WinRip 2.0 protection analysis and patch construction
Tools: OllyDbg 1.07a   Platform: Windows 2000 Professional
Once the 30-day trial period is over, the program shows a NAG and its functionality is limited. Starting from that observation, set a breakpoint on GetSystemTime, run the program, and after the break step back (return) one level at a time until you arrive here (0040ce45):
0040CDF8 /$ B8 18884300 MOV EAX,WinRip.00438818
0040CDFD |. E8 2EEB0000 CALL WinRip.0041B930
0040CE02 |. 83EC 68 SUB ESP,68
0040CE05 |. 53 PUSH EBX
0040CE06 |. 56 PUSH ESI
0040CE07 |. BB 7CBA4300 MOV EBX,WinRip.0043BA7C
0040CE0C |. 57 PUSH EDI
0040CE0D |. 8BF1 MOV ESI,ECX
0040CE0F |. 895D D4 MOV [LOCAL.11],EBX
0040CE12 |. E8 94E0FFFF CALL WinRip.0040AEAB
0040CE17 |. 33FF XOR EDI,EDI
0040CE19 |. 8D4D D4 LEA ECX,[LOCAL.11]
0040CE1C |. 57 PUSH EDI ; /Arg2 => 00000000
0040CE1D |. 50 PUSH EAX ; |Arg1
0040CE1E |. E8 FFF8FFFF CALL WinRip.0040C722 ; \WinRip.0040C722
0040CE23 |. 57 PUSH EDI
0040CE24 |. 897D FC MOV [LOCAL.1],EDI
0040CE27 |. FF15 14AA4300 CALL [DWORD DS:<&ole32.CoInitialize>] ; ole32.CoInitialize
0040CE2D |. 3BC7 CMP EAX,EDI
0040CE2F |. 8945 F0 MOV [LOCAL.4],EAX
0040CE32 |. 7C 7B JL SHORT WinRip.0040CEAF
0040CE34 |. 8D45 EC LEA EAX,[LOCAL.5]
0040CE37 |. 50 PUSH EAX
0040CE38 |. 68 E4B74300 PUSH WinRip.0043B7E4
0040CE3D |. 6A 01 PUSH 1
0040CE3F |. 57 PUSH EDI
0040CE40 |. 68 44B84300 PUSH WinRip.0043B844
0040CE45 |. FF15 0CAA4300 CALL [DWORD DS:<&ole32.CoCreateInstance>] ; ole32.CoCreateInstance <the GetSystemTime break returns to here: the system time is read inside the COM object created by this call>
0040CE4B |. 3BC7 CMP EAX,EDI
0040CE4D |. 8945 F0 MOV [LOCAL.4],EAX
0040CE50 |. 7C 57 JL SHORT WinRip.0040CEA9
0040CE52 |. 6A 40 PUSH 40 ; /n = 40 (64.)
0040CE54 |. 8D45 94 LEA EAX,[LOCAL.27] ; |
0040CE57 |. 57 PUSH EDI ; |c
0040CE58 |. 50 PUSH EAX ; |s
0040CE59 |. 897D 90 MOV [LOCAL.28],EDI ; |
0040CE5C |. E8 F5EA0000 CALL <JMP.&MSVCRT.memset> ; \memset
0040CE61 |. 8D86 F0000000 LEA EAX,[DWORD DS:ESI+F0]
0040CE67 |. 6A 40 PUSH 40 ; /maxlen = 40 (64.)
0040CE69 |. 50 PUSH EAX ; |src
0040CE6A |. 8D45 94 LEA EAX,[LOCAL.27] ; |
0040CE6D |. 50 PUSH EAX ; |dest
0040CE6E |. FF15 E4A74300 CALL [DWORD DS:<&MSVCRT.strncpy>] ; \strncpy
0040CE74 |. 8B86 30010000 MOV EAX,[DWORD DS:ESI+130]
0040CE7A |. 83C4 18 ADD ESP,18
0040CE7D |. 8945 90 MOV [LOCAL.28],EAX
0040CE80 |. C745 8C 050000>MOV [LOCAL.29],5
0040CE87 |. E8 48000000 CALL WinRip.0040CED4 <step into this one; see below>
0040CE8C |. 8B4D EC MOV ECX,[LOCAL.5]
0040CE8F |. 50 PUSH EAX <argument 1: 0 means the trial has expired; the normal value is 1E (30, the trial days remaining on a fresh install)>
0040CE90 |. FF75 08 PUSH [ARG.1]
0040CE93 |. 8D45 8C LEA EAX,[LOCAL.29]
0040CE96 |. 8B11 MOV EDX,[DWORD DS:ECX]
0040CE98 |. 50 PUSH EAX
0040CE99 |. 51 PUSH ECX
0040CE9A |. FF52 10 CALL [DWORD DS:EDX+10] <calls appregag.10003c31, which decides from argument 1 whether to show the NAG and limit functionality>
0040CE9D |. 8945 F0 MOV [LOCAL.4],EAX
0040CEA0 |. 8B45 EC MOV EAX,[LOCAL.5]
0040CEA3 |. 50 PUSH EAX
0040CEA4 |. 8B08 MOV ECX,[DWORD DS:EAX]
0040CEA6 |. FF51 08 CALL [DWORD DS:ECX+8]
0040CEA9 |> FF15 10AA4300 CALL [DWORD DS:<&ole32.CoUninitialize>] ; ole32.CoUninitialize
0040CEAF |> 397D E8 CMP [LOCAL.6],EDI
0040CEB2 |. 5F POP EDI
0040CEB3 |. 895D D4 MOV [LOCAL.11],EBX
0040CEB6 |. 5E POP ESI
0040CEB7 |. 5B POP EBX
0040CEB8 |. 74 09 JE SHORT WinRip.0040CEC3
0040CEBA |. FF75 E8 PUSH [LOCAL.6] ; /hObject
0040CEBD |. FF15 ACA14300 CALL [DWORD DS:<&KERNEL32.CloseHandle>] ; \CloseHandle
0040CEC3 |> 8B4D F4 MOV ECX,[LOCAL.3]
0040CEC6 |. 8B45 F0 MOV EAX,[LOCAL.4]
0040CEC9 |. 64:890D 000000>MOV [DWORD FS:0],ECX
0040CED0 |. C9 LEAVE
0040CED1 \. C2 0400 RETN 4
=====<<called from 40CE87>>===================================================================
0040CED4 /$ 56 PUSH ESI
0040CED5 |. E8 D1DFFFFF CALL WinRip.0040AEAB
0040CEDA |. 50 PUSH EAX
0040CEDB |. E8 65DBFFFF CALL WinRip.0040AA45
0040CEE0 |. 8BF0 MOV ESI,EAX
0040CEE2 |. 59 POP ECX
0040CEE3 |. 85F6 TEST ESI,ESI
0040CEE5 |. 74 17 JE SHORT WinRip.0040CEFE
0040CEE7 |. 57 PUSH EDI
0040CEE8 |. 8BCE MOV ECX,ESI
0040CEEA |. E8 719A0200 CALL WinRip.00436960 <this call determines argument 1; step into it. The target code is generated (decoded) at run time, so you only see it if you set a breakpoint here first and let the program reach it>
0040CEEF |. 8BF8 MOV EDI,EAX
0040CEF1 |. 8B06 MOV EAX,[DWORD DS:ESI]
0040CEF3 |. 6A 01 PUSH 1
0040CEF5 |. 8BCE MOV ECX,ESI
0040CEF7 |. FF10 CALL [DWORD DS:EAX]
0040CEF9 |. 8BC7 MOV EAX,EDI
0040CEFB |. 5F POP EDI
0040CEFC |. 5E POP ESI
0040CEFD |. C3 RETN
0040CEFE |> 33C0 XOR EAX,EAX <if this instruction executes, the NAG appears and functionality is limited>
0040CF00 |. 5E POP ESI
0040CF01 \. C3 RETN
=====<<called from 40CEEA; note: this block of code is generated at run time>>============================
00436960 /$ 51 PUSH ECX
00436961 |. 56 PUSH ESI
00436962 |. 8D4424 04 LEA EAX,[DWORD SS:ESP+4]
00436966 |. 50 PUSH EAX ; /timer
00436967 |. 8BF1 MOV ESI,ECX ; |
00436969 |. FF15 D4A74300 CALL [DWORD DS:<&MSVCRT.time>] ; \time
0043696F |. 83C4 04 ADD ESP,4
00436972 |. 8BCE MOV ECX,ESI
00436974 |. E8 77FFFFFF CALL WinRip.004368F0 <inside this call, the subroutine at 4368F9 reads the disk volume serial number and the subroutine at 436931 queries the registry>
00436979 |. 8B4C24 04 MOV ECX,[DWORD SS:ESP+4] <ecx = current time from time()>
0043697D |. 2BC8 SUB ECX,EAX <ecx = current time minus the value returned by 4368F0, i.e. elapsed seconds>
0043697F |. B8 07452EC2 MOV EAX,C22E4507 <magic multiplier: together with the SAR EDX,10 and the sign fix below this is a signed divide by 86400 (0x15180, seconds per day)>
00436984 |. F7E9 IMUL ECX
00436986 |. 8B46 14 MOV EAX,[DWORD DS:ESI+14] <value 1E, i.e. 30 decimal>
00436989 |. 03D1 ADD EDX,ECX
0043698B |. C1FA 10 SAR EDX,10
0043698E |. 8BCA MOV ECX,EDX
00436990 |. C1E9 1F SHR ECX,1F
00436993 |. 03D1 ADD EDX,ECX <edx = elapsed days>
00436995 |. 3BD0 CMP EDX,EAX <elapsed days compared with 30>
00436997 |. 5E POP ESI
00436998 |. 7E 04 JLE SHORT WinRip.0043699E <change this to JMP SHORT WinRip.004369A4 and all restrictions are gone: the routine then always returns EAX = 1E. The bytes are EB 0A, since the rel8 displacement is 004369A4 - 0043699A = 0A>
0043699A |. 33C0 XOR EAX,EAX <more than 30 days elapsed: return 0, expired>
0043699C |. 59 POP ECX
0043699D |. C3 RETN
0043699E |> 85D2 TEST EDX,EDX
004369A0 |. 7E 02 JLE SHORT WinRip.004369A4 <elapsed days <= 0 (clock before the recorded time): return the full 1E>
004369A2 |. 2BC2 SUB EAX,EDX <otherwise return 30 minus the elapsed days>
004369A4 |> 59 POP ECX
004369A5 \. C3 RETN
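To make the arithmetic in the routine above concrete, here is a C replica of it. This is an added example, not WinRip's code: `installed` stands for the value returned by 004368F0 (the page only says that routine reads the volume serial and the registry; treating its result as a recorded timestamp is an assumption), `limit_days` is [ESI+14], and `div86400_magic` reproduces the IMUL/SAR/sign-fix sequence so you can check that it really is a truncating divide by 86400. The patched variant shows what the JLE-to-JMP change does to the return value.

```c
/* trial_check.c: C replica of the run-time-decoded routine at 00436960 (added example). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* MOV EAX,C22E4507 / IMUL ECX / ADD EDX,ECX / SAR EDX,10 / MOV ECX,EDX /
 * SHR ECX,1F / ADD EDX,ECX: signed n / 86400 done with a multiply, the way a
 * compiler emits division by a constant. Arithmetic right shift of a negative
 * value is assumed (true for gcc/clang/MSVC). */
static int32_t div86400_magic(int32_t n)
{
    int64_t prod = (int64_t)(int32_t)0xC22E4507 * (int64_t)n;  /* EDX:EAX = magic * ECX */
    int32_t edx = (int32_t)(uint32_t)((uint64_t)prod >> 32);   /* high dword */
    edx += n;                                                  /* ADD EDX,ECX */
    edx >>= 16;                                                /* SAR EDX,10 */
    edx += (int32_t)((uint32_t)edx >> 31);                     /* +1 for negative: round toward zero */
    return edx;
}

/* Branch logic from 00436995 onward. Returns the value pushed as "argument 1"
 * at 0040CE8F: 0 means expired, anything else is the number of trial days left. */
static int32_t trial_days_left(int32_t now, int32_t installed, int32_t limit_days)
{
    int32_t elapsed = (int32_t)((uint32_t)now - (uint32_t)installed);   /* SUB ECX,EAX */
    int32_t elapsed_days = div86400_magic(elapsed);
    if (elapsed_days > limit_days) return 0;          /* JLE not taken -> XOR EAX,EAX */
    if (elapsed_days <= 0)        return limit_days;  /* TEST EDX,EDX / JLE 004369A4 */
    return limit_days - elapsed_days;                 /* SUB EAX,EDX */
}

/* The same routine after the patch (JLE at 00436998 -> JMP SHORT 004369A4):
 * the comparison still happens, but EAX keeps [ESI+14] whatever it says. */
static int32_t trial_days_left_patched(int32_t now, int32_t installed, int32_t limit_days)
{
    (void)div86400_magic((int32_t)((uint32_t)now - (uint32_t)installed));
    return limit_days;
}

int main(void)
{
    const int32_t installed = 1030000000;   /* constructed install time (seconds since the epoch) */
    const int32_t days[] = { -1, 0, 1, 29, 30, 31, 400 };
    for (size_t i = 0; i < sizeof days / sizeof days[0]; i++) {
        int32_t now = installed + days[i] * 86400 + 3600;   /* one hour into the given day */
        printf("%4d days after install: original=%2d  patched=%2d\n", days[i],
               trial_days_left(now, installed, 0x1E),
               trial_days_left_patched(now, installed, 0x1E));
    }
    return 0;
}
```

Note the edge the listing implies: on day 30 exactly, `30 - 30` is 0, which the caller treats as expired, so the trial is 30 days counted from day 1, not 31; and a clock set back before the recorded time yields the full period again, which is why the check also anchors to the volume serial and registry.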
=====<<this is where the code above gets decoded>>============================
00435F06 |> 3BCF CMP ECX,EDI <ECX/EDI = start/end of the region to decode: 40c8f8-40cc2e and 436200-436f50>
00435F08 |. 8B45 08 MOV EAX,[ARG.1] <initial key: B672AB32 and 78F03D5D>
00435F0B |. 73 3B JNB SHORT WinRip.00435F48
00435F0D |. 8D49 00 LEA ECX,[DWORD DS:ECX]
00435F10 |> 8B31 /MOV ESI,[DWORD DS:ECX] <load the encoded dword into esi>
00435F12 |. 33F0 |XOR ESI,EAX <esi = esi ^ eax: this XOR is the core of the decoder>
00435F14 |. 8BD6 |MOV EDX,ESI <edx = esi (the decoded dword)>
00435F16 |. 03C2 |ADD EAX,EDX <eax = eax + edx: the key is advanced with the decoded dword, not the encoded one>
00435F18 |. 8931 |MOV [DWORD DS:ECX],ESI <store the decoded dword>
00435F1A |. 8BD0 |MOV EDX,EAX <edx = eax>
00435F1C |. C1EA 06 |SHR EDX,6 <edx = eax >> 6>
00435F1F |. 8BF0 |MOV ESI,EAX <esi = eax>
00435F21 |. 81E2 00F80700 |AND EDX,7F800 <edx = edx & 0x7f800>
00435F27 |. 81E6 00F80700 |AND ESI,7F800 <esi = esi & 0x7f800>
00435F2D |. 33D6 |XOR EDX,ESI <edx = edx ^ esi>
00435F2F |. 8BF0 |MOV ESI,EAX <esi = eax>
00435F31 |. C1EA 0B |SHR EDX,0B <edx = edx >> 11>
00435F34 |. 81E6 FF000000 |AND ESI,0FF <esi = esi & 0xff>
00435F3A |. 33D6 |XOR EDX,ESI <edx = edx ^ esi>
00435F3C |. C1E0 08 |SHL EAX,8 <eax = eax << 8 (eax * 0x100, top byte dropped)>
00435F3F |. 83C1 04 |ADD ECX,4 <ecx = ecx + 4>
00435F42 |. 0BC2 |OR EAX,EDX <eax = eax | edx: this is the key for the next dword>
00435F44 |. 3BCF |CMP ECX,EDI <loop condition>
00435F46 |.^72 C8 \JB SHORT WinRip.00435F10 <jump back and fetch the next dword to decode>
00435F48 |> 5F POP EDI
Patch principle:
1. From the decoding loop above, write a decoding routine DeCode(Byte buff[]) and its counterpart EnCode(Byte buff[]). The XOR itself is symmetric, but the key schedule is fed the decoded dword, so EnCode must XOR each plaintext dword with the current key and then advance the key from that plaintext dword; calling DeCode a second time on decoded data does not give back the original bytes.
2. Open "WinRip.exe", read the region 436200-436f50 (0xD50 bytes) into Byte buff[0xD50], and decode it with DeCode(Byte buff[]) using the initial key listed for this region. Decode the whole region from its start, because the key for each dword depends on every dword before it. The addresses are virtual addresses, so convert them to a file offset through the PE section table before reading.
3. Set buff[0x798] and buff[0x799] to EB and 0A respectively (the JLE at 00436998 lies 00436998 - 00436200 = 0x798 bytes into the region; EB 0A is JMP SHORT 004369A4).
4. Re-encode buff[] with EnCode(Byte buff[]). Every dword from offset 0x798 onward changes on disk, since the key chain runs through the patched plaintext; that is why the whole region is processed rather than the two bytes alone.
5. Write buff[] back to the file at the same offset.
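The decoder loop at 00435F10 and the five patch steps, carried out end to end in C as an added example (not WinRip's code and not the original author's DeCode). The sample region is the 70 bytes of 00436960..004369A5 transcribed from the listing above, padded to a dword multiple and treated as if it started at 00436960; SAMPLE_KEY is an assumption (the page gives 78F03D5D as the initial value for the region starting at 436200, and in the real file the key at 00436960 is whatever the chain has reached by then). On the real file you would read the 0xD50-byte region at the file offset that corresponds to VA 436200, use SAMPLE_BASE 0x436200 and the listed key, and the same functions apply.

```c
/* winrip_region_patch.c: DeCode/EnCode for the keystream at 00435F10 plus the patch (added example). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Key schedule, 00435F16..00435F42. It consumes the DECODED dword, so the encoder
 * must feed it the plaintext as well; running the decoder twice is not an inverse. */
static uint32_t advance_key(uint32_t key, uint32_t plain)
{
    uint32_t eax = key + plain;                 /* ADD EAX,EDX */
    uint32_t edx = (eax >> 6) & 0x7F800u;       /* MOV EDX,EAX; SHR EDX,6; AND EDX,7F800 */
    edx ^= eax & 0x7F800u;                      /* MOV ESI,EAX; AND ESI,7F800; XOR EDX,ESI */
    edx >>= 11;                                 /* SHR EDX,0B */
    edx ^= eax & 0xFFu;                         /* MOV ESI,EAX; AND ESI,0FF; XOR EDX,ESI */
    return (eax << 8) | edx;                    /* SHL EAX,8; OR EAX,EDX */
}

/* DeCode: the loop at 00435F10, in place. It runs while ECX < EDI, so a region whose
 * length is not a multiple of 4 gets its last dword processed whole; pass a padded buffer. */
static void winrip_decode(uint8_t *buf, size_t len, uint32_t key)
{
    for (size_t off = 0; off < len; off += 4) {
        uint32_t plain = load_le32(buf + off) ^ key;   /* MOV ESI,[ECX]; XOR ESI,EAX */
        store_le32(buf + off, plain);                  /* MOV [ECX],ESI */
        key = advance_key(key, plain);
    }
}

/* EnCode: same XOR, same schedule, but the schedule sees the input (plaintext) dword. */
static void winrip_encode(uint8_t *buf, size_t len, uint32_t key)
{
    for (size_t off = 0; off < len; off += 4) {
        uint32_t plain = load_le32(buf + off);
        store_le32(buf + off, plain ^ key);
        key = advance_key(key, plain);
    }
}

/* Step 3: JLE SHORT 0043699E (7E 04) at 00436998 -> JMP SHORT 004369A4 (EB 0A,
 * rel8 = 004369A4 - 0043699A). region_base is the virtual address of buf[0].
 * Refuses to write unless the expected bytes are there. Returns 0 on success. */
static int patch_trial_check(uint8_t *buf, size_t len, uint32_t region_base)
{
    const uint32_t jle_va = 0x00436998u;
    if (jle_va < region_base) return -1;
    size_t off = jle_va - region_base;
    if (off + 2 > len || buf[off] != 0x7E || buf[off + 1] != 0x04) return -1;
    buf[off] = 0xEB;
    buf[off + 1] = 0x0A;
    return 0;
}

#define SAMPLE_BASE 0x00436960u
#define SAMPLE_KEY  0x78F03D5Du   /* assumed; see the lead-in */

/* Constructed sample: 00436960..004369A5 from the listing, plus two zero pad bytes. */
static const uint8_t sample_code[72] = {
    0x51, 0x56, 0x8D, 0x44, 0x24, 0x04, 0x50, 0x8B, 0xF1,                   /* 00436960 */
    0xFF, 0x15, 0xD4, 0xA7, 0x43, 0x00, 0x83, 0xC4, 0x04, 0x8B, 0xCE,       /* 00436969 */
    0xE8, 0x77, 0xFF, 0xFF, 0xFF, 0x8B, 0x4C, 0x24, 0x04, 0x2B, 0xC8,       /* 00436974 */
    0xB8, 0x07, 0x45, 0x2E, 0xC2, 0xF7, 0xE9, 0x8B, 0x46, 0x14,             /* 0043697F */
    0x03, 0xD1, 0xC1, 0xFA, 0x10, 0x8B, 0xCA, 0xC1, 0xE9, 0x1F,             /* 00436989 */
    0x03, 0xD1, 0x3B, 0xD0, 0x5E,                                           /* 00436993 */
    0x7E, 0x04,                                                             /* 00436998: the JLE */
    0x33, 0xC0, 0x59, 0xC3, 0x85, 0xD2, 0x7E, 0x02, 0x2B, 0xC2, 0x59, 0xC3, /* 0043699A */
    0x00, 0x00                                                              /* padding */
};

/* Steps 2-5 on the sample, with the checks a real run should make.
 * Returns 1 when every check holds, 0 at the first one that fails. */
static int patch_demo(void)
{
    uint8_t on_disk[sizeof sample_code], work[sizeof sample_code];
    size_t jle = 0x00436998u - SAMPLE_BASE;                     /* 0x38 */

    memcpy(on_disk, sample_code, sizeof on_disk);
    winrip_encode(on_disk, sizeof on_disk, SAMPLE_KEY);         /* what the file would hold */
    if (memcmp(on_disk, sample_code, sizeof on_disk) == 0) return 0;

    memcpy(work, on_disk, sizeof work);
    winrip_decode(work, sizeof work, SAMPLE_KEY);               /* step 2 */
    if (memcmp(work, sample_code, sizeof work) != 0) return 0;

    if (patch_trial_check(work, sizeof work, SAMPLE_BASE) != 0) return 0;   /* step 3 */
    winrip_encode(work, sizeof work, SAMPLE_KEY);               /* step 4 */
    /* Dwords before the patch are byte-identical on disk; from the patched dword on
     * they all differ, because the schedule is chained through the plaintext. */
    if (memcmp(work, on_disk, jle) != 0) return 0;
    if (memcmp(work + jle, on_disk + jle, sizeof work - jle) == 0) return 0;

    winrip_decode(work, sizeof work, SAMPLE_KEY);               /* what WinRip decodes at run time */
    if (work[jle] != 0xEB || work[jle + 1] != 0x0A) return 0;
    work[jle] = 0x7E; work[jle + 1] = 0x04;                     /* undo; the rest must be intact */
    return memcmp(work, sample_code, sizeof work) == 0;
}

int main(void)
{
    int ok = patch_demo();
    printf("patch demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The two memcmp checks after step 4 are the practical reason the whole region has to be rewritten: only the bytes before offset 0x798 (0x38 in this sample) stay the same on disk, and a patch that wrote just two bytes into the encoded file would desynchronise the key chain for everything after them.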
With that, the program is fully cracked.
youth 2002-8-23