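Author: GoOdLeiSuRe
Date: 2004-8-30
Because this article is simple, it is suited to those who are just starting to learn cracking; experts need not read it.
My skill level is fairly low, so mistakes are inevitable; please point them out.
DynaDoc Reader (V 4.25S) is used to read WDL documents, but some WDL documents downloaded from the Internet may require a password. Although I don't know what this password is for, a password prompt is shown as soon as the file is opened, so let's make a small change so that the error window shown after a wrong entry displays the correct password.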
00445D50 /. 55 PUSH EBP
00445D51 |. 8BEC MOV EBP,ESP
00445D53 |. 6A FF PUSH -1
00445D55 |. 68 BC4D5100 PUSH Dlview32.00514DBC ; SE handler installation
00445D5A |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00445D60 |. 50 PUSH EAX
00445D61 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00445D68 |. 83EC 60 SUB ESP,60
00445D6B |. 894D 98 MOV DWORD PTR SS:[EBP-68],ECX
00445D6E |. 68 E8030000 PUSH 3E8
00445D73 |. 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
00445D76 |. E8 656D0A00 CALL Dlview32.004ECAE0
00445D7B |. 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
00445D7E |. 68 EA030000 PUSH 3EA
00445D83 |. 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
00445D86 |. E8 556D0A00 CALL Dlview32.004ECAE0
00445D8B |. 8945 9C MOV DWORD PTR SS:[EBP-64],EAX
00445D8E |. 6A 09 PUSH 9
00445D90 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00445D93 |. 50 PUSH EAX
00445D94 |. 8B4D B4 MOV ECX,DWORD PTR SS:[EBP-4C]
00445D97 |. E8 C16E0A00 CALL Dlview32.004ECC5D
00445D9C |. 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
00445D9F |. 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
00445DA2 |. 0FBF51 6C MOVSX EDX,WORD PTR DS:[ECX+6C]
00445DA6 |. 83FA 03 CMP EDX,3
00445DA9 |. 7C 08 JL SHORT Dlview32.00445DB3
00445DAB |. 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
00445DAE |. E8 DBC20A00 CALL Dlview32.004F208E
00445DB3 |> 8B45 98 MOV EAX,DWORD PTR SS:[EBP-68]
00445DB6 |. 8B48 68 MOV ECX,DWORD PTR DS:[EAX+68]
00445DB9 |. 894D 94 MOV DWORD PTR SS:[EBP-6C],ECX
00445DBC |. 837D 94 03 CMP DWORD PTR SS:[EBP-6C],3
00445DC0 |. 74 0E JE SHORT Dlview32.00445DD0
00445DC2 |. 837D 94 04 CMP DWORD PTR SS:[EBP-6C],4
00445DC6 |. 74 2A JE SHORT Dlview32.00445DF2
00445DC8 |. 837D 94 0A CMP DWORD PTR SS:[EBP-6C],0A
00445DCC |. 74 02 JE SHORT Dlview32.00445DD0
00445DCE |. EB 42 JMP SHORT Dlview32.00445E12
00445DD0 |> 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C]
00445DD3 |. 52 PUSH EDX ; /Arg1
00445DD4 |. 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68] ; |
00445DD7 |. 83C1 5C ADD ECX,5C ; |
00445DDA |. E8 B1D3FCFF CALL Dlview32.00413190 ; \Dlview32.00413190
00445DDF |. 85C0 TEST EAX,EAX
00445DE1 |. 75 0D JNZ SHORT Dlview32.00445DF0
00445DE3 |. 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
00445DE6 |. E8 8AC20A00 CALL Dlview32.004F2075
00445DEB |. E9 D4000000 JMP Dlview32.00445EC4
00445DF0 |> EB 20 JMP SHORT Dlview32.00445E12
00445DF2 |> 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C] //the password that was entered
00445DF5 |. 50 PUSH EAX
00445DF6 |. 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
00445DF9 |. 83C1 60 ADD ECX,60 //after adding 60, ECX is the address where the password is stored
00445DFC |. E8 8FD3FCFF CALL Dlview32.00413190
00445E01 |. 85C0 TEST EAX,EAX
00445E03 |. 75 0D JNZ SHORT Dlview32.00445E12 //this is the key jump; once it is changed to 9090, the correct password no longer has to be entered
00445E05 |. 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
00445E08 |. E8 68C20A00 CALL Dlview32.004F2075
00445E0D |. E9 B2000000 JMP Dlview32.00445EC4
//To make the error window output the correct password,
//change the code to the following:
//00445E12 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
//00445E15 83C1 60 ADD ECX,60
//00445E18 8B01 MOV EAX,DWORD PTR DS:[ECX]
//00445E1A EB 6A JMP SHORT Dlview32.00445E86
00445E12 |. 6A 3C PUSH 3C
00445E14 |. 6A 00 PUSH 0
00445E16 |. 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]
00445E19 |. 51 PUSH ECX
00445E1A |. E8 81130900 CALL Dlview32.004D71A0
00445E1F |. 83C4 0C ADD ESP,0C
00445E22 |. 8B55 98 MOV EDX,DWORD PTR SS:[EBP-68]
00445E25 |. 66:8B42 6C MOV AX,WORD PTR DS:[EDX+6C]
00445E29 |. 66:05 0100 ADD AX,1
00445E2D |. 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
00445E30 |. 66:8941 6C MOV WORD PTR DS:[ECX+6C],AX
00445E34 |. 8B55 98 MOV EDX,DWORD PTR SS:[EBP-68]
00445E37 |. 0FBF42 6C MOVSX EAX,WORD PTR DS:[EDX+6C]
00445E3B |. 83F8 03 CMP EAX,3
00445E3E |. 7C 0A JL SHORT Dlview32.00445E4A
00445E40 |. 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
00445E43 |. E8 46C20A00 CALL Dlview32.004F208E
00445E48 |. EB 7A JMP SHORT Dlview32.00445EC4
00445E4A |> 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
00445E4D |. E8 80620A00 CALL Dlview32.004EC0D2
00445E52 |. C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00445E59 |. 68 2AEF0000 PUSH 0EF2A ; /Arg1 = 0000EF2A
00445E5E |. 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50] ; |
00445E61 |. E8 0E6B0A00 CALL Dlview32.004EC974 ; \Dlview32.004EC974
00445E66 |. 8B4D 98 MOV ECX,DWORD PTR SS:[EBP-68]
00445E69 |. 0FBF51 6C MOVSX EDX,WORD PTR DS:[ECX+6C]
00445E6D |. B8 03000000 MOV EAX,3
00445E72 |. 2BC2 SUB EAX,EDX
00445E74 |. 50 PUSH EAX
00445E75 |. 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
00445E78 |. E8 D3D2FCFF CALL Dlview32.00413150
00445E7D |. 50 PUSH EAX
00445E7E |. 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
00445E81 |. E8 D5670A00 CALL Dlview32.004EC65B
00445E86 |. 50 PUSH EAX ; |Format = "错误!剩下%d次机会!"
00445E87 |. 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48] ; |
00445E8A |. 51 PUSH ECX ; |s
00445E8B |. FF15 F8D65100 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
00445E91 |. 83C4 0C ADD ESP,0C
00445E94 |. 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
00445E97 |. 52 PUSH EDX
00445E98 |. 8B4D 9C MOV ECX,DWORD PTR SS:[EBP-64]
00445E9B |. E8 966D0A00 CALL Dlview32.004ECC36
00445EA0 |. 68 6CF95400 PUSH Dlview32.0054F96C
00445EA5 |. 8B4D B4 MOV ECX,DWORD PTR SS:[EBP-4C]
00445EA8 |. E8 896D0A00 CALL Dlview32.004ECC36
00445EAD |. 8B4D B4 MOV ECX,DWORD PTR SS:[EBP-4C]
00445EB0 |. E8 2F6F0A00 CALL Dlview32.004ECDE4
00445EB5 |. C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00445EBC |. 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
00445EBF |. E8 59630A00 CALL Dlview32.004EC21D
00445EC4 |> 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00445EC7 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00445ECE |. 8BE5 MOV ESP,EBP
00445ED0 |. 5D POP EBP
00445ED1 \. C3 RETN
With the correct password, you can then remove the document's password (set an empty password).
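
The listing works because the stored password sits in memory at ECX+60 and access depends on a single comparison made by the viewer. The following added example (not part of the original post, and not DynaDoc's code) contrasts that pattern with a design in which the body is encrypted under a password-derived key, so removing the check yields nothing readable. The field names, the PBKDF2 work factor and the HMAC-based stream cipher (a standard-library stand-in for a real AEAD) are assumptions.

```python
import hashlib, hmac, os

ITER = 200_000  # assumed PBKDF2 work factor

def weak_open(doc, password, check=True):
    # Pattern from the listing: the stored password sits beside a cleartext body,
    # so the only barrier is one comparison the viewer itself performs.
    if check and password != doc["password"]:
        return None
    return doc["body"]

def _keys(password, salt):
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER, dklen=64)
    return okm[:32], okm[32:]          # encryption key, MAC key

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD (e.g. AES-GCM).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _tag(mac_key, doc):
    return hmac.new(mac_key, doc["salt"] + doc["nonce"] + doc["ct"], hashlib.sha256).digest()

def protect(password, body):
    doc = {"salt": os.urandom(16), "nonce": os.urandom(16)}
    enc_key, mac_key = _keys(password, doc["salt"])
    doc["ct"] = _xor_stream(enc_key, doc["nonce"], body)
    doc["tag"] = _tag(mac_key, doc)
    return doc                          # no password is stored in the file

def strong_open(doc, password, check=True):
    enc_key, mac_key = _keys(password, doc["salt"])
    if check and not hmac.compare_digest(_tag(mac_key, doc), doc["tag"]):
        return None
    return _xor_stream(enc_key, doc["nonce"], doc["ct"])

SECRET = b"constructed sample document body"   # constructed sample data
weak = {"password": "hunter2", "body": SECRET}  # constructed weak-format record
strong = protect("hunter2", SECRET)
```

The `check=False` argument models a viewer whose comparison branch has been removed: the weak format returns the body, while the encrypted format returns only bytes decrypted under the wrong key.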