Brute-force cracking (binary patching) a fancy screensaver: the full walkthrough
First disassemble it with W32DASM 8.93 (Super Chinese Edition), then search, and you will find:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D097(C)
|
:0040D0AD 6A03 push 00000003
:0040D0AF E82C67FFFF call 004037E0
:0040D0B4 83C404 add esp, 00000004
:0040D0B7 8945F8 mov dword ptr [ebp-08], eax
:0040D0BA 837DF800 cmp dword ptr [ebp-08], 00000000
:0040D0BE 7414 je 0040D0D4 //-----> patch 74->75, i.e. je->jne (a bad code, eax=0, then falls through to "mov [0041FE00], 3")
:0040D0C0 C70500FE410003000000 mov dword ptr [0041FE00], 00000003
:0040D0CA 6A01 push 00000001
:0040D0CC E8A86EFFFF call 00403F79
:0040D0D1 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D0BE(C) //----------> the patched jump; see above.
|
:0040D0D4 833D00FE410000 cmp dword ptr [0041FE00], 00000000
:0040D0DB 7458 je 0040D135 //--------------- patch 74->75, i.e. je->jne
:0040D0DD C605B1DD410001 mov byte ptr [0041DDB1], 01
:0040D0E4 C605B2DD410001 mov byte ptr [0041DDB2], 01
:0040D0EB 833D00FE410001 cmp dword ptr [0041FE00], 00000001
:0040D0F2 7514 jne 0040D108 //----------------- patch 75->74, i.e. jne->je
* Possible StringData Ref from Data Obj ->"TEMP registration OK" //----- 2 fish!
|
:0040D0F4 6834E54100 push 0041E534
:0040D0F9 6892000000 push 00000092
:0040D0FE 8B4D08 mov ecx, dword ptr [ebp+08]
:0040D101 51 push ecx
* Reference To: USER32.SetDlgItemTextA, Ord:022Ch
|
:0040D102 FF1514A24100 Call dword ptr [0041A214]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D0F2(C) //------------- the patched jump; see above
|
:0040D108 833D00FE410002 cmp dword ptr [0041FE00], 00000002
:0040D10F 7514 jne 0040D125
* Possible StringData Ref from Data Obj ->"BASIC registration OK" //------- 3 fish!
|
:0040D111 684CE54100 push 0041E54C
:0040D116 6892000000 push 00000092
:0040D11B 8B5508 mov edx, dword ptr [ebp+08]
:0040D11E 52 push edx
* Reference To: USER32.SetDlgItemTextA, Ord:022Ch
|
:0040D11F FF1514A24100 Call dword ptr [0041A214]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D10F(C)
|
:0040D125 833D00FE410003 cmp dword ptr [0041FE00], 00000003 //----->
:0040D12C 7D07 jge 0040D135 //------> jumps if greater-or-equal, so change it to less-or-equal: 7D->7E (note that the exact inverse of jge 7D is jl 7C; 7E is jle, which also jumps on equal)
:0040D12E 33C0 xor eax, eax
:0040D130 E91B010000 jmp 0040D250
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D0DB(C), :0040D12C(C)
|
:0040D135 833D00FE410003 cmp dword ptr [0041FE00], 00000003
:0040D13C 7545 jne 0040D183 //-------- patch 75->74, i.e. jne->je
* Possible StringData Ref from Data Obj ->"DELUXE registration OK" //----- 7 fish!
|
:0040D13E 6864E54100 push 0041E564
:0040D143 6892000000 push 00000092
:0040D148 8B4508 mov eax, dword ptr [ebp+08]
:0040D14B 50 push eax
* Reference To: USER32.SetDlgItemTextA, Ord:022Ch
|
:0040D14C FF1514A24100 Call dword ptr [0041A214]
:0040D152 C605B1DD410001 mov byte ptr [0041DDB1], 01 //----
:0040D159 C605B2DD410001 mov byte ptr [0041DDB2], 01 //----
:0040D160 C605B3DD410001 mov byte ptr [0041DDB3], 01 //----
:0040D167 C605B4DD410001 mov byte ptr [0041DDB4], 01 //----
:0040D16E C605B5DD410001 mov byte ptr [0041DDB5], 01 //----
:0040D175 C605B6DD410001 mov byte ptr [0041DDB6], 01 //----
:0040D17C 33C0 xor eax, eax
:0040D17E E9CD000000 jmp 0040D250
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D13C(C) //------------------------- this follows the value above, so it has to be patched as well.
|
:0040D183 6878104200 push 00421078
:0040D188 6892000000 push 00000092
:0040D18D 8B4D08 mov ecx, dword ptr [ebp+08]
:0040D190 51 push ecx
* Reference To: USER32.SetDlgItemTextA, Ord:022Ch
|
:0040D191 FF1514A24100 Call dword ptr [0041A214]
:0040D197 33C0 xor eax, eax
:0040D199 E9B2000000 jmp 0040D250
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CFD1(C)
What follows was written from a hint by dyiyd; thanks, dyiyd.
With the changes above, any registration code registers, and as DELUXE, 7 fish!!! One check before flipping all five jumps, though: the jump at 0040D0BE is the one that decides whether [0041FE00] becomes 3, and once [0041FE00]=3 the original code already reaches the DELUXE branch on its own (0040D0DB not taken; 0040D0F2, 0040D10F and 0040D12C taken; 0040D13C not taken). So trace each of the other flips against that value before applying it; flipping 0040D13C to je, for instance, would route [0041FE00]=3 to the message at 0040D183 instead. But there is still the registration-box NAG at startup; let's remove it next.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404194(C)
|
:004041A0 833D00FE410000 cmp dword ptr [0041FE00], 00000000 //---- is [0041FE00] zero?
:004041A7 740E je 004041B7 //----- jumps when it is 0, and that is game over. 74->75, i.e. je->jne
:004041A9 C605B1DD410001 mov byte ptr [0041DDB1], 01
:004041B0 C605B2DD410001 mov byte ptr [0041DDB2], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004041A7(C)
|
:004041B7 6A03 push 00000003
:004041B9 E822F6FFFF call 004037E0
:004041BE 83C404 add esp, 00000004
:004041C1 85C0 test eax, eax
:004041C3 7434 je 004041F9 //------> jumps when eax=0, game over. 74->75, i.e. je->jne
:004041C5 C70500FE410003000000 mov dword ptr [0041FE00], 00000003 //----- sets [0041FE00]=3
:004041CF C605B1DD410001 mov byte ptr [0041DDB1], 01
:004041D6 C605B2DD410001 mov byte ptr [0041DDB2], 01
:004041DD C605B3DD410001 mov byte ptr [0041DDB3], 01
:004041E4 C605B4DD410001 mov byte ptr [0041DDB4], 01
:004041EB C605B5DD410001 mov byte ptr [0041DDB5], 01
:004041F2 C605B6DD410001 mov byte ptr [0041DDB6], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404186(C), :004041C3(C)
|
:004041F9 833D00FE410000 cmp dword ptr [0041FE00], 00000000
:00404200 7410 je 00404212
:00404202 837DFC00 cmp dword ptr [ebp-04], 00000000
:00404206 740A je 00404212
:00404208 6A01 push 00000001
:0040420A E86AFDFFFF call 00403F79
So all we need is to make [0041FE00]=3, and we can patch it like this. Note that flipping 004041C3 to jne inverts the check rather than removing it: a stored code that the routine at 004037E0 does accept (eax≠0) would then be the one that skips the assignment. Overwriting the two bytes 74 34 with 90 90 (nop nop) makes both outcomes fall through to mov [0041FE00], 3.
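The addresses W32DASM prints are virtual addresses, but a hex editor works on file offsets, so the two patches above (the one gating "mov [0041FE00], 3" in the registration handler and its twin in the startup NAG check) need a VA-to-offset translation through the PE section table, and the write should be refused if the file does not contain the bytes the listing shows. The script below is an added example, not code from the original post: it parses a PE32 header, translates the VAs, checks the expected encodings (74 14 at 0040D0BE, 74 34 at 004041C3, taken from the listing) and flips each short Jcc to its complement. Because the screensaver itself is not available here, the test image is a constructed minimal PE with one .text section; its layout (ImageBase 0x400000, section at RVA 0x1000, file offset 0x400) and the function names are assumptions. It also encodes the general rule the walkthrough uses implicitly: short Jcc opcodes 0x70-0x7F pair up by bit 0, so the inverse of jge (7D) is jl (7C), not jle (7E).

```python
import struct

# Short conditional jumps (opcodes 0x70-0x7F, one displacement byte) come in
# complementary pairs that differ only in bit 0, which is why "74 -> 75" turns
# je into jne.  The true inverse of jge (7D) is jl (7C); 7E is jle.
JCC_NAMES = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


def invert_jcc(opcode):
    """Return the opcode of the complementary short Jcc (je<->jne, jge<->jl, ...)."""
    if not 0x70 <= opcode <= 0x7F:
        raise ValueError("not a short Jcc opcode: %#x" % opcode)
    return opcode ^ 1


def pe_sections(data):
    """Parse a PE32 image: return (ImageBase, [(VirtualAddress, VirtualSize,
    PointerToRawData, SizeOfRawData), ...]) read from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header follows COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (not PE32+) is handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    first = opt + opt_size                                       # section headers, 40 bytes each
    sections = []
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, first + 40 * i + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(data, va):
    """Translate the virtual address W32DASM prints into a file offset."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            if delta >= rsize:
                raise ValueError("VA %#x has no bytes in the file" % va)
            return rptr + delta
    raise ValueError("VA %#x is outside every section" % va)


def flip_jump(data, va, expected):
    """Invert the short Jcc at `va` inside the bytearray `data`.  `expected` is the
    two-byte encoding from the listing; refuse to write if the file holds anything
    else (different build, or a wrong offset translation)."""
    off = va_to_offset(data, va)
    found = bytes(data[off:off + 2])
    if found != expected:
        raise ValueError("%#x: expected %s, found %s" % (va, expected.hex(), found.hex()))
    patched = bytes([invert_jcc(found[0]), found[1]])
    data[off:off + 2] = patched
    name = lambda op: JCC_NAMES.get(op, "j%02x" % op)
    return off, name(found[0]), name(patched[0])


# The two jumps from the walkthrough (encodings copied from the listing).
PATCHES = [(0x0040D0BE, bytes.fromhex("7414")), (0x004041C3, bytes.fromhex("7434"))]


def apply_patches(data, patches=PATCHES):
    """Apply every patch, returning (file offset, old mnemonic, new mnemonic) per jump."""
    return [flip_jump(data, va, enc) for va, enc in patches]


def build_sample_image():
    """Constructed stand-in for the screensaver (NOT the real file): a minimal PE32
    with one .text section at RVA 0x1000 / file offset 0x400, ImageBase 0x400000,
    holding the two jumps at the VAs from the listing.  Layout is an assumption."""
    image_base, text_rva, text_raw = 0x400000, 0x1000, 0x400
    text = bytearray(0x10000)
    for va, enc in PATCHES:
        pos = va - image_base - text_rva
        text[pos:pos + 2] = enc
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic
    struct.pack_into("<I", opt, 28, image_base)            # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(text), text_rva, len(text),
                                       text_raw, 0, 0, 0, 0, 0x60000020)
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                # e_lfanew
    pe = b"PE\0\0" + coff + bytes(opt) + sec
    hdr[0x80:0x80 + len(pe)] = pe
    return hdr + text


if __name__ == "__main__":
    img = bytearray(build_sample_image())                  # for the real target: bytearray(open(path, "rb").read())
    for off, old, new in apply_patches(img):
        print("file offset %#x: %s -> %s" % (off, old, new))
```

Running it against the real executable means loading that file into the bytearray instead of build_sample_image(); the expected-bytes check then guards against a different build of the screensaver, where the same VAs hold other instructions. Applying the script twice fails on purpose, because the second run finds 75 xx where it expects 74 xx.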