* Possible StringData Ref from Data Obj ->"注册不成功。" ("Registration failed.")
Right, so find 00437221 and take a look:
...
:00437221 0F83E1010000 jnb 00437408
:00437227 C705EC454B0001000000 mov dword ptr [004B45EC], 00000001 ======> See that? The registration Flag!
:00437231 8B55A0 mov edx, dword ptr [ebp-60]
:00437234 8B8AFC020000 mov ecx, dword ptr [edx+000002FC]
:0043723A 81C108020000 add ecx, 00000208
:00437240 894D84 mov dword ptr [ebp-7C], ecx
:00437243 66C745B46800 mov [ebp-4C], 0068
:00437249 8D45DC lea eax, dword ptr [ebp-24]
:0043724C E857A6FCFF call 004018A8
:00437251 8BD0 mov edx, eax
:00437253 FF45C0 inc [ebp-40]
:00437256 8B4DA0 mov ecx, dword ptr [ebp-60]
:00437259 8B81DC020000 mov eax, dword ptr [ecx+000002DC]
:0043725F E898F60300 call 004768FC
:00437264 8D4DDC lea ecx, dword ptr [ebp-24]
:00437267 8B09 mov ecx, dword ptr [ecx]
:00437269 8B4584 mov eax, dword ptr [ebp-7C]
:0043726C 8B00 mov eax, dword ptr [eax]
:0043726E 33D2 xor edx, edx
:00437270 8B18 mov ebx, dword ptr [eax]
:00437272 FF5320 call [ebx+20]
:00437275 FF4DC0 dec [ebp-40]
:00437278 8D45DC lea eax, dword ptr [ebp-24]
:0043727B BA02000000 mov edx, 00000002
:00437280 E8B7B30700 call 004B263C
:00437285 8B4DA0 mov ecx, dword ptr [ebp-60]
:00437288 8B81FC020000 mov eax, dword ptr [ecx+0000
...
From `00437221 0F83E1010000 jnb 00437408` we can tell that this jump must not be taken: if it is taken, it's GAME OVER. The instruction right after the jump is `00437227 C705EC454B0001000000 mov dword ptr [004B45EC], 00000001`, so if the jump is not taken, a 1 is stored to an address. Good, that is where to start! To get that 1 stored, the jump above it must not be taken. This jnb is the 6-byte near form (0F 83 rel32), so overwrite the 6 bytes at 00437221 with 909090909090 (six NOPs, keeping every other instruction in place). Open Hacker's View, apply the change, run the program and register. Wow, registration succeeds, and the window shows "属于 xxx xxx" ("belongs to xxx xxx")! Cracked? Close it, run it again... damn, still an unregistered user!

No problem. As said before, this Flag is a global variable: every time the program starts it begins at its initial value (0), and something else has to set it to 1 again, so patching only the registration dialog leaves that other check untouched. What to do? Search for the hex bytes of the Flag-setting instruction, C705EC454B0001000000. The search turns up another occurrence:
:0040B9CE 83C408 add esp, 00000008
:0040B9D1 DC6DA0 fsubr qword ptr [ebp-60]
:0040B9D4 83C4F8 add esp, FFFFFFF8
:0040B9D7 DD1C24 fstp qword ptr [esp]
:0040B9DA E8B5F10900 call 004AAB94
:0040B9DF 83C408 add esp, 00000008
:0040B9E2 DC1D2CBC4000 fcomp qword ptr [0040BC2C]
:0040B9E8 DFE0 fstsw ax
:0040B9EA 9E sahf
:0040B9EB 734B jnb 0040BA38
:0040B9ED C705EC454B0001000000 mov dword ptr [004B45EC], 00000001 =====> here
:0040B9F7 66C745C07400 mov [ebp-40], 0074
:0040B9FD 8D45D8 lea eax, dword ptr [ebp-28]
:0040BA00 E8A35EFFFF call 004018A8
:0040BA05 8BC8 mov ecx, eax
:0040BA07 FF45CC inc [ebp-34]
:0040BA0A 8D55FC lea edx, dword ptr [ebp-04]
* Possible StringData Ref from Data Obj ->"仿真物理实验室 Ver1.01 属于 " ("Simulation Physics Laboratory Ver1.01, belongs to ")
|
:0040BA0D B89D474B00 mov eax, 004B479D
:0040BA12 E8416E0A00 call 004B2858
:0040BA17 8D55D8 lea edx, dword ptr [ebp-28]
:0040BA1A 8B12 mov edx, dword ptr [edx]
:0040BA1C A1B8754C00 mov eax, dword ptr [004C75B8]
:0040BA21 E806AF0600 call 0047692C
:0040BA26 FF4DCC dec [ebp-34]
:0040BA29 8D45D8 lea eax, dword ptr [ebp-28]
:0040BA2C BA02000000 mov edx, 00000002
:0040BA31 E8066C0A00 call 004B263C
:0040BA36 EB3A jmp 0040BA72
Looking one instruction up, there is another jump, and obviously it must not be taken either! This one is the 2-byte short form (73 rel8), so change `0040B9EB 734B jnb 0040BA38` to 9090 and search again. There is one more occurrence:
:0041998A DFE0 fstsw ax
:0041998C 9E sahf
:0041998D 734B jnb 004199DA
:0041998F C705EC454B0001000000 mov dword ptr [004B45EC], 00000001 =====> here
The jnb above it obviously cannot be allowed to jump either, so change it to 9090 as well. Searching further finds no more occurrences. Apply all three changes in Hacker's View and run the program: any registration code is accepted. Start it again: still the registered version. Check the various feature restrictions: gone as well. OK, cracked!
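The procedure above (search the image for every `mov dword ptr [004B45EC], 1`, find the conditional jump that skips each one, and overwrite that jump with NOPs of the same length) can be scripted. The following is an added example, not a tool from the page or from the program's author. It assumes 32-bit x86 code, that the flag is written with the direct `C7 05 disp32 imm32` encoding the page shows, and that the guarding Jcc sits immediately before the store (as at all three sites on the page). It goes slightly beyond the page by reporting stores of any immediate, so writes of 0 to the flag would show up too. The sample buffer is constructed from the page's own bytes at 00437221 and 0040B9E8 with 0xCC filler; mapping virtual addresses to file offsets through the PE section table (which Hacker's View does for you) is left out.

```python
import re
import struct

# Registration flag located on the page: a global dword at 004B45EC.
FLAG_VA = 0x004B45EC

# In 32-bit code, `mov dword ptr [disp32], imm32` is C7 05 <disp32> <imm32>.
# The page's search string C705EC454B0001000000 is this encoding with imm32 = 1;
# capturing the immediate lets the scan also report stores of 0 (flag cleared).
FLAG_STORE_RE = re.compile(
    re.escape(b"\xC7\x05" + struct.pack("<I", FLAG_VA)) + rb"(.{4})", re.DOTALL)

# Condition-code nibble of a Jcc opcode (7x short, 0F 8x near) -> mnemonic.
JCC_NAMES = ["jo", "jno", "jb", "jnb", "jz", "jnz", "jbe", "ja",
             "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def find_flag_stores(code, base_va):
    """Return (va, imm32) for every direct immediate store to FLAG_VA."""
    return [(base_va + m.start(), struct.unpack("<I", m.group(1))[0])
            for m in FLAG_STORE_RE.finditer(code)]


def guarding_branch(code, base_va, store_va):
    """Jcc directly before the store whose target lies beyond it, or None.

    Returns (jcc_va, length, mnemonic, target_va). Only the two encodings
    seen on the page are decoded: near 0F 8x rel32 (00437221) and short
    7x rel8 (0040B9EB, 0041998D). rel is relative to the end of the Jcc,
    which is exactly store_va.
    """
    off = store_va - base_va
    end_va = base_va + len(code)
    if off >= 6 and code[off - 6] == 0x0F and 0x80 <= code[off - 5] <= 0x8F:
        target = store_va + struct.unpack("<i", code[off - 4:off])[0]
        if store_va < target <= end_va:
            return (store_va - 6, 6, JCC_NAMES[code[off - 5] & 0xF], target)
    if off >= 2 and 0x70 <= code[off - 2] <= 0x7F:
        target = store_va + struct.unpack("<b", code[off - 1:off])[0]
        if store_va < target <= end_va:
            return (store_va - 2, 2, JCC_NAMES[code[off - 2] & 0xF], target)
    return None


def plan_patches(code, base_va):
    """For every `flag = 1` store, NOP the Jcc that would skip it.

    Each patch is (jcc_va, mnemonic, target_va, old_bytes, new_bytes); the
    NOP run has the same length as the branch so nothing else moves.
    """
    patches = []
    for store_va, imm in find_flag_stores(code, base_va):
        if imm != 1:
            continue  # stores of other values are reported, not patched
        jcc = guarding_branch(code, base_va, store_va)
        if jcc is None:
            continue
        jcc_va, length, name, target = jcc
        off = jcc_va - base_va
        patches.append((jcc_va, name, target,
                        bytes(code[off:off + length]), b"\x90" * length))
    return patches


def apply_patches(code, base_va, patches):
    """Apply patches to a copy of code, refusing if the original bytes changed."""
    out = bytearray(code)
    for jcc_va, _name, _target, old, new in patches:
        off = jcc_va - base_va
        if out[off:off + len(old)] != old:
            raise ValueError(f"bytes at {jcc_va:08X} do not match")
        out[off:off + len(new)] = new
    return bytes(out)


# Constructed sample: bytes from two of the page's sites, glued together
# with 0xCC filler so both branch targets fall inside the buffer.
SAMPLE_BASE = 0x00437221
SAMPLE_CODE = (
    b"\x0F\x83\xE1\x01\x00\x00"                    # 00437221 jnb 00437408 (near)
    + b"\xC7\x05\xEC\x45\x4B\x00\x01\x00\x00\x00"  # 00437227 mov [004B45EC], 1
    + b"\x8B\x55\xA0"                              # 00437231 mov edx, [ebp-60]
    + b"\xCC" * 0x200                              # filler (constructed)
    + b"\xDF\xE0\x9E"                              # fstsw ax; sahf (from 0040B9E8)
    + b"\x73\x4B"                                  # jnb +4B (short, from 0040B9EB)
    + b"\xC7\x05\xEC\x45\x4B\x00\x01\x00\x00\x00"  # mov [004B45EC], 1
    + b"\x66\xC7\x45\xC0\x74\x00"                  # mov word ptr [ebp-40], 74
    + b"\xCC" * 0x60                               # filler (constructed)
)

if __name__ == "__main__":
    for jcc_va, name, target, old, new in plan_patches(SAMPLE_CODE, SAMPLE_BASE):
        print(f"{jcc_va:08X} {old.hex().upper()} {name} {target:08X} -> {new.hex()}")
```

Two checks worth keeping when using this on a real image: `apply_patches` refuses to write if the bytes at the branch no longer match what was planned (a different build, or a site already patched), and the scan only catches stores that name the flag's address directly, so a write through a register (`mov [eax], 1` after `mov eax, 004B45EC`) would still have to be found by hand.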
Verified: the store at 437227 is the check of whether the registration code is correct when you register;
the store at 40b9ed is the registration-code check at startup;
the store at 41998f is the registration-code check when an experiment is opened.
Summary: for cracking this program, the focus should be on the Flag (every place it is written), not on any single jump; patching one jump fixes one check, while the global Flag is what ties all three checks together.
I have cracked quite a few programs with this method; it should count as one of the cracking techniques.