- UID
- 2
注册时间2004-12-1
阅读权限255
最后登录1970-1-1
总坛主
TA的每日心情 | 难过
2024-4-22 14:49 |
|---|
签到天数: 11 天 [LV.3]偶尔看看II
|
【破文标题】易语言精科电脑算命V3.4破解
【破文作者】飘云[PYG]
【破解平台】winXP
【作者邮箱】piaoyun04@163.com
【软件名称】精科电脑算命V3.4
【下载地址】http://www.jk126.com
【软件简介】算命的咯·!
【破解原因】从华军把这个东东下载回来有一年了,由于是易语言的,所以一直没有去破解它,但是他的限制太毒了:只能使用30次,最主要的还是不能打印!我不想有限制,今天下定决心要解决它!!!
【破解步骤】
用PEID查看为ASPack 2.12 -> Alexey Solodovnikov,脱之!
OD载入,运行程序,输入信息:
密码:123456
注册码:1357924680
BP MessageBoxA下断
点“注册”
被拦截:
77D3ADD7 US> 833D C4D3D677 00 cmp dword ptr ds:[77D6D3C4],0 中断在这里,F2清除断点
77D3ADDE 0F85 377E0100 jnz USER32.77D52C1B
77D3ADE4 6A 00 push 0
77D3ADE6 FF7424 14 push dword ptr ss:[esp+14]
77D3ADEA FF7424 14 push dword ptr ss:[esp+14]
77D3ADEE FF7424 14 push dword ptr ss:[esp+14]
77D3ADF2 FF7424 14 push dword ptr ss:[esp+14]
77D3ADF6 E8 03000000 call USER32.MessageBoxExA
77D3ADFB C2 1000 retn 10
堆栈友好提示:
0012F210 /CALL 到 MessageBoxA 来自 krnln.10058CD0
0012F214 |hOwner = NULL
0012F218 |Text = "你的密码不正确,或你还未交纳注册费。"
0012F21C |Title = "密码错误:"
0012F220 \Style = MB_OK|MB_ICONEXCLAMATION|MB_TASKMODAL
0012F224
然后按ALT+F9 点“确定”看看注册失败时返回的地址:
10058CD6 5F pop edi ; 00AFC160
10058CD7 83F8 03 cmp eax,3
10058CDA 5E pop esi
10058CDB 75 0F jnz short krnln.10058CEC
10058CDD 8B4C24 68 mov ecx,dword ptr ss:[esp+68]
10058CE1 B8 02000000 mov eax,2
10058CE6 8901 mov dword ptr ds:[ecx],eax
10058CE8 83C4 64 add esp,64
10058CEB C3 retn
接下来CTRL+F9 (我的是2次)根据Od信息直到返回领空为止
100257EE C3 retn
堆栈信息:
0012F2AC 返回到 123.0048CA73 来自 123.0049015C
现在按一下F8吧:
0048CA6E E8 E9360000 call 123.0049015C
0048CA73 83C4 28 add esp,28 停在这里,呵呵!回来了!
0048CA76 68 05000100 push 10005
0048CA7B 68 DF020116 push 160102DF
0048CA80 68 CF000152 push 520100CF
0048CA85 68 01000000 push 1
0048CA8A BB 64030000 mov ebx,364
0048CA8F E8 C8360000 call 123.0049015C
0048CA94 83C4 10 add esp,10
0048CA97 E9 00000000 jmp 123.0048CA9C
0048CA9C 8BE5 mov esp,ebp
0048CA9E 5D pop ebp
0048CA9F C3 retn
根据向上返回定律找到:
0048C903 55 push ebp ; 这里就是点“注册”所执行的第一句代码 下断,重新注册立即中断
0048C904 8BEC mov ebp,esp
0048C906 81EC 24000000 sub esp,24
0048C90C C745 FC 00000000 mov dword ptr ss:[ebp-4],0
0048C913 DB05 F80CAF00 fild dword ptr ds:[AF0CF8] ; 取注册号的后几位 我的注册号是:3D1054306 所以取1054306
0048C919 DD5D F4 fstp qword ptr ss:[ebp-C] ; 这里是浮点运算,不管它!向下走
0048C91C DD45 F4 fld qword ptr ss:[ebp-C]
0048C91F DC05 F07D4500 fadd qword ptr ds:[457DF0]
0048C925 DD5D F4 fstp qword ptr ss:[ebp-C]
0048C928 DD45 F4 fld qword ptr ss:[ebp-C]
0048C92B DC25 F87D4500 fsub qword ptr ds:[457DF8]
0048C931 DD5D EC fstp qword ptr ss:[ebp-14]
0048C934 DD45 EC fld qword ptr ss:[ebp-14]
0048C937 DC05 007E4500 fadd qword ptr ds:[457E00]
0048C93D DD5D E4 fstp qword ptr ss:[ebp-1C]
0048C940 68 01030080 push 80000301
0048C945 6A 00 push 0
0048C947 68 BB184D00 push 4D18BB
0048C94C DD45 E4 fld qword ptr ss:[ebp-1C]
0048C94F E8 3C21FEFF call 123.0046EA90
0048C954 68 01030080 push 80000301
0048C959 6A 00 push 0
0048C95B 50 push eax
0048C95C 68 02000000 push 2
0048C961 BB CC000000 mov ebx,0CC
0048C966 E8 F1370000 call 123.0049015C
0048C96B 83C4 1C add esp,1C
0048C96E 8945 FC mov dword ptr ss:[ebp-4],eax
0048C971 6A FF push -1
0048C973 6A 08 push 8
0048C975 68 DF020116 push 160102DF
0048C97A 68 CF000152 push 520100CF
0048C97F E8 F0370000 call 123.00490174
0048C984 83C4 10 add esp,10
0048C987 8945 F8 mov dword ptr ss:[ebp-8],eax
0048C98A 68 04000080 push 80000004
0048C98F 6A 00 push 0
0048C991 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0048C994 85C0 test eax,eax
0048C996 75 05 jnz short 123.0048C99D
0048C998 B8 62644100 mov eax,123.00416462
0048C99D 50 push eax
0048C99E 68 01000000 push 1
0048C9A3 BB 78010000 mov ebx,178
0048C9A8 E8 AF370000 call 123.0049015C
0048C9AD 83C4 10 add esp,10
0048C9B0 8945 F4 mov dword ptr ss:[ebp-C],eax
0048C9B3 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
0048C9B6 85DB test ebx,ebx
0048C9B8 74 09 je short 123.0048C9C3
0048C9BA 53 push ebx
0048C9BB E8 A8370000 call 123.00490168
0048C9C0 83C4 04 add esp,4
0048C9C3 68 04000080 push 80000004
0048C9C8 6A 00 push 0
0048C9CA 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0048C9CD 85C0 test eax,eax
0048C9CF 75 05 jnz short 123.0048C9D6
0048C9D1 B8 62644100 mov eax,123.00416462
0048C9D6 50 push eax
0048C9D7 68 01000000 push 1
0048C9DC BB 64010000 mov ebx,164
0048C9E1 E8 76370000 call 123.0049015C
0048C9E6 83C4 10 add esp,10
0048C9E9 8945 EC mov dword ptr ss:[ebp-14],eax
0048C9EC 8955 F0 mov dword ptr ss:[ebp-10],edx
0048C9EF 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
0048C9F2 85DB test ebx,ebx
0048C9F4 74 09 je short 123.0048C9FF
0048C9F6 53 push ebx
0048C9F7 E8 6C370000 call 123.00490168
0048C9FC 83C4 04 add esp,4
0048C9FF DB45 FC fild dword ptr ss:[ebp-4] ; 到这里就看到21096252
0048CA02 DD5D E4 fstp qword ptr ss:[ebp-1C]
0048CA05 DD45 EC fld qword ptr ss:[ebp-14] ; 这里12345,呵呵!知道干什么了吗?
0048CA08 DC65 E4 fsub qword ptr ss:[ebp-1C]
0048CA0B D9E4 ftst
0048CA0D DFE0 fstsw ax
0048CA0F F6C4 01 test ah,1
0048CA12 74 02 je short 123.0048CA16
0048CA14 D9E0 fchs
0048CA16 DC1D 49DE4100 fcomp qword ptr ds:[41DE49]
0048CA1C DFE0 fstsw ax
0048CA1E F6C4 41 test ah,41
0048CA21 B8 00000000 mov eax,0
0048CA26 0F95C0 setne al
0048CA29 8945 E4 mov dword ptr ss:[ebp-1C],eax
0048CA2C 837D E4 01 cmp dword ptr ss:[ebp-1C],1
0048CA30 0F85 0A000000 jnz 123.0048CA40 ; 如果密码正确就不跳
0048CA36 E8 65000000 call 123.0048CAA0 ; 计算核心
0048CA3B E9 5C000000 jmp 123.0048CA9C
我们输入正确的密码 21096252 在 0048CA36处下断,重新来过(当然,你也可以把0048CA30处的JNZ改为JZ继续分析)
BTW:不要嫌麻烦,CRACKER就是这样!
断下后F7进入:
0048CAA0 55 push ebp
0048CAA1 8BEC mov ebp,esp
0048CAA3 81EC 20000000 sub esp,20
0048CAA9 C745 FC 00000000 mov dword ptr ss:[ebp-4],0
0048CAB0 C745 F8 00000000 mov dword ptr ss:[ebp-8],0
0048CAB7 68 04000080 push 80000004
0048CABC 6A 00 push 0
0048CABE 68 90A94200 push 123.0042A990
0048CAC3 68 01000000 push 1
0048CAC8 BB 64010000 mov ebx,164
0048CACD E8 8A360000 call 123.0049015C
0048CAD2 83C4 10 add esp,10
0048CAD5 8945 F0 mov dword ptr ss:[ebp-10],eax
0048CAD8 8955 F4 mov dword ptr ss:[ebp-C],edx
0048CADB DD05 A9A94200 fld qword ptr ds:[42A9A9] ; 又是浮点,我们不管它,向下找关键东西
0048CAE1 DC65 F0 fsub qword ptr ss:[ebp-10]
0048CAE4 DD5D E8 fstp qword ptr ss:[ebp-18]
0048CAE7 DD45 E8 fld qword ptr ss:[ebp-18]
0048CAEA E8 A11FFEFF call 123.0046EA90
0048CAEF 68 01030080 push 80000301
0048CAF4 6A 00 push 0
0048CAF6 50 push eax
0048CAF7 68 01030080 push 80000301
0048CAFC 6A 00 push 0
0048CAFE FF35 F80CAF00 push dword ptr ds:[AF0CF8]
0048CB04 68 02000000 push 2
0048CB09 BB CC000000 mov ebx,0CC
0048CB0E E8 49360000 call 123.0049015C
0048CB13 83C4 1C add esp,1C
0048CB16 8945 FC mov dword ptr ss:[ebp-4],eax
0048CB19 6A FF push -1
0048CB1B 6A 08 push 8
0048CB1D 68 DC020116 push 160102DC
0048CB22 68 CF000152 push 520100CF
0048CB27 E8 48360000 call 123.00490174
0048CB2C 83C4 10 add esp,10
0048CB2F 8945 F4 mov dword ptr ss:[ebp-C],eax
0048CB32 68 04000080 push 80000004
0048CB37 6A 00 push 0
0048CB39 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0048CB3C 85C0 test eax,eax
0048CB3E 75 05 jnz short 123.0048CB45
0048CB40 B8 62644100 mov eax,123.00416462
0048CB45 50 push eax
0048CB46 68 01000000 push 1
0048CB4B BB 64010000 mov ebx,164
0048CB50 E8 07360000 call 123.0049015C
0048CB55 83C4 10 add esp,10
0048CB58 8945 EC mov dword ptr ss:[ebp-14],eax
0048CB5B 8955 F0 mov dword ptr ss:[ebp-10],edx
0048CB5E 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
0048CB61 85DB test ebx,ebx
0048CB63 74 09 je short 123.0048CB6E
0048CB65 53 push ebx
0048CB66 E8 FD350000 call 123.00490168
0048CB6B 83C4 04 add esp,4
0048CB6E DD45 EC fld qword ptr ss:[ebp-14]
0048CB71 E8 1A1FFEFF call 123.0046EA90 ;来到这里,很经典吧·!
0048CB76 8945 F8 mov dword ptr ss:[ebp-8],eax
0048CB79 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048CB7C 3945 F8 cmp dword ptr ss:[ebp-8],eax ;这里查看EAX的十进制为45404440
[ebp-8]为1357924680 ~~^_^~~
0048CB7F 0F85 5D040000 jnz 123.0048CFE2 ;跳则GAME OVER!
0048CB85 6A FF push -1
0048CB87 6A 08 push 8
0048CB89 68 DC020116 push 160102DC
0048CB8E 68 CF000152 push 520100CF
总结:由于是浮点运算,比较麻烦,懒得分析,先搞个注册码用了再说。
注册号:3D1054306
密码:21096252
注册码:45404440(好怪哦!)
附:注册信息保存在:HKEY_CURRENT_UESR\SOFTWARE\JSMKK\LOGIN 删掉该键值又可继续研究 |
|
IP卡
发表于 2005-2-18 14:26:43
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2005-2-23 09:13:24
发表于 2005-3-31 20:33:47
发表于 2006-2-19 10:36:26
发表于 2006-3-4 14:07:15
