【Title】: P3定胆杀码霸主 V1.9.6 cracking notes
【Author】: lj8888
【Software】: P3定胆杀码霸主 V1.9.6
【Download】: search for it yourself
【Packer】: ThemidaFiles+ASProtect
【Protection】: packer
【Tools】: OD+PEiD
【Author's note】: Just out of interest, no other purpose. If I got anything wrong, please correct me!
--------------------------------------------------------------------------------
【Detailed process】
The software has since been updated to 9.5 or later; cracking 1.9.6 should not make much difference, I suppose.
A PEiD scan finds nothing: [Overlay] *
Loading it straight into OD and stepping a few instructions, I see code resembling the ThemidaFiles encryption routine together with an ASProtect SDK marker.
PEiD's ASProtect plugin reports: Version: ASProtect 2.11 SKE build 03.13 Release [1]
So I judge the packing to be ThemidaFiles+ASProtect (how did I identify ThemidaFiles? I guessed; is that not allowed? ^_#)
Run it in OD with all exceptions ignored; once the program is up, set a breakpoint on MessageBoxExA:
77D50510 /75 0A JNZ SHORT user32.77D5051C
77D50512 |C705 200BD777 0>MOV DWORD PTR DS:[77D70B20],1
77D5051C \6A 00 PUSH 0
77D5051E FF75 14 PUSH DWORD PTR SS:[EBP+14]
77D50521 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77D50524 FF75 0C PUSH DWORD PTR SS:[EBP+C]
77D50527 FF75 08 PUSH DWORD PTR SS:[EBP+8]
77D5052A E8 2D000000 CALL user32.MessageBoxExA
77D5052F 5D POP EBP
77D50530 C2 1000 RETN 10
77D50533 90 NOP
77D50534 90 NOP
77D50535 90 NOP
77D50536 90 NOP
77D50537 90 NOP
77D50538 > 8BFF MOV EDI,EDI
77D5053A 55 PUSH EBP
77D5053B 8BEC MOV EBP,ESP
77D5053D 6A FF PUSH -1
77D5053F FF75 18 PUSH DWORD PTR SS:[EBP+18]
77D50542 FF75 14 PUSH DWORD PTR SS:[EBP+14]
77D50545 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77D50548 FF75 0C PUSH DWORD PTR SS:[EBP+C]
77D5054B FF75 08 PUSH DWORD PTR SS:[EBP+8]
77D5054E E8 EE590100 CALL user32.MessageBoxTimeoutW
77D50553 5D POP EBP
77D50554 C2 1400 RETN 14
77D50557 90 NOP
77D50558 90 NOP
77D50559 90 NOP
77D5055A 90 NOP
77D5055B 90 NOP
77D5055C > 8BFF MOV EDI,EDI
It breaks here:
77D5055C > 8BFF MOV EDI,EDI
0012EA58 77D5052F /CALL 到 MessageBoxExA 来自 user32.77D5052A
0012EA5C 00080736 |hOwner = 00080736 (class='#32770',parent=000A0730)
0012EA60 010A8190 |Text = "未注册版本,只能分析预测10期!"
0012EA64 010A50C0 |Title = "3D、P3定胆杀码霸主 V1.9.6 Beta"
0012EA68 00000000 |Style = MB_OK|MB_APPLMODAL
0012EA6C 00000000 \LanguageID = 0 (LANG_NEUTRAL)
0012EA70 0012F5EC
0012EA74 005739E1 Main.005739E1
0012EA78 00080736
0012EA7C 010A8190
0012EA80 010A50C0
0012EA84 00000000
0012EA88 0160722C
0012EA8C 0042795A 返回到 Main.0042795A 来自 Main.005739B3
004278A4 /0F85 27010000 JNZ Main.004279D1
004278AA |8B85 A0FDFFFF MOV EAX,DWORD PTR SS:[EBP-260]
004278B0 |2B85 E4FCFFFF SUB EAX,DWORD PTR SS:[EBP-31C]
004278B6 |83F8 0A CMP EAX,0A
004278B9 |0F8E 12010000 JLE Main.004279D1
004278BF |68 A8FC5B00 PUSH Main.005BFCA8
004278C4 |8D8D 80FCFFFF LEA ECX,DWORD PTR SS:[EBP-380]
004278CA |E8 A1A1FDFF CALL Main.00401A70
004278CF |8D8D 80FCFFFF LEA ECX,DWORD PTR SS:[EBP-380]
004278D5 |C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
004278D9 |C785 C4FDFFFF 0>MOV DWORD PTR SS:[EBP-23C],0
004278E3 |E8 389EFDFF CALL Main.00401720
004278E8 |85C0 TEST EAX,EAX
004278EA |7E 57 JLE SHORT Main.00427943
004278EC |8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
004278F0 |8B95 C4FDFFFF MOV EDX,DWORD PTR SS:[EBP-23C]
004278F6 |52 PUSH EDX
004278F7 |8D8D 80FCFFFF LEA ECX,DWORD PTR SS:[EBP-380]
004278FD |E8 AEF9FDFF CALL Main.004072B0
00427902 |8B8D C4FDFFFF MOV ECX,DWORD PTR SS:[EBP-23C]
00427908 |34 77 XOR AL,77
0042790A |8885 74FCFFFF MOV BYTE PTR SS:[EBP-38C],AL
00427910 |8B85 74FCFFFF MOV EAX,DWORD PTR SS:[EBP-38C]
00427916 |50 PUSH EAX
00427917 |51 PUSH ECX
00427918 |8D8D 80FCFFFF LEA ECX,DWORD PTR SS:[EBP-380]
0042791E |E8 BDF9FDFF CALL Main.004072E0
00427923 |8B95 C4FDFFFF MOV EDX,DWORD PTR SS:[EBP-23C]
00427929 |42 INC EDX
0042792A |8D8D 80FCFFFF LEA ECX,DWORD PTR SS:[EBP-380]
00427930 |8995 C4FDFFFF MOV DWORD PTR SS:[EBP-23C],EDX
00427936 |E8 E59DFDFF CALL Main.00401720
0042793B |3985 C4FDFFFF CMP DWORD PTR SS:[EBP-23C],EAX
00427941 ^|7C AD JL SHORT Main.004278F0
00427943 |6A 00 PUSH 0
00427945 |6A 00 PUSH 0
00427947 |8D8D 80FCFFFF LEA ECX,DWORD PTR SS:[EBP-380]
0042794D |E8 8EA1FDFF CALL Main.00401AE0
00427952 |50 PUSH EAX
00427953 |8BCF MOV ECX,EDI
00427955 |E8 59C01400 CALL Main.005739B3
0042795A |8BCE MOV ECX,ESI
0042795C |E8 2F0DFFFF CALL Main.00418690
00427961 |83E8 0D SUB EAX,0D
00427964 |50 PUSH EAX
00427965 |8BCE MOV ECX,ESI
00427967 |E8 2483FEFF CALL Main.0040FC90
0042796C |8BCB MOV ECX,EBX
0042796E |E8 1D0DFFFF CALL Main.00418690
00427973 |83E8 03 SUB EAX,3
00427976 |50 PUSH EAX
00427977 |8BCB MOV ECX,EBX
00427979 |E8 1283FEFF CALL Main.0040FC90
0042797E |8BCE MOV ECX,ESI
00427980 |E8 EB82FEFF CALL Main.0040FC70
00427985 |8BCB MOV ECX,EBX
00427987 |8985 E4FCFFFF MOV DWORD PTR SS:[EBP-31C],EAX
0042798D |E8 DE82FEFF CALL Main.0040FC70
00427992 |8D95 6CFDFFFF LEA EDX,DWORD PTR SS:[EBP-294]
00427998 |8985 A0FDFFFF MOV DWORD PTR SS:[EBP-260],EAX
0042799E |8B85 E4FCFFFF MOV EAX,DWORD PTR SS:[EBP-31C]
004279A4 |52 PUSH EDX
004279A5 |50 PUSH EAX
004279A6 |8BCE MOV ECX,ESI
004279A8 |E8 A2091600 CALL Main.0058834F
Returning from the call, we arrive at
0042795A 8BCE MOV ECX,ESI
The rest is simple: patch the key jump of your choice and make a memory patch; the other functions work the same way.
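To make the listing above easier to read, here is an added C reconstruction (not the product's code and not from the original post) of what the block at 004278A4..00427941 computes: a flag test, a difference of two stack locals compared against 0x0A, and a loop that XORs every byte of the string copied from Main.005BFCA8 with 0x77 before it reaches the message routine. The names registered_flag, row_end and row_start are assumed labels for the JNZ condition, [EBP-260] and [EBP-31C]; the sample string is constructed, since the real bytes at 005BFCA8 are not reproduced in the post.

```c
#include <stdio.h>
#include <string.h>

/* Assumed reconstruction of 004278A4..004278B9: if the flag is set the whole
 * nag path is skipped (JNZ Main.004279D1); otherwise EAX = [EBP-260] - [EBP-31C]
 * and the path is only taken when that difference exceeds 10 (CMP EAX,0A / JLE). */
int nag_path_taken(int registered_flag, int row_end, int row_start)
{
    if (registered_flag != 0)          /* JNZ Main.004279D1 */
        return 0;
    int diff = row_end - row_start;     /* SUB EAX,DWORD PTR SS:[EBP-31C] */
    return diff > 10;                   /* JLE Main.004279D1 when diff <= 10 */
}

/* One iteration of the loop at 004278F0..00427941: XOR AL,77 on each byte.
 * XOR with a constant is its own inverse, so applying it twice restores the byte. */
unsigned char xor77_byte(unsigned char c)
{
    return (unsigned char)(c ^ 0x77);
}

/* Apply the loop to a whole buffer in place. */
void xor77_in_place(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = xor77_byte(buf[i]);
}

int main(void)
{
    /* Constructed sample text; not the string stored at Main.005BFCA8. */
    unsigned char sample[] = "sample nag text";
    size_t n = strlen((char *)sample);

    xor77_in_place(sample, n);          /* encode */
    xor77_in_place(sample, n);          /* decode again: bytes are restored */
    printf("%s\n", sample);

    /* 12 rows analysed from row 0: difference 12 > 10, so the nag path runs. */
    printf("unregistered, 12 rows -> nag=%d\n", nag_path_taken(0, 12, 0));
    printf("unregistered, 10 rows -> nag=%d\n", nag_path_taken(0, 10, 0));
    return 0;
}
```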
--------------------------------------------------------------------------------
【Lessons learned】
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thank you!
18 March 2007, 07:23:08 AM