破文作者 ] hqsfang
[ 作者邮箱 ] 408944770@qq.com
[ 作者主页 ] http://hi.baidu.com/hqsfang
[ 破解工具 ] Microsoft Visual C++ 7.0 Method2 [Debug]
[ 破解平台 ] Windows XP SP3
[ 软件名称 ] 破文生成器
[ 软件大小 ]
[ 原版下载 ] http://www.ojosoft.com/
[ 保护方式 ] 无壳
[ 软件简介 ] 方便生成破解文本
[ 破解声明 ] (*^__^*)!
-----------------------------------------------------
[ 破解过程 ]-----------------------------------------
运行软件,输入假码后有提示框出现,
运行下bp MessageBoxA断点,中断在
77D507EA USER3> 8BFF mov edi,edi
77D507EC /. 55 push ebp
77D507ED |. 8BEC mov ebp,esp
77D507EF |. 833D BC14D777 0>cmp dword ptr ds:[77D714BC],0
77D507F6 |. 74 24 je short USER32.77D5081C
取消断点,按Alt+F9返回
00401E27 . E8 52D30100 call <jmp.&MFC71.#4104> ; 提示错误窗口
00401E2C . 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00401E30 . FF15 C0414200 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
00401E36 . 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00401E3A > FF15 C0414200 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
向上找关键的跳转,找到
00401D4F . 8BCC mov ecx,esp
00401D51 . 896424 10 mov dword ptr ss:[esp+10],esp
00401D55 . 52 push edx
00401D56 . FF15 D8414200 call dword ptr ds:[<&MFC71.#297>] ; MFC71.7C14E575
00401D5C . 8B8E C8000000 mov ecx,dword ptr ds:[esi+C8]
00401D62 . FF15 28404200 call dword ptr ds:[<&Control.AVProxy::Registe>; Control.AVProxy::RegisteProduct//关键call,英语的意思好像是注册产品,进去看
看,来到
00401D68 . 85C0 test eax,eax
00401D6A . 8B86 CC000000 mov eax,dword ptr ds:[esi+CC]
00401D70 . 75 6A jnz short 3GPConve.00401DDC
00401D72 . 05 34010000 add eax,134
按回车进去看看
00386CD0 FF15 88503900 call dword ptr ds:[<&MFC71.#297>] ; MFC71.7C14E575
00386CD6 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00386CDA 889C24 7C040000 mov byte ptr ss:[esp+47C],bl
00386CE1 E8 4AB60000 call Control.00392330 ; 关键call
00386CE6 0FB6C0 movzx eax,al
00386CE9 85C0 test eax,eax
00386CEB 0F84 38020000 je Control.00386F29 ; 不跳则注册成功(但我们不修改这里)我们进上的面00386CE1 call
00386CF1 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00386CF5 FF15 98503900 call dword ptr ds:[<&MFC71.#310>] ; MFC71.7C173199
00386CFB 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00386CFF B3 05 mov bl,5
00386D01 51 push ecx
00386D02 889C24 78040000 mov byte ptr ss:[esp+478],bl
00386D09 E8 C2D1FFFF call Control.00383ED0
00386D0E 8BC8 mov ecx,eax
00386D10 E8 ABC2FFFF call Control.00382FC0
00386D15 8B10 mov edx,dword ptr ds:[eax]
00386D17 68 28543900 push Control.00395428 ; ASCII "config.ini"//写入信息
00386D1C 52 push edx
00386D1D 8D4424 24 lea eax,dword ptr ss:[esp+24]
00386D21 68 18543900 push Control.00395418 ; ASCII "%s\config\%s"
00386D26 50 push eax
00386D27 C68424 84040000 0>mov byte ptr ss:[esp+484],6
00386D2F FF15 B8503900 call dword ptr ds:[<&MFC71.#2322>] ; MFC71.7C146A9D
00386D35 83C4 10 add esp,10
00386D38 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00386D3C 889C24 74040000 mov byte ptr ss:[esp+474],bl
00386D43 FF15 94503900 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
00386D49 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00386D4D E8 4CB80000 call <jmp.&Util.ProfileUtil:rofileUtil>
00386D52 51 push ecx
00386D53 8BCC mov ecx,esp
00386D55 896424 14 mov dword ptr ss:[esp+14],esp
00386D59 68 10543900 push Control.00395410 ; ASCII "RegPath"//注册路径
00386D5E C68424 7C040000 0>mov byte ptr ss:[esp+47C],7
00386D66 FF15 B0503900 call dword ptr ds:[<&MFC71.#304>] ; MFC71.7C16A59C
00386D6C 51 push ecx
00386D6D 8BCC mov ecx,esp
00386D6F 896424 40 mov dword ptr ss:[esp+40],esp
00386D73 68 08543900 push Control.00395408 ; ASCII "convert"
00386D78 C68424 80040000 0>mov byte ptr ss:[esp+480],8
00386D80 FF15 B0503900 call dword ptr ds:[<&MFC71.#304>] ; MFC71.7C16A59C
00386D86 51 push ecx
00386D87 8D5424 28 lea edx,dword ptr ss:[esp+28]
00386D8B 8BCC mov ecx,esp
00386D8D 896424 38 mov dword ptr ss:[esp+38],esp
00386D91 52 push edx
00386D92 C68424 84040000 0>mov byte ptr ss:[esp+484],9
00386D9A FF15 88503900 call dword ptr ds:[<&MFC71.#297>] ; MFC71.7C14E575
00386DA0 8D4424 34 lea eax,dword ptr ss:[esp+34]
00386DA4 50 push eax
00386DA5 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00386DA9 C68424 84040000 0>mov byte ptr ss:[esp+484],7
00386DB1 E8 24B80000 call <jmp.&Util.ProfileUtil::GetContentFromPr>
00386DB6 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00386DBA C68424 74040000 0>mov byte ptr ss:[esp+474],0A
00386DC2 E8 C5B70000 call <jmp.&Util.RegUtil::RegUtil>
00386DC7 33C0 xor eax,eax
00386DC9 B9 00010000 mov ecx,100
00386DCE 8D7C24 68 lea edi,dword ptr ss:[esp+68]
00386DD2 F3:AB rep stos dword ptr es:[edi]
00386DD4 8D4C24 68 lea ecx,dword ptr ss:[esp+68]
00386DD8 51 push ecx
00386DD9 8D8C24 80040000 lea ecx,dword ptr ss:[esp+480]
00386DE0 C68424 78040000 0>mov byte ptr ss:[esp+478],0B
00386DE8 FF15 A0503900 call dword ptr ds:[<&MFC71.#876>] ; MFC71.7C158BCD
00386DEE 50 push eax
00386DEF 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00386DF3 E8 A8B30000 call Control.003921A0
00386DF8 8D5424 68 lea edx,dword ptr ss:[esp+68]
00386DFC 52 push edx
00386DFD 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
00386E01 FF15 B0503900 call dword ptr ds:[<&MFC71.#304>] ; MFC71.7C16A59C
00386E07 51 push ecx
00386E08 8D4424 34 lea eax,dword ptr ss:[esp+34]
00386E0C 8BCC mov ecx,esp
00386E0E 896424 30 mov dword ptr ss:[esp+30],esp
00386E12 50 push eax
00386E13 C68424 7C040000 0>mov byte ptr ss:[esp+47C],0C
00386E1B FF15 88503900 call dword ptr ds:[<&MFC71.#297>] ; MFC71.7C14E575
00386E21 51 push ecx
00386E22 8BCC mov ecx,esp
00386E24 896424 40 mov dword ptr ss:[esp+40],esp
00386E28 68 E0553900 push Control.003955E0 ; ASCII "SerialCode"//注册码
00386E2D C68424 80040000 0>mov byte ptr ss:[esp+480],0D
00386E35 FF15 B0503900 call dword ptr ds:[<&MFC71.#304>] ; MFC71.7C16A59C
00386E3B 51 push ecx
00386E3C 8D5424 34 lea edx,dword ptr ss:[esp+34]
00386E40 8BCC mov ecx,esp
00386E42 896424 1C mov dword ptr ss:[esp+1C],esp
00386E46 52 push edx
00386E47 C68424 84040000 0>mov byte ptr ss:[esp+484],0E
进入00386CE1 call
00392371 FF15 88503900 call dword ptr ds:[<&MFC71.#297>] ; MFC71.7C14E575
00392377 8BCE mov ecx,esi
00392379 E8 32FCFFFF call Control.00391FB0
0039237E 84C0 test al,al//比较al的值
00392380 0F84 49010000 je Control.003924CF
00392386 8B2D 8C513900 mov ebp,dword ptr ds:[<&MSVCR71.toupper>] ; MSVCR71.toupper
0039238C 33DB xor ebx,ebx
0039238E 8D7424 68 lea esi,dword ptr ss:[esp+68]
中间略.....
003924C5 83C1 04 add ecx,4
003924C8 83F9 10 cmp ecx,10
003924CB ^ 7C C4 jl short Control.00392491
003924CD EB 02 jmp short Control.003924D1
003924CF 32DB xor bl,bl //清零bl的值
003924D1 8D8C24 D8000000 lea ecx,dword ptr ss:[esp+D8]
003924D8 FF15 94503900 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
003924DE 8D8C24 DC000000 lea ecx,dword ptr ss:[esp+DC]
003924E5 FF15 94503900 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
003924EB 8B8C24 C8000000 mov ecx,dword ptr ss:[esp+C8]
003924F2 5F pop edi
003924F3 5E pop esi
003924F4 5D pop ebp
003924F5 8AC3 mov al,bl//破解修改,把mov al,bl改为mov al,1.破解成功
003924F7 64:890D 00000000 mov dword ptr fs:[0],ecx
003924FE 5B pop ebx
003924FF 81C4 C4000000 add esp,0C4
00392505 C2 0800 retn 8
分析得不好,请大牛们指正
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
这个楼主恐怕不是PYG的那个吧??
