-----------------------------------------------------
--版权所有 Sone
-----------------------------------------------------
[ 破文标题 ] 游戏双开大师破解
[ 破文作者 ] 逆流
[ 作者邮箱 ]
[ 作者主页 ]
[ 破解工具 ]
[ 破解平台 ]
[ 软件名称 ] 游戏双开大师
[ 软件大小 ]
[ 原版下载 ]
[ 保护方式 ] ASPack 2.12
[ 软件简介 ] 游戏双开器
[ 破解声明 ] 纯粹练手 菜鸟一个 别骂..
-----------------------------------------------------
[ 破解过程 ]-----------------------------------------
用PEID查壳 是ASPack 2.12 -> Alexey Solodovnikov
直接ESP定律 秒脱之.
用OD载入脱壳后的程序 查字符串 看看 是不是什么提示都有.. 不过 这些东东改了也没用.. 是个重启验证的程序.. 虽然有点假. 追码都没用!!!
先讲讲追码. 这个明码比较的 很简单
查找字符串中的注册成功 在代码头下断 运行程序 随便输入假码
0040AA40 56 push esi ; 123.00439D30 断在这里.
0040AA41 8BF1 mov esi,ecx
0040AA43 6A 01 push 1
0040AA45 E8 56880200 call <jmp.&MFC42.#6334>
0040AA4A 8B86 E8050000 mov eax,dword ptr ds:[esi+5E8]
0040AA50 8B48 F8 mov ecx,dword ptr ds:[eax-8]
0040AA53 85C9 test ecx,ecx
0040AA55 74 5D je short 123.0040AAB4
0040AA57 8BCE mov ecx,esi
0040AA59 E8 72000000 call 123.0040AAD0
0040AA5E 85C0 test eax,eax
0040AA60 74 3D je short 123.0040AA9F
0040AA62 57 push edi
0040AA63 8BBE E8050000 mov edi,dword ptr ds:[esi+5E8]
0040AA69 E8 DE870200 call <jmp.&MFC42.#1168>
0040AA6E 8B40 04 mov eax,dword ptr ds:[eax+4]
0040AA71 57 push edi
0040AA72 68 1C184400 push 123.0044181C ; rigistercode
0040AA77 68 08184400 push 123.00441808 ; rigistersettings
0040AA7C 8BC8 mov ecx,eax
0040AA7E E8 038A0200 call <jmp.&MFC42.#6403>
0040AA83 6A 00 push 0
0040AA85 68 04154400 push 123.00441504 ; 游戏双开大师
0040AA8A 68 88254400 push 123.00442588 ; 注册成功,请退出软件后重新打开本软件!
0040AA8F 8BCE mov ecx,esi
0040AA91 E8 04880200 call <jmp.&MFC42.#4224>
0040AA96 6A 00 push 0
0040AA98 FF15 00874300 call dword ptr ds:[<&MSVCRT.exit>] ; msvcrt.exit
0040AA9E 5F pop edi
0040AA9F 6A 00 push 0
0040AAA1 68 04154400 push 123.00441504 ; 游戏双开大师
0040AAA6 68 74254400 push 123.00442574 ; 请填入合法注册码!
0040AAAB 8BCE mov ecx,esi
0040AAAD E8 E8870200 call <jmp.&MFC42.#4224>
0040AAB2 5E pop esi
0040AAB3 C3 retn
0040AAB4 6A 00 push 0
0040AAB6 68 04154400 push 123.00441504 ; 游戏双开大师
0040AABB 68 5C254400 push 123.0044255C ; 注册码为空,请重新填写!
0040AAC0 8BCE mov ecx,esi
0040AAC2 E8 D3870200 call <jmp.&MFC42.#4224>
0040AAC7 5E pop esi
0040AAC8 C3 retn
往下走
0040AA59 E8 72000000 call 123.0040AAD0 这个是关键CALL F7进入
0040AA5E 85C0 test eax,eax
0040AA60 74 3D je short 123.0040AA9F 这个为关键跳
进入CALL后的代码
0040AAD0 6A FF push -1
0040AAD2 68 C0554300 push 123.004355C0
0040AAD7 64:A1 00000000 mov eax,dword ptr fs:[0]
0040AADD 50 push eax
0040AADE 64:8925 00000000 mov dword ptr fs:[0],esp
0040AAE5 83EC 14 sub esp,14
0040AAE8 53 push ebx
0040AAE9 55 push ebp
0040AAEA 56 push esi
0040AAEB 57 push edi
0040AAEC 8BF1 mov esi,ecx
0040AAEE 6A 01 push 1
0040AAF0 E8 AB870200 call <jmp.&MFC42.#6334>
0040AAF5 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040AAF9 E8 D22C0000 call 123.0040D7D0
0040AAFE 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040AB02 C74424 2C 00000000 mov dword ptr ss:[esp+2C],0
0040AB0A E8 4F870200 call <jmp.&MFC42.#540>
0040AB0F A1 00434400 mov eax,dword ptr ds:[444300]
0040AB14 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040AB18 50 push eax
0040AB19 68 04184400 push 123.00441804 ; @%s
0040AB1E 51 push ecx
0040AB1F C64424 38 01 mov byte ptr ss:[esp+38],1
0040AB24 E8 1F880200 call <jmp.&MFC42.#2818>
0040AB29 83C4 0C add esp,0C
0040AB2C 81C6 E8050000 add esi,5E8
0040AB32 8BCE mov ecx,esi
0040AB34 6A 00 push 0
0040AB36 68 FC174400 push 123.004417FC ; game
0040AB3B E8 7A880200 call <jmp.&MFC42.#6663>
0040AB40 83CD FF or ebp,FFFFFFFF
0040AB43 3BC5 cmp eax,ebp
0040AB45 0F84 D8000000 je 123.0040AC23
0040AB4B 6A 0C push 0C
0040AB4D 8D5424 20 lea edx,dword ptr ss:[esp+20]
0040AB51 6A 00 push 0
0040AB53 52 push edx
0040AB54 51 push ecx
0040AB55 8D4424 20 lea eax,dword ptr ss:[esp+20]
0040AB59 8BCC mov ecx,esp
0040AB5B 896424 30 mov dword ptr ss:[esp+30],esp
0040AB5F 50 push eax
0040AB60 E8 43880200 call <jmp.&MFC42.#535>
0040AB65 8D4C24 30 lea ecx,dword ptr ss:[esp+30]
0040AB69 51 push ecx
0040AB6A E8 A12C0000 call 123.0040D810
0040AB6F 83C4 08 add esp,8
0040AB72 8BC8 mov ecx,eax
0040AB74 C64424 38 02 mov byte ptr ss:[esp+38],2
0040AB79 E8 54880200 call <jmp.&MFC42.#4278>
0040AB7E 8BF8 mov edi,eax
0040AB80 6A 0C push 0C
0040AB82 8D5424 1C lea edx,dword ptr ss:[esp+1C]
0040AB86 6A 00 push 0
0040AB88 52 push edx
0040AB89 8BCE mov ecx,esi
0040AB8B C64424 38 03 mov byte ptr ss:[esp+38],3
0040AB90 E8 3D880200 call <jmp.&MFC42.#4278>
0040AB95 8B3F mov edi,dword ptr ds:[edi]
0040AB97 8B00 mov eax,dword ptr ds:[eax]
0040AB99 57 push edi
0040AB9A 8B3D F4864300 mov edi,dword ptr ds:[<&MSVCRT._mbscmp>] ; msvcrt._mbscmp
0040ABA0 50 push eax
0040ABA1 FFD7 call edi
0040ABA3 83C4 08 add esp,8
0040ABA6 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040ABAA 85C0 test eax,eax
0040ABAC 0F94C3 sete bl
0040ABAF E8 B0860200 call <jmp.&MFC42.#800>
0040ABB4 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040ABB8 C64424 2C 02 mov byte ptr ss:[esp+2C],2
0040ABBD E8 A2860200 call <jmp.&MFC42.#800>
0040ABC2 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040ABC6 C64424 2C 01 mov byte ptr ss:[esp+2C],1
0040ABCB E8 94860200 call <jmp.&MFC42.#800>
0040ABD0 84DB test bl,bl
0040ABD2 74 0B je short 123.0040ABDF
0040ABD4 C64424 2C 00 mov byte ptr ss:[esp+2C],0
0040ABD9 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040ABDD EB 1A jmp short 123.0040ABF9
0040ABDF 8B36 mov esi,dword ptr ds:[esi]
0040ABE1 68 B0254400 push 123.004425B0 ; 1026351e161cgame
0040ABE6 56 push esi
0040ABE7 FFD7 call edi
0040ABE9 83C4 08 add esp,8
0040ABEC C64424 2C 00 mov byte ptr ss:[esp+2C],0
0040ABF1 85C0 test eax,eax
0040ABF3 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040ABF7 75 33 jnz short 123.0040AC2C
0040ABF9 E8 66860200 call <jmp.&MFC42.#800>
0040ABFE 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040AC02 896C24 2C mov dword ptr ss:[esp+2C],ebp
0040AC06 E8 F52B0000 call 123.0040D800
0040AC0B B8 01000000 mov eax,1
0040AC10 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
0040AC14 64:890D 00000000 mov dword ptr fs:[0],ecx
0040AC1B 5F pop edi
0040AC1C 5E pop esi
0040AC1D 5D pop ebp
0040AC1E 5B pop ebx
0040AC1F 83C4 20 add esp,20
0040AC22 C3 retn
0040AB45 /0F84 D8000000 je 123.0040AC23 这个跳转 不能跳 我不会算法分析 所以 不能给你们讲为什么.
0040ABE1 68 B0254400 push 123.004425B0 ; 1026351e161cgame
0040ABE6 56 push esi
0040ABE7 FFD7 call edi ; msvcrt._mbscmp 这里就出现了注册码..
004425B0=123.004425B0 (ASCII "1026351E161CGame") 注册码为1026351E161CGame
0040ABE7 FFD7 call edi ; msvcrt._mbscmp 进这个CALL看看
77C01881 > 8BFF mov edi,edi ; msvcrt._mbscmp
77C01883 55 push ebp
77C01884 8BEC mov ebp,esp
77C01886 56 push esi
77C01887 E8 99860000 call msvcrt.77C09F25
77C0188C 8B70 60 mov esi,dword ptr ds:[eax+60]
77C0188F 3B35 4425C377 cmp esi,dword ptr ds:[77C32544]
77C01895 74 07 je short msvcrt.77C0189E
77C01897 E8 91EDFFFF call msvcrt.77C0062D
77C0189C 8BF0 mov esi,eax
77C0189E 837E 08 00 cmp dword ptr ds:[esi+8],0
77C018A2 75 2F jnz short msvcrt.77C018D3
77C018A4 8B75 0C mov esi,dword ptr ss:[ebp+C]
77C018A7 8B45 08 mov eax,dword ptr ss:[ebp+8]
77C018AA 8A10 mov dl,byte ptr ds:[eax]
77C018AC 8ACA mov cl,dl
77C018AE 3A16 cmp dl,byte ptr ds:[esi]
77C018B0 75 1A jnz short msvcrt.77C018CC
77C018B2 84C9 test cl,cl
77C018B4 74 12 je short msvcrt.77C018C8
77C018B6 8A50 01 mov dl,byte ptr ds:[eax+1]
77C018B9 8ACA mov cl,dl
77C018BB 3A56 01 cmp dl,byte ptr ds:[esi+1]
77C018BE 75 0C jnz short msvcrt.77C018CC
77C018C0 40 inc eax
77C018C1 40 inc eax
77C018C2 46 inc esi
77C018C3 46 inc esi
77C018C4 84C9 test cl,cl
77C018C6 ^ 75 E2 jnz short msvcrt.77C018AA
77C018C8 33C0 xor eax,eax
77C018CA EB 68 jmp short msvcrt.77C01934
77C018CC 1BC0 sbb eax,eax
77C018CE 83D8 FF sbb eax,-1
77C018D1 EB 61 jmp short msvcrt.77C01934
77C018D3 57 push edi
77C018D4 8B7D 0C mov edi,dword ptr ss:[ebp+C]
77C018D7 53 push ebx
77C018D8 8B45 08 mov eax,dword ptr ss:[ebp+8]
77C018DB 66:0FB600 movzx ax,byte ptr ds:[eax]
77C018DF FF45 08 inc dword ptr ss:[ebp+8]
77C018E2 0FB6C8 movzx ecx,al
77C018E5 F64431 1D 04 test byte ptr ds:[ecx+esi+1D],4
77C018EA 74 18 je short msvcrt.77C01904
77C018EC 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
77C018EF 8A09 mov cl,byte ptr ds:[ecx]
77C018F1 84C9 test cl,cl
77C018F3 75 04 jnz short msvcrt.77C018F9
77C018F5 33C0 xor eax,eax
77C018F7 EB 0B jmp short msvcrt.77C01904
77C018F9 33D2 xor edx,edx
77C018FB FF45 08 inc dword ptr ss:[ebp+8]
77C018FE 8AF0 mov dh,al
77C01900 8AD1 mov dl,cl
77C01902 8BC2 mov eax,edx
77C01904 66:0FB60F movzx cx,byte ptr ds:[edi]
77C01908 0FB6D1 movzx edx,cl
77C0190B 47 inc edi
77C0190C F64432 1D 04 test byte ptr ds:[edx+esi+1D],4
77C01911 74 13 je short msvcrt.77C01926
77C01913 8A17 mov dl,byte ptr ds:[edi]
77C01915 84D2 test dl,dl
77C01917 75 04 jnz short msvcrt.77C0191D
77C01919 33C9 xor ecx,ecx
77C0191B EB 09 jmp short msvcrt.77C01926
77C0191D 33DB xor ebx,ebx
77C0191F 8AF9 mov bh,cl
77C01921 47 inc edi
77C01922 8ADA mov bl,dl
77C01924 8BCB mov ecx,ebx
77C01926 66:3BC8 cmp cx,ax
77C01929 75 0C jnz short msvcrt.77C01937
77C0192B 66:85C0 test ax,ax
77C0192E ^ 75 A8 jnz short msvcrt.77C018D8
77C01930 33C0 xor eax,eax
77C01932 5B pop ebx
77C01933 5F pop edi
77C01934 5E pop esi
77C01935 5D pop ebp
77C01936 C3 retn
这里我就不说了 真假注册码比较
把注册码拿去注册一下.. 成功了 但是重启软件后 还是没有注册...
下面 就不需要注册 直接爆破他的错误提示
用bp MessageBoxExA 下断 运行程序 断下了 看堆栈
0012A28C 77D505CF /CALL 到 MessageBoxExA 来自 USER32.77D505CA
0012A290 000B10EA |hOwner = 000B10EA ('游戏双开大师4.0 For Windows 2...',class='#32770')
0012A294 0044179C |Text = "请先付费注册,感谢支持与理解!"
0012A298 00441504 |Title = "游戏双开大师"
0012A29C 00000030 |Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0012A2A0 00000000 \LanguageID = 0 (LANG_NEUTRAL)
有错误提示 取消断点 返回
00405649 |. E8 4CDC0200 call <jmp.&MFC42.#4224> 这个为错误CALL
分析代码
00405639 |. /EB 1C jmp short 123.00405657
0040563B |> |6A 30 push 30
0040563D |. |68 04154400 push 123.00441504
00405642 |. |68 9C174400 push 123.0044179C
00405647 |. |8BCF mov ecx,edi
00405649 |. |E8 4CDC0200 call <jmp.&MFC42.#4224>
0040564E |. |6A 08 push 8
00405650 |. |8BCF mov ecx,edi
00405652 |. |E8 49EAFFFF call 123.004040A0
00405657 |> \8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040563B |> |6A 30 push 30 看这个地址 有个跳转跳到这
0040541B |. /0F84 1A020000 je 123.0040563B 这个跳转跳向错误提示
这就简单了.. 能直接改掉最好 但是还是不行的. 提示错误...
0040540C |. A1 04434400 mov eax,dword ptr ds:[444304]
看这里. 这里的赋值为0
在这里数据窗口跟随 下内存访问断点
重新载入程序 运行 断在了
0040374A . /0F84 B3000000 je 123.00403803
0040373E . E8 7D230000 call 123.00405AC0
00403743 . 85C0 test eax,eax
00403745 . A3 04434400 mov dword ptr ds:[444304],eax
0040374A . 0F84 B3000000 je 123.00403803
注意看00403745 . A3 04434400 mov dword ptr ds:[444304],eax 这里赋值为0 . 那么上面的CALL 就很可疑 在0040373E . E8 7D230000 call 123.00405AC0下断 重新来过 F7步入分析一下
00405AC0 /$ 6A FF push -1
00405AC2 |. 68 904C4300 push 123.00434C90 ; SE 句柄安装
00405AC7 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
00405ACD |. 50 push eax
00405ACE |. 64:8925 00000000 mov dword ptr fs:[0],esp
00405AD5 |. 83EC 18 sub esp,18
00405AD8 |. 53 push ebx
00405AD9 |. 56 push esi
00405ADA |. 6A 01 push 1
00405ADC |. E8 BFD70200 call <jmp.&MFC42.#6334>
00405AE1 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00405AE5 |. E8 74D70200 call <jmp.&MFC42.#540>
00405AEA |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00405AEE |. C74424 28 00000000 mov dword ptr ss:[esp+28],0
00405AF6 |. E8 63D70200 call <jmp.&MFC42.#540>
00405AFB |. C64424 28 01 mov byte ptr ss:[esp+28],1
00405B00 |. E8 47D70200 call <jmp.&MFC42.#1168>
00405B05 |. 8B40 04 mov eax,dword ptr ds:[eax+4]
00405B08 |. 6A 00 push 0
00405B0A |. 68 1C184400 push 123.0044181C ; ASCII "rigistercode"
00405B0F |. 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00405B13 |. 68 08184400 push 123.00441808 ; ASCII "RigisterSettings"
00405B18 |. 51 push ecx
00405B19 |. 8BC8 mov ecx,eax
00405B1B |. E8 B8D80200 call <jmp.&MFC42.#3522>
00405B20 |. 50 push eax
00405B21 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00405B25 |. C64424 2C 02 mov byte ptr ss:[esp+2C],2
00405B2A |. E8 0DD80200 call <jmp.&MFC42.#858>
00405B2F |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00405B33 |. C64424 28 01 mov byte ptr ss:[esp+28],1
00405B38 |. E8 27D70200 call <jmp.&MFC42.#800>
00405B3D |. 8B15 00434400 mov edx,dword ptr ds:[444300]
00405B43 |. 8D4424 0C lea eax,dword ptr ss:[esp+C]
00405B47 |. 52 push edx
00405B48 |. 68 04184400 push 123.00441804 ; ASCII "@%s"
00405B4D |. 50 push eax
00405B4E |. E8 F5D70200 call <jmp.&MFC42.#2818>
00405B53 |. 83C4 0C add esp,0C
00405B56 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00405B5A |. E8 717C0000 call 123.0040D7D0
00405B5F |. 6A 00 push 0
00405B61 |. 68 FC174400 push 123.004417FC ; ASCII "Game"
00405B66 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00405B6A |. C64424 30 03 mov byte ptr ss:[esp+30],3
00405B6F |. E8 46D80200 call <jmp.&MFC42.#6663>
00405B74 |. 83F8 FF cmp eax,-1
00405B77 |. 0F84 CC000000 je 123.00405C49
00405B7D |. 6A 06 push 6
00405B7F |. 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00405B83 |. 6A 00 push 0
00405B85 |. 51 push ecx
00405B86 |. 51 push ecx
00405B87 |. 8D5424 1C lea edx,dword ptr ss:[esp+1C]
00405B8B |. 8BCC mov ecx,esp
00405B8D |. 896424 2C mov dword ptr ss:[esp+2C],esp
00405B91 |. 52 push edx
00405B92 |. E8 11D80200 call <jmp.&MFC42.#535>
00405B97 |. 8D4424 2C lea eax,dword ptr ss:[esp+2C]
00405B9B |. 50 push eax
00405B9C |. E8 6F7C0000 call 123.0040D810
00405BA1 |. 83C4 08 add esp,8
00405BA4 |. 8BC8 mov ecx,eax
00405BA6 |. C64424 34 04 mov byte ptr ss:[esp+34],4
00405BAB |. E8 22D80200 call <jmp.&MFC42.#4278>
00405BB0 |. 8BF0 mov esi,eax
00405BB2 |. 6A 06 push 6
00405BB4 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00405BB8 |. 6A 00 push 0
00405BBA |. 51 push ecx
00405BBB |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00405BBF |. C64424 34 05 mov byte ptr ss:[esp+34],5
00405BC4 |. E8 09D80200 call <jmp.&MFC42.#4278>
00405BC9 |. 8B36 mov esi,dword ptr ds:[esi]
00405BCB |. 8B00 mov eax,dword ptr ds:[eax]
00405BCD |. 56 push esi ; /s2
00405BCE |. 50 push eax ; |s1
00405BCF |. FF15 F4864300 call dword ptr ds:[<&MSVCRT._mbscmp>] ; \_mbscmp
00405BD5 |. 83C4 08 add esp,8
00405BD8 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00405BDC |. 85C0 test eax,eax
00405BDE |. 0F94C3 sete bl
00405BE1 |. E8 7ED60200 call <jmp.&MFC42.#800>
00405BE6 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00405BEA |. C64424 28 04 mov byte ptr ss:[esp+28],4
00405BEF |. E8 70D60200 call <jmp.&MFC42.#800>
00405BF4 |. 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00405BF8 |. C64424 28 03 mov byte ptr ss:[esp+28],3
00405BFD |. E8 62D60200 call <jmp.&MFC42.#800>
00405C02 |. 84DB test bl,bl
00405C04 |. C64424 28 01 mov byte ptr ss:[esp+28],1
00405C09 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00405C0D |. 74 43 je short 123.00405C52
00405C0F |. E8 EC7B0000 call 123.0040D800
00405C14 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00405C18 |. C64424 28 00 mov byte ptr ss:[esp+28],0
00405C1D |. E8 42D60200 call <jmp.&MFC42.#800>
00405C22 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00405C26 |. C74424 28 FFFFFFFF mov dword ptr ss:[esp+28],-1
00405C2E |. E8 31D60200 call <jmp.&MFC42.#800>
00405C33 |. B8 01000000 mov eax,1
00405C38 |. 8B4C24 20 mov ecx,dword ptr ss:[esp+20]
00405C3C |. 64:890D 00000000 mov dword ptr fs:[0],ecx
00405C43 |. 5E pop esi
00405C44 |. 5B pop ebx
00405C45 |. 83C4 24 add esp,24
00405C48 |. C3 retn
00405C49 |> C64424 28 01 mov byte ptr ss:[esp+28],1
00405C4E |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00405C52 |> E8 A97B0000 call 123.0040D800
00405C57 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00405C5B |. C64424 28 00 mov byte ptr ss:[esp+28],0
00405C60 |. E8 FFD50200 call <jmp.&MFC42.#800>
00405C65 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00405C69 |. C74424 28 FFFFFFFF mov dword ptr ss:[esp+28],-1
00405C71 |. E8 EED50200 call <jmp.&MFC42.#800>
00405C76 |. 8B4C24 20 mov ecx,dword ptr ss:[esp+20]
00405C7A |. 5E pop esi
00405C7B |. 33C0 xor eax,eax
00405C7D |. 64:890D 00000000 mov dword ptr fs:[0],ecx
00405C84 |. 5B pop ebx
00405C85 |. 83C4 24 add esp,24
00405C88 \. C3 retn
刚入CALL的时候 EAX还为1 自己分析一下在哪里EAX清零了
00405C65 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
在这里 EAX为0
那么 改一下下面的代码
00405C7B 33C0 xor eax,eax
这段代码改为 mov al,1
EAX为1 运行.. 成功了 破解完成
[ 破解总结 ]-----------------------------------------
感谢优子大姐的细心指导 ^_^
-----------------------------------------------------
[ 版权声明 ] 逆流练手程序
-----------------------------------------------------