- UID
- 37460
注册时间2007-11-5
阅读权限20
最后登录1970-1-1
以武会友
 
TA的每日心情 | 开心
5 天前 |
|---|
签到天数: 53 天 [LV.5]常住居民I
|
XX执业资格考试宝典3.0爆破
本人小菜一个,不会算法,初学爆破,高手不要见笑。
查壳:ASPack 2.12 -> Alexey Solodovnikov
脱之
OD载入,查找字符串,找到正式版 ,
双击来到,
005E6911 . 8B55 F0 mov edx, dword ptr [ebp-10]
005E6914 . 8D45 FC lea eax, dword ptr [ebp-4]
005E6917 . 59 pop ecx
005E6918 . E8 13F3E1FF call 00405C30
005E691D . E8 EE32F9FF call 00579C10 关键CALL
005E6922 . 8BD8 mov ebx, eax
005E6924 . 889E D8030000 mov byte ptr [esi+3D8], bl
005E692A . 84DB test bl, bl
005E692C 74 0F je short 005E693D
005E692E . 8D45 FC lea eax, dword ptr [ebp-4]
005E6931 . BA E06A5E00 mov edx, 005E6AE0 ; [正式版]
005E6936 . E8 A9F2E1FF call 00405BE4
005E693B . EB 0D jmp short 005E694A
005E693D > 8D45 FC lea eax, dword ptr [ebp-4]
005E6940 . BA F46A5E00 mov edx, 005E6AF4 ; [试用版]
005E6945 . E8 9AF2E1FF call 00405BE4
005E694A > A1 DC715F00 mov eax, dword ptr [5F71DC]
005E694F . 8B00 mov eax, dword ptr [eax]
005E6951 . 8B55 FC mov edx, dword ptr [ebp-4]
005E6954 . E8 7BDDEEFF call 004D46D4
找到上面的关键调用 call 00579C10
F2 下断
F9 运行
来到关键CALL,F7跟进
00579C10 /$ 55 push ebp
00579C11 |. 8BEC mov ebp, esp
00579C13 |. 81C4 D4FEFFFF add esp, -12C
00579C19 |. 53 push ebx
00579C1A |. 33C0 xor eax, eax
00579C1C |. 8985 DCFEFFFF mov dword ptr [ebp-124], eax
00579C22 |. 8985 D8FEFFFF mov dword ptr [ebp-128], eax
00579C28 |. 8985 D4FEFFFF mov dword ptr [ebp-12C], eax
00579C2E |. 8985 E0FEFFFF mov dword ptr [ebp-120], eax
00579C34 |. 8985 E4FEFFFF mov dword ptr [ebp-11C], eax
00579C3A |. 8985 ECFEFFFF mov dword ptr [ebp-114], eax
00579C40 |. 8985 E8FEFFFF mov dword ptr [ebp-118], eax
00579C46 |. 8945 FC mov dword ptr [ebp-4], eax
00579C49 |. 8945 F8 mov dword ptr [ebp-8], eax
00579C4C |. 33C0 xor eax, eax
00579C4E |. 55 push ebp
00579C4F |. 68 BC9D5700 push 00579DBC
00579C54 |. 64:FF30 push dword ptr fs:[eax]
00579C57 |. 64:8920 mov dword ptr fs:[eax], esp
00579C5A |. 8D95 E8FEFFFF lea edx, dword ptr [ebp-118]
00579C60 |. A1 DC715F00 mov eax, dword ptr [5F71DC]
00579C65 |. 8B00 mov eax, dword ptr [eax]
00579C67 |. E8 70B8F5FF call 004D54DC
00579C6C |. 8B85 E8FEFFFF mov eax, dword ptr [ebp-118]
00579C72 |. 8D95 ECFEFFFF lea edx, dword ptr [ebp-114]
00579C78 |. E8 B71AE9FF call 0040B734
00579C7D |. 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
00579C83 |. BA D49D5700 mov edx, 00579DD4
00579C88 |. E8 57BFE8FF call 00405BE4
00579C8D |. 8B95 ECFEFFFF mov edx, dword ptr [ebp-114]
00579C93 |. 8D85 F0FEFFFF lea eax, dword ptr [ebp-110]
00579C99 |. B9 FF000000 mov ecx, 0FF
00579C9E |. E8 11BFE8FF call 00405BB4
00579CA3 |. 8D85 E4FEFFFF lea eax, dword ptr [ebp-11C]
00579CA9 |. 8D95 F0FEFFFF lea edx, dword ptr [ebp-110]
00579CAF |. E8 ACBEE8FF call 00405B60
00579CB4 |. 8B8D E4FEFFFF mov ecx, dword ptr [ebp-11C]
00579CBA |. B2 01 mov dl, 1
00579CBC |. A1 203E4800 mov eax, dword ptr [483E20]
00579CC1 |. E8 12A2F0FF call 00483ED8
00579CC6 |. 8945 F0 mov dword ptr [ebp-10], eax
00579CC9 |. 33C0 xor eax, eax
00579CCB |. 55 push ebp
00579CCC |. 68 8A9D5700 push 00579D8A
00579CD1 |. 64:FF30 push dword ptr fs:[eax]
00579CD4 |. 64:8920 mov dword ptr fs:[eax], esp
00579CD7 |. 6A 00 push 0
00579CD9 |. 8D85 E0FEFFFF lea eax, dword ptr [ebp-120]
00579CDF |. 50 push eax
00579CE0 |. B9 EC9D5700 mov ecx, 00579DEC
00579CE5 |. BA FC9D5700 mov edx, 00579DFC
00579CEA |. 8B45 F0 mov eax, dword ptr [ebp-10]
00579CED |. 8B18 mov ebx, dword ptr [eax]
00579CEF |. FF13 call dword ptr [ebx]
00579CF1 |. 8B85 E0FEFFFF mov eax, dword ptr [ebp-120]
00579CF7 |. 8D4D FC lea ecx, dword ptr [ebp-4]
00579CFA |. 8B15 DC6C5F00 mov edx, dword ptr [5F6CDC]
00579D00 |. 0FB712 movzx edx, word ptr [edx]
00579D03 |. E8 00B7FFFF call 00575408
00579D08 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
00579D0E |. E8 55EEFFFF call 00578B68
00579D13 |. FFB5 DCFEFFFF push dword ptr [ebp-124]
00579D19 |. 68 0C9E5700 push 00579E0C
00579D1E |. 8D85 D8FEFFFF lea eax, dword ptr [ebp-128]
00579D24 |. 8B15 F8715F00 mov edx, dword ptr [5F71F8]
00579D2A |. 81C2 04010000 add edx, 104
00579D30 |. E8 2BBEE8FF call 00405B60
00579D35 |. FFB5 D8FEFFFF push dword ptr [ebp-128]
00579D3B |. 8D85 D4FEFFFF lea eax, dword ptr [ebp-12C]
00579D41 |. 8B15 F8715F00 mov edx, dword ptr [5F71F8]
00579D47 |. 81C2 04020000 add edx, 204
00579D4D |. E8 0EBEE8FF call 00405B60
00579D52 |. FFB5 D4FEFFFF push dword ptr [ebp-12C]
00579D58 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00579D5B |. BA 04000000 mov edx, 4
00579D60 |. E8 47BFE8FF call 00405CAC
00579D65 |. 8B45 FC mov eax, dword ptr [ebp-4]
00579D68 |. 8B55 F8 mov edx, dword ptr [ebp-8]
00579D6B |. E8 D0BFE8FF call 00405D40
00579D70 0F9445 F7 sete byte ptr [ebp-9] 改为 setge byte ptr [ebp-9]
00579D74 33C0 xor eax, eax
00579D76 |. 5A pop edx
00579D77 |. 59 pop ecx
00579D78 |. 59 pop ecx
00579D79 |. 64:8910 mov dword ptr fs:[eax], edx
00579D7C |. 68 919D5700 push 00579D91
00579D81 |> 8B45 F0 mov eax, dword ptr [ebp-10]
00579D84 |. E8 5FABE8FF call 004048E8
00579D89 \. C3 retn
一路F8,来到 00579D70 0F9445 F7 sete byte ptr [ebp-9]
此处为 标志位测试,
此处若 byte ptr [ebp-9] 值为0,测试条件为假,为试用版;
反之, byte ptr [ebp-9] 值为1即为正式版。
00579D70 处爆破,为完美爆破,软件没有任何限制。
[ 本帖最后由 西门官人 于 2009-7-14 21:58 编辑 ] |
|
IP卡
发表于 2009-7-14 17:52:52
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2009-7-14 18:11:50
楼主
发表于 2009-7-14 22:06:09
发表于 2009-7-15 14:55:57
发表于 2009-7-17 06:50:19