Hi everyone! I'm a newbie. Today I'm cracking the **王 software for you all; this is my first post, so please forgive me! (download: http://www.microsword.net/)
Following the steps found online. 1. Check the packer:
ASPack 2.12 -> Alexey Solodovnikov
2. Load it in OD and unpack:
005AC001 > 60 PUSHAD
005AC002 E8 03000000 CALL cpw.005AC00A
005AC007 - E9 EB045D45 JMP 45B7C4F7
For an ASPack packer, watch the first CALL: step down with F8, and on the 005AC007 line press F4 (run to selection). You get the following:
005AC3B0 /75 08 JNZ SHORT cpw.005AC3BA
005AC3B2 |B8 01000000 MOV EAX,1
005AC3B7 |C2 0C00 RETN 0C
005AC3BA \68 48195100 PUSH cpw.00511948
005AC3BF C3 RETN
Step over with F8; the first return, at 005AC3BF, lands on the entry point (I'm not really sure why, I'm a noob):
00511948 55 PUSH EBP
00511949 8BEC MOV EBP,ESP
0051194B 83C4 F0 ADD ESP,-10
0051194E 53 PUSH EBX
0051194F B8 50155100 MOV EAX,cpw.00511550
00511954 E8 0B55EFFF CALL cpw.00406E64
00511959 8B1D C0645100 MOV EBX,DWORD PTR DS:[5164C0] ; cpw.00517C34
0051195F 8B03 MOV EAX,DWORD PTR DS:[EBX]
Then dump directly at 00511948.
Check the packer again: Borland Delphi 6.0 - 7.0, and it now runs normally.
3. Load it in OD. First, the ASCII "Ultra String Reference" (超级字符串参考) gives the following:
0050DEF6 MOV EDX,dfsdfds.0050DF94 RegUser
0050DF13 MOV EDX,dfsdfds.0050DFA4 RegNo
0050DF28 MOV ECX,dfsdfds.0050DFAC 提示
0050DF2D MOV EDX,dfsdfds.0050DFB4 注册完成,请重新运行程序!
0050E9DE MOV EDX,dfsdfds.0050EACC Software\cpw
0050E9ED MOV EDX,dfsdfds.0050EAE4 RegUser
0050EA09 MOV EDX,dfsdfds.0050EAF4 RegNo
0050EA1C MOV EDX,dfsdfds.0050EB04 cpwChina
0050EA5D MOV EDX,dfsdfds.0050EB18 - 未购买用户
0050EBD4 PUSH dfsdfds.0050ED68 cpw
0050EBE9 PUSH dfsdfds.0050ED74 -
0050EBFE PUSH dfsdfds.0050ED80 t
0050EC23 PUSH dfsdfds.0050ED68 cpw
0050EC38 PUSH dfsdfds.0050ED74 -
0050ECB0 MOV EDX,dfsdfds.0050ED8C 期别
0050EE1D PUSH dfsdfds.0050EE8C begin:
0050EE2F PUSH dfsdfds.0050EE9C ;result:
0050F6D7 MOV ECX,dfsdfds.0050F708 提示
0050F6DC MOV EDX,dfsdfds.0050F710 该功能目前仅限注册用户使用!您现在要注册吗?
0050F74B MOV ECX,dfsdfds.0050F77C 提示
0050F750 MOV EDX,dfsdfds.0050F784 该功能目前仅限注册用户使用!您现在要注册吗?
0050DF13 |. BA A4DF5000 MOV EDX,dfsdfds.0050DFA4 ; RegNo
0050DF18 |. 8BC3 MOV EAX,EBX
0050DF1A |. E8 A9D5F7FF CALL dfsdfds.0048B4C8
0050DF1F |. 8BC3 MOV EAX,EBX
0050DF21 |. E8 465CEFFF CALL dfsdfds.00403B6C
0050DF26 |. 6A 40 PUSH 40
0050DF28 |. B9 ACDF5000 MOV ECX,dfsdfds.0050DFAC ; 提示
0050DF2D |. BA B4DF5000 MOV EDX,dfsdfds.0050DFB4 ; 注册完成,请重新运行程序!
0050DF32 |. A1 C0645100 MOV EAX,DWORD PTR DS:[5164C0]
0050DF37 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0050DF39 |. E8 067EF5FF CALL dfsdfds.00465D44
0050DF3E |. A1 C0645100 MOV EAX,DWORD PTR DS:[5164C0]
0050DF43 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0050DF45 |. E8 567DF5FF CALL dfsdfds.00465CA0
0050DF4A |. 33C0 XOR EAX,EAX
0050DF4C |. 5A POP EDX
0050DF4D |. 59 POP ECX
0050DF4E |. 59 POP ECX
0050DF4F |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
Go on down.
Double-click 0050DF13 to set a breakpoint, run the program and register; it breaks (registration name 987654321, registration code 1111):
0050DEF6 |. BA 94DF5000 MOV EDX,dfsdfds.0050DF94 ; RegUser
0050DEFB |. 8BC3 MOV EAX,EBX
0050DEFD |. E8 C6D5F7FF CALL dfsdfds.0048B4C8
0050DF02 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0050DF05 |. 8B86 3C030000 MOV EAX,DWORD PTR DS:[ESI+33C]
0050DF0B |. E8 F07AF3FF CALL dfsdfds.00445A00
0050DF10 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
0050DF13 |. BA A4DF5000 MOV EDX,dfsdfds.0050DFA4 ; RegNo
0050DF18 |. 8BC3 MOV EAX,EBX
0050DF1A |. E8 A9D5F7FF CALL dfsdfds.0048B4C8
0050DF1F |. 8BC3 MOV EAX,EBX
0050DF21 |. E8 465CEFFF CALL dfsdfds.00403B6C
0050DF26 |. 6A 40 PUSH 40
0050DF28 |. B9 ACDF5000 MOV ECX,dfsdfds.0050DFAC ; 提示
0050DF2D |. BA B4DF5000 MOV EDX,dfsdfds.0050DFB4 ; 注册完成,请重新运行程序!
Step down with F8 to 0050DF2D and the program restarts.
Now double-click 0050EA09 to break at the registration spot after the restart:
0050E9ED MOV EDX,dfsdfds.0050EAE4 RegUser
0050EA09 MOV EDX,dfsdfds.0050EAF4 RegNo
0050EA1C MOV EDX,dfsdfds.0050EB04 cpwChina
0050EA5D MOV EDX,dfsdfds.0050EB18 - 未购买用户
0050E9ED |. BA E4EA5000 MOV EDX,dfsdfds.0050EAE4 ; RegUser
0050E9F2 |. 8BC6 MOV EAX,ESI
0050E9F4 |. E8 FBCAF7FF CALL dfsdfds.0048B4F4
0050E9F9 |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
0050E9FC |. B8 08895100 MOV EAX,dfsdfds.00518908
0050EA01 |. E8 465FEFFF CALL dfsdfds.0040494C
0050EA06 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0050EA09 |. BA F4EA5000 MOV EDX,dfsdfds.0050EAF4 ; RegNo
0050EA0E |. 8BC6 MOV EAX,ESI
0050EA10 |. E8 DFCAF7FF CALL dfsdfds.0048B4F4
0050EA15 |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
0050EA18 |. 50 PUSH EAX
0050EA19 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
0050EA1C |. BA 04EB5000 MOV EDX,dfsdfds.0050EB04 ; cpwChina
0050EA21 |. A1 08895100 MOV EAX,DWORD PTR DS:[518908]
0050EA26 |. E8 ADBFFDFF CALL dfsdfds.004EA9D8
0050EA2B |. 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
0050EA2E |. 58 POP EAX
0050EA2F |. E8 C062EFFF CALL dfsdfds.00404CF4
0050EA34 |. 75 07 JNZ SHORT dfsdfds.0050EA3D
Break at 0050E9ED and step down with F8.
0050EA2B |. 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
At this line the info pane shows the stack entry SS:[0012FDF4]=00F82B14, (ASCII "ED092B33A15A5A482E28A7E0A1C38ED5")
EDX=00F826B4, (ASCII "987654321")
Note that down first.
Continue down to 0050EA2F |. E8 C062EFFF CALL dfsdfds.00404CF4
0050EA34 |. 75 07 JNZ SHORT dfsdfds.0050EA3D
This is the key CALL; if they are not equal, it dies (the register pane also shows EAX 00F887DC ASCII "1111"
ECX 00000002
EDX 00F82B14 ASCII "ED092B33A15A5A482E28A7E0A1C38ED5")
OK, by now the registration code has appeared. NOP the jump out or change it to JZ.
Enter the real registration code and try it:
It shows registration successful.
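The check the post ends on is one string comparison followed by one conditional jump, which is exactly why a single patched instruction defeats it. As an added example that is not from the post or from the cracked program, the following Python model (the vendor secret, the code derivation and every name in it are assumptions) puts that pattern next to a check in which the registration code is key material, so a patched branch on its own yields nothing usable:

```python
import hashlib
import hmac

# Everything here is constructed for the model; the post does not reveal how the
# real program derives its 32-hex-character expected code.
VENDOR_SECRET = b"hypothetical-vendor-secret"

def issue_code(reg_user: str) -> str:
    """Vendor side: registration code for a user name (assumed: MD5 of secret + name,
    rendered as 32 upper-case hex digits, the shape seen in the debugger)."""
    return hashlib.md5(VENDOR_SECRET + reg_user.encode()).hexdigest().upper()

def unlock_weak(reg_user: str, reg_no: str, branch_patched: bool = False) -> bool:
    """The pattern in the listing: recompute the expected code inside the program,
    string-compare it with the entered code, and let one conditional jump decide.
    The expected value sits in memory next to the entered one, and flipping that
    jump (modelled by branch_patched) unlocks everything whatever code was typed."""
    expected = issue_code(reg_user)  # the shipped program must carry VENDOR_SECRET
    matched = hmac.compare_digest(reg_no, expected)
    return matched or branch_patched

def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256, enough for the model."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def protect_feature(reg_user: str, plaintext: bytes) -> bytes:
    """Vendor side (hardened): licensed data ships encrypted and MACed under a key
    derived from the registration code, so the code is key material, not a flag."""
    key = hashlib.sha256(issue_code(reg_user).encode()).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return hmac.new(key, ct, "sha256").digest() + ct

def unlock_hardened(reg_no: str, blob: bytes, branch_patched: bool = False):
    """Client side (hardened): the key comes only from the entered code and no vendor
    secret is present. Patching the tag check no longer helps: a wrong code decrypts
    the data to garbage instead of unlocking it."""
    key = hashlib.sha256(reg_no.encode()).digest()
    tag, ct = blob[:32], blob[32:]
    if not branch_patched and not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))
```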
Finally, since this is my first post, my explanation may be unclear; please forgive me.
I also hope the moderator will give me an invitation code (this is absolutely my own original work).
Thanks everyone!