2003-12-26, 10:27 AM | #1
Honorary Member
Cracking ResTools' four programs in one go: ResScope1.35, freeRes0.94, HexEdit0.20, GetVBRes0.51, the full procedure
Today I happened to notice that ResTools' four programs, ResScope1.35, freeRes0.94, HexEdit0.20 and GetVBRes0.51, are all pretty good, so I downloaded the lot to study them. From my earlier experience with freeRes0.94 I know that all of these programs want a 40-character registration code typed in (horrible, my hands go numb typing it!). This time I'm not going to hunt for the registration code at all; I'll modify the software directly and spare myself the typing every time.

Now let's operate on them one by one!

The first is ResScope1.35. It turned out to be packed with ASPack, easily dealt with. After unpacking, open ResScope.exe in W32Dasm and search for the string "regcode"; that leads to the following code:

* Possible StringData Ref from Code Obj ->"regcode"   …… look below ↓↓↓
|
:004B9B4E BA249C4B00   mov edx, 004B9C24
:004B9B53 8B45F8       mov eax, dword ptr [ebp-08]
:004B9B56 E80DFAFFFF   call 004B9568

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9B49(C)
|
:004B9B5B 8B45F0       mov eax, dword ptr [ebp-10]
:004B9B5E E87DA3F4FF   call 00403EE0
:004B9B63 83F828       cmp eax, 00000028   …… this checks whether the registration code you entered is 40 characters (hex 28 is 40 in decimal)
:004B9B66 7538         jne 004B9BA0        …… if the code is not 40 characters, jump away
:004B9B68 8B45F4       mov eax, dword ptr [ebp-0C]
:004B9B6B E870A3F4FF   call 00403EE0
:004B9B70 85C0         test eax, eax
:004B9B72 7E2C         jle 004B9BA0
:004B9B74 68338C0000   push 00008C33
:004B9B79 8D45EC       lea eax, dword ptr [ebp-14]
:004B9B7C 50           push eax
:004B9B7D B982310000   mov ecx, 00003182
:004B9B82 BAD5030000   mov edx, 000003D5
:004B9B87 8B45F4       mov eax, dword ptr [ebp-0C]
:004B9B8A E80DFCFFFF   call 004B979C
:004B9B8F 8B45EC       mov eax, dword ptr [ebp-14]
:004B9B92 8B55F0       mov edx, dword ptr [ebp-10]
:004B9B95 E856A4F4FF   call 00403FF0
:004B9B9A 7504         jne 004B9BA0        …… this jumps to the same place as the 40-character check above, so needless to say it is the registration-failure location
:004B9B9C C645FF01     mov [ebp-01], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B9B03(C), :004B9B66(C), :004B9B72(C), :004B9B9A(C)
|
:004B9BA0 33C0         xor eax, eax
:004B9BA2 5A           pop edx
:004B9BA3 59           pop ecx
:004B9BA4 59           pop ecx
:004B9BA5 648910       mov dword ptr fs:[eax], edx
:004B9BA8 68BD9B4B00   push 004B9BBD

So this program's registration code really is 40 characters long; even if I found the right one, copying it down would be exhausting. Might as well make it accept any code, far less trouble! Hehe. I decided to NOP out the two jumps above, so that any username and a registration code of any length (including a zero-length code, i.e. no code at all) will do. So with UltraEdit I changed the two jumps 7538 and 7504 to 9090, and now any username registers successfully!

Note there is one more jump in the middle:

:004B9B72 7E2C         jle 004B9BA0

This one also goes to the registration-failure location and could be NOPed out as well, but then there would be no fun left in entering the registration info! Now try it: type in any registration info, ha, registered successfully!

First one done; the others are surely much the same. Next under the knife is GetVBRes0.51! Same packer again, easily handled! After unpacking, open GetVBRes.exe in W32Dasm and again search for the string "regcode"; that gives the following code:

* Possible StringData Ref from Code Obj ->"regcode"   …… look below ↓↓↓
|
:0049AE74 BAA8AF4900   mov edx, 0049AFA8
:0049AE79 8B45F8       mov eax, dword ptr [ebp-08]
:0049AE7C E8BFA3FCFF   call 00465240

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AE6F(C)
|
:0049AE81 8B45F0       mov eax, dword ptr [ebp-10]
:0049AE84 E83B8FF6FF   call 00403DC4
:0049AE89 83F828       cmp eax, 00000028   …… this checks whether the registration code you entered is 40 characters (hex 28 is 40 in decimal)
:0049AE8C 0F8591000000 jne 0049AF23        …… if the code is not 40 characters, jump away
:0049AE92 8B45F4       mov eax, dword ptr [ebp-0C]
:0049AE95 E82A8FF6FF   call 00403DC4
:0049AE9A 85C0         test eax, eax
:0049AE9C 0F8E81000000 jle 0049AF23
:0049AEA2 68368C0000   push 00008C36
:0049AEA7 8D45EC       lea eax, dword ptr [ebp-14]
:0049AEAA 50           push eax
:0049AEAB B985310000   mov ecx, 00003185
:0049AEB0 BAD8030000   mov edx, 000003D8
:0049AEB5 8B45F4       mov eax, dword ptr [ebp-0C]
:0049AEB8 E847FBFFFF   call 0049AA04
:0049AEBD 8B55EC       mov edx, dword ptr [ebp-14]
:0049AEC0 8D45F4       lea eax, dword ptr [ebp-0C]
:0049AEC3 E8148DF6FF   call 00403BDC
:0049AEC8 8D55E8       lea edx, dword ptr [ebp-18]
:0049AECB 8B45F4       mov eax, dword ptr [ebp-0C]
:0049AECE E8C1F9FFFF   call 0049A894
:0049AED3 8B45E8       mov eax, dword ptr [ebp-18]
:0049AED6 8B55F0       mov edx, dword ptr [ebp-10]
:0049AED9 E8F68FF6FF   call 00403ED4
:0049AEDE 750C         jne 0049AEEC        …… don't misread this, it's not this one! This one must not be NOPed out, or there is nothing left to play with
:0049AEE0 A1F0CA4A00   mov eax, dword ptr [004ACAF0]
:0049AEE5 8B00         mov eax, dword ptr [eax]
:0049AEE7 E85CFEFAFF   call 0044AD48

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AEDE(C)
|
:0049AEEC 68368C0000   push 00008C36
:0049AEF1 8D45E4       lea eax, dword ptr [ebp-1C]
:0049AEF4 50           push eax
:0049AEF5 B985310000   mov ecx, 00003185
:0049AEFA BAD8030000   mov edx, 000003D8
:0049AEFF 8B45F0       mov eax, dword ptr [ebp-10]
:0049AF02 E8EDF8FFFF   call 0049A7F4
:0049AF07 8B55E4       mov edx, dword ptr [ebp-1C]
:0049AF0A 8D45F0       lea eax, dword ptr [ebp-10]
:0049AF0D E8CA8CF6FF   call 00403BDC
:0049AF12 8B45F4       mov eax, dword ptr [ebp-0C]
:0049AF15 8B55F0       mov edx, dword ptr [ebp-10]
:0049AF18 E8B78FF6FF   call 00403ED4
:0049AF1D 7504         jne 0049AF23        …… this jumps to the same place as the 40-character check above, so needless to say it is the registration-failure location
:0049AF1F C645FF01     mov [ebp-01], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0049AE29(C), :0049AE8C(C), :0049AE9C(C), :0049AF1D(C)
|
:0049AF23 33C0         xor eax, eax
:0049AF25 5A           pop edx
:0049AF26 59           pop ecx
:0049AF27 59           pop ecx
:0049AF28 648910       mov dword ptr fs:[eax], edx
:0049AF2B 6840AF4900   push 0049AF40

Identical; I didn't even have to change my annotations! Again with UltraEdit, change the two jumps 0F8591000000 and 7504 to 9090, and once more any username registers successfully!

Now for HexEdit0.20. The same method finds the following code:

* Possible StringData Ref from Code Obj ->"regcode"
|
:0045F1B8 BAECF24500   mov edx, 0045F2EC
:0045F1BD 8B45F8       mov eax, dword ptr [ebp-08]
:0045F1C0 E80FF6FFFF   call 0045E7D4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F1B3(C)
|
:0045F1C5 8B45F0       mov eax, dword ptr [ebp-10]
:0045F1C8 E80F4BFAFF   call 00403CDC
:0045F1CD 83F828       cmp eax, 00000028
:0045F1D0 0F8591000000 jne 0045F267
:0045F1D6 8B45F4       mov eax, dword ptr [ebp-0C]
:0045F1D9 E8FE4AFAFF   call 00403CDC
:0045F1DE 85C0         test eax, eax
:0045F1E0 0F8E81000000 jle 0045F267
:0045F1E6 68358C0000   push 00008C35
:0045F1EB 8D45EC       lea eax, dword ptr [ebp-14]
:0045F1EE 50           push eax
:0045F1EF B984310000   mov ecx, 00003184
:0045F1F4 BAD7030000   mov edx, 000003D7
:0045F1F9 8B45F4       mov eax, dword ptr [ebp-0C]
:0045F1FC E823FCFFFF   call 0045EE24
:0045F201 8B55EC       mov edx, dword ptr [ebp-14]
:0045F204 8D45F4       lea eax, dword ptr [ebp-0C]
:0045F207 E8E848FAFF   call 00403AF4
:0045F20C 8D55E8       lea edx, dword ptr [ebp-18]
:0045F20F 8B45F4       mov eax, dword ptr [ebp-0C]
:0045F212 E89DFAFFFF   call 0045ECB4
:0045F217 8B45E8       mov eax, dword ptr [ebp-18]
:0045F21A 8B55F0       mov edx, dword ptr [ebp-10]
:0045F21D E8CA4BFAFF   call 00403DEC
:0045F222 750C         jne 0045F230
:0045F224 A1DC774800   mov eax, dword ptr [004877DC]
:0045F229 8B00         mov eax, dword ptr [eax]
:0045F22B E8A8CFFEFF   call 0044C1D8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F222(C)
|
:0045F230 68358C0000   push 00008C35
:0045F235 8D45E4       lea eax, dword ptr [ebp-1C]
:0045F238 50           push eax
:0045F239 B984310000   mov ecx, 00003184
:0045F23E BAD7030000   mov edx, 000003D7
:0045F243 8B45F0       mov eax, dword ptr [ebp-10]
:0045F246 E8C9F9FFFF   call 0045EC14
:0045F24B 8B55E4       mov edx, dword ptr [ebp-1C]
:0045F24E 8D45F0       lea eax, dword ptr [ebp-10]
:0045F251 E89E48FAFF   call 00403AF4
:0045F256 8B45F4       mov eax, dword ptr [ebp-0C]
:0045F259 8B55F0       mov edx, dword ptr [ebp-10]
:0045F25C E88B4BFAFF   call 00403DEC
:0045F261 7504         jne 0045F267
:0045F263 C645FF01     mov [ebp-01], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045F16D(C), :0045F1D0(C), :0045F1E0(C), :0045F261(C)
|
:0045F267 33C0         xor eax, eax
:0045F269 5A           pop edx
:0045F26A 59           pop ecx
:0045F26B 59           pop ecx
:0045F26C 648910       mov dword ptr fs:[eax], edx
:0045F26F 6884F24500   push 0045F284

Now you know what to change, right?

The last one is freeRes0.94. It is modified the same way, except that after unpacking with TRW it won't run, so even a modified file would have no effect! Luckily I have KeyMake1.6, and a memory patch made with it does the job. Open KeyMake and press F6; the "Make memory patch" window appears. Fill in the program name freeRes.exe, then in the memory data section click the "Add" button; the "Add data" window appears. For the patch address enter 4BBCBC; patch length: 6; original bytes: 0F8591000000; patched bytes: 909090909090. Click "Add" again and enter patch address 4BBD4D; patch length: 2; original bytes: 7504; patched bytes: 9090. Save and exit, copy it into the same directory as freeRes.exe and run it, enter any username, and it registers successfully once again!

All done! leeyam
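Added example, not part of leeyam's post and not any of the ResTools programs' own code: a small Python check, written from the software vendor's side, that diffs a running or on-disk image against a trusted reference copy and flags exactly the kind of edit described above, a conditional jump overwritten with 90 90 NOPs. The sample buffers are constructed from the ResScope listing around 004B9B63; the names `find_nopped_jumps` and `classify_jcc` are this example's own.

```python
"""Added example (not from the post): diff a binary image against a trusted
reference and flag conditional jumps that were overwritten with NOPs."""
from typing import List, Optional, Tuple

NOP = 0x90
# Low nibble of an x86 Jcc opcode -> mnemonic (short form 7N, near form 0F 8N).
JCC = {0x0: "jo", 0x1: "jno", 0x2: "jb", 0x3: "jae", 0x4: "je", 0x5: "jne",
       0x6: "jbe", 0x7: "ja", 0x8: "js", 0x9: "jns", 0xA: "jp", 0xB: "jnp",
       0xC: "jl", 0xD: "jge", 0xE: "jle", 0xF: "jg"}
Finding = Tuple[int, bytes, str]  # (virtual address, original bytes, mnemonic)


def classify_jcc(chunk: bytes) -> Optional[str]:
    """Return the mnemonic if `chunk` is exactly one x86 conditional jump."""
    if len(chunk) == 2 and 0x70 <= chunk[0] <= 0x7F:
        return JCC[chunk[0] & 0xF] + " rel8"
    if len(chunk) == 6 and chunk[0] == 0x0F and 0x80 <= chunk[1] <= 0x8F:
        return JCC[chunk[1] & 0xF] + " rel32"
    return None


def find_nopped_jumps(reference: bytes, image: bytes, base: int) -> List[Finding]:
    """At each byte where image differs from reference, test whether the
    reference holds a near (6-byte) or short (2-byte) Jcc there and the image
    holds only NOPs across that span. Other differences are skipped."""
    if len(reference) != len(image):
        raise ValueError("image size differs from reference; refusing to compare")
    findings, i = [], 0
    while i < len(reference):
        if reference[i] == image[i]:
            i += 1
            continue
        for width in (6, 2):  # near Jcc (0F 8N rel32) or short Jcc (7N rel8)
            orig, new = reference[i:i + width], image[i:i + width]
            mnemonic = classify_jcc(orig)
            if mnemonic and len(new) == width and all(b == NOP for b in new):
                findings.append((base + i, orig, mnemonic))
                i += width
                break
        else:
            i += 1  # unrelated difference: neither hides nor fakes a hit
    return findings


# Constructed sample: the bytes from the ResScope listing starting at 004B9B63,
# once as the trusted reference and once after the 75 38 -> 90 90 edit.
REF = bytes.fromhex("83F828" "7538" "8B45F4" "E870A3F4FF" "85C0" "7E2C")
PATCHED = bytes.fromhex("83F828" "9090" "8B45F4" "E870A3F4FF" "85C0" "7E2C")
BASE = 0x004B9B63
```

In a real product the reference would be a hash or a copy of the code section taken at build time, and the check would run against the loaded image so that an in-memory patcher of the kind described for freeRes is caught as well as an edited file.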