD0
:0044412C FF8D6CFFFFFF dec dword ptr [ebp+FFFFFF6C]
:00444132 8D857CFFFFFF lea eax, dword ptr [ebp+FFFFFF7C]
* Possible Reference to String Resource ID=00002:
"NNNHNINNNNNNNHNNNNNNNNNNN1NNNNNNNNNNNNNNNNNN1NNNNNNNNNENNNNN"
|
:00444138 BA02000000 mov edx, 00000002
:0044413D E882370900 call 004D78C4
:00444142 FF8D6CFFFFFF dec dword ptr [ebp+FFFFFF6C]
:00444148 8D4580 lea eax, dword ptr [ebp-80]
* Possible Reference to String Resource ID=00002:
"NNNHNINNNNNNNHNNNNNNNNNNN1NNNNNNNNNNNNNNNNNN1NNNNNNNNNENNNNN"
|
:0044414B BA02000000 mov edx, 00000002
:00444150 E86F370900 call 004D78C4
:00444155 8B854CFFFFFF mov eax, dword ptr [ebp+FFFFFF4C]
:0044415B E87CBD0300 call 0047FEDC
:00444160 EB73 jmp 004441D5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044403A(C)
|
:00444162 66C78560FFFFFF9401 mov word ptr [ebp+FFFFFF60], 0194
* Possible StringData Ref from Data Obj ->"注册名或注册码输入不对,其中注意1(数字)、I(大"
->"写字母)l(L的小写)、0(数字)、o(小写字母)"
->"、O(大写字母)等的区别!"
|
:0044416B BAAE905000 mov edx, 005090AE
:00444170 8D8578FFFFFF lea eax, dword ptr [ebp+FFFFFF78]
:00444176 E8F1350900 call 004D776C
:0044417B FF856CFFFFFF inc dword ptr [ebp+FFFFFF6C]
:00444181 8B00 mov eax, dword ptr [eax]
:00444183 33D2 xor edx, edx
:00444185 899574FFFFFF mov dword ptr [ebp+FFFFFF74], edx
:0044418B 8D9574FFFFFF lea edx, dword ptr [ebp+FFFFFF74]
:00444191 FF856CFFFFFF inc dword ptr [ebp+FFFFFF6C]
:00444197 E82436FEFF call 004277C0
:0044419C 8D8574FFFFFF lea eax, dword ptr [ebp+FFFFFF74]
:004441A2 8B00 mov eax, dword ptr [eax]
:004441A4 E8277C0400 call 0048BDD0
:004441A9 FF8D6CFFFFFF dec dword ptr [ebp+FFFFFF6C]
:004441AF 8D8574FFFFFF lea eax, dword ptr [ebp+FFFFFF74]
* Possible Reference to String Resource ID=00002:
"NNNHNINNNNNNNHNNNNNNNNNNN1NNNNNNNNNNNNNNNNNN1NNNNNNNNNENNNNN"
|
:004441B5 BA02000000 mov edx, 00000002
:004441BA E805370900 call 004D78C4
:004441BF FF8D6CFFFFFF dec dword ptr [ebp+FFFFFF6C]
:004441C5 8D8578FFFFFF lea eax, dword ptr [ebp+FFFFFF78]
* Possible Reference to String Resource ID=00002:
"NNNHNINNNNNNNHNNNNNNNNNNN1NNNNNNNNNNNNNNNNNN1NNNNNNNNNENNNNN"
|
:004441CB BA02000000 mov edx, 00000002
:004441D0 E8EF360900 call 004D78C4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444160(U)
|
:004441D5 FF8D6CFFFFFF dec dword ptr [ebp+FFFFFF6C]
:004441DB 8D45D8 lea eax, dword ptr [ebp-28]
* Possible Reference to String Resource ID=00002:
"NNNHNINNNNNNNHNNNNNNNNNNN1NNNNNNNNNNNNNNNNNN1NNNNNNNNNENNNNN"
|
:004441DE BA02000000 mov edx, 00000002
:004441E3 E8DC360900 call 004D78C4
:004441E8 FF8D6CFFFFFF dec dword ptr [ebp+FFFFFF6C]
:004441EE 8D45DC lea eax, dword ptr [ebp-24]
* Possible Reference to String Resource ID=00002:
"NNNHNINNNNNNNHNNNNNNNNNNN1NNNNNNNNNNNNNNNNNN1NNNNNNNNNENNNNN"
|
:004441F1 BA02000000 mov edx, 00000002
:004441F6 E8C9360900 call 004D78C4
:004441FB FF8D6CFFFFFF dec dword ptr [ebp+FFFFFF6C]
:00444201 8D45E0 lea eax, dword ptr [ebp-20]