Explore http://programhunter.home.china.com
[Magazine mission] Sharing knowledge, sharing materials, sharing resources
[Produced by] Program Hunter
[Release date] 2000-8-12
[Issue number] Issue 7
[Website] http://programhunter.home.china.com

[Editor's note]

    
    {~._.~} 
     ( Y )  
    ()~*~() 
    (_)-(_) 

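With today's issue I want to tell everyone two things. The first you will certainly have noticed: starting today the magazine has a new look. According to readers' messages, comments and suggestions, a black background is not suited to long periods of reading and study, so from this issue on the magazine is produced with the current background color. As for the second: my website has exchanged friendly links with the Kanxue website, and also with the wind security site. I will introduce the Kanxue website in this issue's website column and the wind security website in the next issue. Do you remember the method of cracking Custom StartUp 1.01 presented in issue 6? This time you will see the cracking process for Screen Taker V2.31, which was mentioned there. The two are in fact products of the same company. If you want to test your own cracking skill, you might try these two programs.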

[Contents]
* Cracking notes
1 ...... Screen Taker V2.31  Program Hunter
2 ...... How to crack ZanNet 1.0 Build 8121  dREAMtHEATER
3 ...... How to crack AtomTime v2.1a by BuLLeT  BuLLeT
* Beginners' corner
* Questions and answers
* Website introduction
* Magazine mailbox
[Cracking notes]
         Screen Taker V2.31
                  Program Hunter
Overview: a rather good screen capture program; unfortunately I have never actually used it.

Trace: first name: dahuilang
       second name: jhw
       RN: 0000-12345678
   This program is the subject of my second article. Issue 6 of the magazine covered how to crack Custom StartUp 1.01, and today I present the cracking process for this one. In fact I cracked this program first and Custom StartUp 1.01 afterwards.
   Now to the cracking itself. The registration code computation in this program is fairly complicated: it performs one XOR and one OR operation to produce a number, then uses that number in a comparison, and registration succeeds only if the condition is met. Let us see how it works.

:00446485 8B049D2CB44400          mov eax, dword ptr [4*ebx+0044B42C]  <-xw33
:0044648C 8B55FC                  mov edx, dword ptr [ebp-04]          <-0000
:0044648F E8D4D6FBFF              call 00403B68
:00446494 75E9                    jne 0044647F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00446483(C)
|
:00446496 83FB02                  cmp ebx, 00000002
:00446499 7E04                    jle 0044649F
:0044649B 33DB                    xor ebx, ebx
:0044649D EB73                    jmp 00446512
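  Here the program compares the first four characters of the registration code. These four characters are stored in plain text and there are two accepted values; we may match either one, and here I use xw33. One more remark: later code uses this value in a computation, namely the XOR operation mentioned above, which we will come to later.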
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00446499(C)
|
:0044649F 33C0                    xor eax, eax
:004464A1 55                      push ebp
:004464A2 68CF644400              push 004464CF
:004464A7 64FF30                  push dword ptr fs:[eax]
:004464AA 648920                  mov dword ptr fs:[eax], esp
:004464AD 8D4DF4                  lea ecx, dword ptr [ebp-0C]
:004464B0 8B55F8                  mov edx, dword ptr [ebp-08]
:004464B3 8B45FC                  mov eax, dword ptr [ebp-04]
:004464B6 E849FAFFFF              call 00445F04
:004464BB 8B45F4                  mov eax, dword ptr [ebp-0C]
:004464BE E86108FCFF              call 00406D24    <- fails here; step into
:004464C3 8BD8                    mov ebx, eax
:004464C5 33C0                    xor eax, eax
:004464C7 5A                      pop edx
:004464C8 59                      pop ecx
:004464C9 59                      pop ecx
:004464CA 648910                  mov dword ptr fs:[eax], edx
:004464CD EB13                    jmp 004464E2
:004464CF E9B0CBFBFF              jmp 00403084
:004464D4 33DB                    xor ebx, ebx
:004464D6 E84DCEFBFF              call 00403328
:004464DB EB35                    jmp 00446512
:004464DD E846CEFBFF              call 00403328

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004464CD(U)
|
:004464E2 8BC3                    mov eax, ebx
:004464E4 B943000000              mov ecx, 00000043
:004464E9 99                      cdq
:004464EA F7F9                    idiv ecx
:004464EC 8BC8                    mov ecx, eax
:004464EE 83F901                  cmp ecx, 00000001
:004464F1 7C08                    jl 004464FB
:004464F3 81F9E8030000            cmp ecx, 000003E8
:004464F9 7E04                    jle 004464FF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004464F1(C)
|
:004464FB 33DB                    xor ebx, ebx
:004464FD EB13                    jmp 00446512

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004464F9(C)
|
:004464FF 8BC3                    mov eax, ebx
:00446501 B943000000              mov ecx, 00000043
:00446506 99                      cdq
:00446507 F7F9                    idiv ecx
:00446509 4A                      dec edx
:0044650A 7404                    je 00446510
:0044650C 33DB                    xor ebx, ebx
:0044650E EB02                    jmp 00446512

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044650A(C)
|
:00446510 B301                    mov bl, 01  ***
  The code from 0044649F to 00446510 is the program's main comparison. The call I marked above is where it fails. Since I have already cracked this program, I can of course present it systematically. We will have to step into that failing call later, but first let us see how registration can succeed, because that tells us what the later computation has to achieve. Look at the line marked ***: it sets bl=1, whereas on failure bl=0. So for registration to succeed, execution must reach this line, which means we must avoid the failure paths. We already know one of them from the plain-text comparison earlier, shown below.

:0044649B 33DB                    xor ebx, ebx
:0044649D EB73                    jmp 00446512
  This sets bl=0 and jumps to 00446512. A small tip for beginners: when you see a jump to the failure location like this one, remember the address of that location; every place that can jump to that address is a place we must avoid. Now look further up for the places that can jump to the failure location.
  There are two such places above, so we must avoid both. Let us analyse how. Take the first one: what can we conclude there? The program computes eax/43(H), and the remainder obtained must be greater than 0 and less than 3E8(H); only then does it not jump to the failure location. I do not know whether you follow this; if not, do not blame me, you need to study assembly language. Some will ask where that eax comes from. Leave that for now; once we understand how to avoid the failure locations, the rest will fall into place. Now the second place. Here it again computes eax/43 and takes the remainder edx; edx-1 must equal 0 for it to jump to the line that sets bl=1. In other words, the remainder of eax/43 must be 1 to satisfy the program. We have now studied every failure location, and our task is to deal with the failing call. Let us step into it and start working on it.
As follows:
:00406D41 8D55FC                  lea edx, dword ptr [ebp-04]
:00406D44 8BC3                    mov eax, ebx
:00406D46 E80DBDFFFF              call 00402A58  ***
:00406D4B 8BF0                    mov esi, eax
:00406D4D 837DFC00                cmp dword ptr [ebp-04], 00000000
:00406D51 7423                    je 00406D76
:00406D53 8D55F8                  lea edx, dword ptr [ebp-08]
:00406D56 B85C674000              mov eax, 0040675C
:00406D5B E878DAFFFF              call 004047D8
:00406D60 8B45F8                  mov eax, dword ptr [ebp-08]
   The line marked *** is a key point, so we need to step into that call as well.


:00402A88 80EB30                  sub bl, 30
:00402A8B 80FB09                  cmp bl, 09
:00402A8E 772A                    ja 00402ABA
:00402A90 39F8                    cmp eax, edi
:00402A92 7726                    ja 00402ABA
:00402A94 8D0480                  lea eax, dword ptr [eax+4*eax]
:00402A97 01C0                    add eax, eax
:00402A99 01D8                    add eax, ebx
:00402A9B 8A1E                    mov bl, byte ptr [esi]
:00402A9D 46                      inc esi
:00402A9E 84DB                    test bl, bl
:00402AA0 75E6                    jne 00402A88
:00402AA2 FECD                    dec ch
:00402AA4 7410                    je 00402AB6
:00402AA6 85C0                    test eax, eax
:00402AA8 7C10                    jl 00402ABA

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402AB8(C), :00402AFD(U)
|
:00402AAA 59                      pop ecx
:00402AAB 31F6                    xor esi, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402ABD(U)
|
:00402AAD 8932                    mov dword ptr [edx], esi
:00402AAF 5F                      pop edi
:00402AB0 5E                      pop esi
:00402AB1 5B                      pop ebx
:00402AB2 C3                      ret
  After stepping into the call we arrive here. Notice that the code above computes the eax we studied earlier. Here we can see that bl must meet a requirement: its value must be between 30(H) and 39(H), that is, a digit, and the routine above converts digit characters into a number used in the computation. In other words, it turns the string 12345 into the number 12345; I think I need not explain the difference. Note also that the converted number is decimal.
  Now we know how it proceeds. The key to our study is how that bl value is obtained; indeed, this is the key to the program's registration. How do we get the bl value after it has been computed?
  It is time to hunt down that bl value. By tracing I found that call 00445F04 in the main routine is the first stage of the bl computation. Let us step into the call and see how it calculates.

As follows:
:00445F6B BE01000000              mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445FAE(C)
|
:00445F70 8BC6                    mov eax, esi
:00445F72 03C0                    add eax, eax
:00445F74 8B55F8                  mov edx, dword ptr [ebp-08]
:00445F77 8A4402FE                mov al, byte ptr [edx+eax-02] value at the odd position
:00445F7B E870FFFFFF              call 00445EF0
:00445F80 8BD8                    mov ebx, eax
:00445F82 C1E302                  shl ebx, 02
:00445F85 8BC6                    mov eax, esi
:00445F87 03C0                    add eax, eax
:00445F89 8B55F8                  mov edx, dword ptr [ebp-08]
:00445F8C 8A4402FF                mov al, byte ptr [edx+eax-01] value at the adjacent even position
:00445F90 E85BFFFFFF              call 00445EF0
:00445F95 0AD8                    or bl, al
:00445F97 8D45E0                  lea eax, dword ptr [ebp-20]
:00445F9A 8BD3                    mov edx, ebx
:00445F9C E8DFD9FBFF              call 00403980
:00445FA1 8B55E0                  mov edx, dword ptr [ebp-20]
:00445FA4 8D45E8                  lea eax, dword ptr [ebp-18]
:00445FA7 E8B4DAFBFF              call 00403A60
:00445FAC 46                      inc esi
:00445FAD 4F                      dec edi
:00445FAE 75C0                    jne 00445F70
  The code above starts using the last 10 characters we entered. The program first takes the value at an odd position, for example the 1 at position 1, passes it to call 00445EF0 to compute a value, and multiplies that by 4 to get bl. It then takes the value at the adjacent even position (meaning the even position following the odd one), here the 2, passes it to the same call to compute a second value in al, and bl OR al gives a computed value. This is not yet the bl value discussed above; one more operation follows below. As for how the call computes its value, refer to appendix table 1 that I provide below: call 00445EF0 simply looks up the position value of the entered character in appendix table 1. For example, the 2 I entered has the value 36 in the table, so al=36 on return from the call. You should now understand how it processes the values we entered. We cannot do anything yet, because one more place below is waiting to be analysed.

As follows:
:00445FBF BE01000000              mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445FF1(C)
|
:00445FC4 8B45E8                  mov eax, dword ptr [ebp-18]
:00445FC7 8A5C30FF                mov bl, byte ptr [eax+esi-01] bl value obtained earlier
:00445FCB 8BC6                    mov eax, esi
:00445FCD 99                      cdq
:00445FCE F77DEC                  idiv [ebp-14]
:00445FD1 8B45FC                  mov eax, dword ptr [ebp-04]
:00445FD4 8A4410FF                mov al, byte ptr [eax+edx-01] <-78 77 33 00 78
:00445FD8 32D8                    xor bl, al
:00445FDA 8D45E0                  lea eax, dword ptr [ebp-20]
:00445FDD 8BD3                    mov edx, ebx
:00445FDF E89CD9FBFF              call 00403980
:00445FE4 8B55E0                  mov edx, dword ptr [ebp-20]
:00445FE7 8D45E4                  lea eax, dword ptr [ebp-1C]
:00445FEA E871DAFBFF              call 00403A60
:00445FEF 46                      inc esi
:00445FF0 4F                      dec edi
:00445FF1 75D1                    jne 00445FC4
  The code above is the program's second computation; the values produced here are the ones that get converted from a string into a number. How does it calculate? I have marked the required data above. It takes the bl values obtained in the first stage (5 values in all) and XORs them with the 5 values shown above; the resulting bl values are the ones we want.
  We now understand the whole registration process, and the question is how to obtain a registration code by calculation. This is where the conditions for avoiding the failure locations apply. The program requires that the computed value divided by 43(H) leave remainder 1. Which values satisfy this? I used the simplest one: since 43(H)=67(D), computing 68 satisfies the condition. With a definite target value, carrying out the XOR operation becomes much simpler.
  After the XOR we should get the 5 values 0 0 0 6 8, and then registration succeeds. We work backwards to compute the first value:
  bl XOR 78 =30
  By calculation this bl value should equal 48, and this 48 is obtained by multiplying the position value of character 1 by 4 and then OR-ing it with the position value of character 2. Now for how to obtain these two values. Since a OR b =48, and OR is used, checking the OR table I found only 0 OR 4 =4 and 4 OR 4=4 (referring specifically to the 4 digit). Since a and b are both position values from the appendix table, none of them can have 4 as the leading digit, so here only those with leading digit 0 or 1 satisfy the condition (because of bl*4). Now let character 1 be Q; what should character 2 be? I will not explain how to calculate it, since it is fairly simple. The value that satisfies the condition is I, which gives us the first two characters of the registration code. Continuing in the same way yields the registration code for this program.
  That is the end of this lesson. I do not know whether everyone followed it; if not, you can write to me. Goodbye!!!

Appendix table 1:
  Index: 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  10 11 12 13 14 15
  Char:  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V
  Index: 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C
  Char:  W  X  Y  Z  a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s
  Index: 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D
  Char:  t  u  v  w  x  y  z  0  1  2  3  4  5  6  7  8  9

                     *********************************
                     *  First name: dahuilang        *
                     *  Second name:jhw              *
                     *  RN: xw33-QIQHADNyQA          *
                     *********************************
                       Tutor 5 How to crack ZanNet 1.0  Build 8121

Author: dREAMtHEATER
E-mail: dreamtheater@263.net
Date written: 30th, July 1999

Software background

Platform: Win9X
File name: zannetr1.zip
Program type: Server/Client management
Download location: www.zannet.com
File size: 383KB

Tools used

SoftIce V3.25--Win9X Debugger
W32Dasm V8.93--Win9X Disassembler
Hex WorkShop v2.54--Hex Editor
RegSnap V2.51--Registry Tracer

Difficulty

Easy(x)  Medium( )  Hard( )  Pro( )

                   ----------=======Statement========----------

      Without the author's consent this text may not be modified or quoted; all rights reserved.
      This tutorial is for teaching purposes only; all other uses are prohibited.

                  ----------=======About the software========----------

     ZanNet is a Windows 95 or 98 network client and Unix server that provide you with
a Windows 95/98 network drive to access your server files. The product includes network
provider and redirector for Windows 95/98 in addition to a Unix server. The server 
portion ships with both POSIX compliant source code and binary support for select Unix 
platforms. ZanNet is intended to replace both File Transfer Protocol (FTP) and Telnet 
programs currently used to access web page and other files through an Internet Service
Provider (ISP).

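                ----------=======The software's protection mechanism========-------

       There is a thirty-day trial period. While unregistered, a nag screen appears at startup telling you how many days you have used. The installation time is stored in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Oem5A\US
       To register you only need to enter a Reg Code, but it is not a hard code; this is explained in detail later. After registration, the registration information is stored in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ZanNet\NetworkProvider\GlobalSettings\RegistrationKey

                    ----------=======Main text========----------
 
Part1   The simplest registration code calculation

       In SoftIce set the breakpoint bpx getdlgitemtexta do "p ret;", press Ctrl-D to return to the registration window, press the "Apply" button, and once back in SoftIce enter "bc *"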

* Reference To: USER32.GetDlgItemTextA, Ord:00EDh
                                  |
:10007568 FF1560E60110            Call dword ptr [1001E660]
:1000756E 688CC40110              push 1001C48C   <== execution returns here
:10007573 E8D85D0000              call 1000D350   <== computes the registration code
:10007578 83C404                  add esp, 00000004
:1000757B 85C0                    test eax, eax
:1000757D 7513                    jne 10007592    <== if EAX=1,then jump 10007592
:1000757F 6A10                    push 00000010

* Possible StringData Ref from Data Obj ->"ZanNet Error"
                                  |
:10007581 6890920110              push 10019290

* Possible StringData Ref from Data Obj ->"Your registration is not valid"
                                  |
:10007586 68749E0110              push 10019E74

       Let us trace into 1000D350

* Referenced by a CALL at Addresses:
|:10007573   , :10007B1F   
|
:1000D350 8B542404                mov edx, dword ptr [esp+04]   <== edx points to the entered code
:1000D354 57                      push edi
:1000D355 8BFA                    mov edi, edx    <== edi also points to the entered code
:1000D357 B9FFFFFFFF              mov ecx, FFFFFFFF   <== ecx is the loop counter
:1000D35C 2BC0                    sub eax, eax   <== eax=0
:1000D35E F2                      repnz
:1000D35F AE                      scasb
:1000D360 F7D1                    not ecx
:1000D362 49                      dec ecx   <== the steps above compute the length of the entered code
:1000D363 83F910                  cmp ecx, 00000010   <== compare ecx with 0x10 (decimal 16): you must enter 16 characters
:1000D366 7404                    je 1000D36C    <== if equal to 16, jump to 1000D36C
:1000D368 33C0                    xor eax, eax
:1000D36A 5F                      pop edi
:1000D36B C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D366(C)
|
:1000D36C 803A5A                  cmp byte ptr [edx], 5A  <== take the 1st character of the entered code and compare it with 0x5A, ASCII "Z"
:1000D36F 7404                    je 1000D375   <== if equal, jump to 1000D375
:1000D371 33C0                    xor eax, eax
:1000D373 5F                      pop edi
:1000D374 C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D36F(C)
|
:1000D375 807A014E                cmp byte ptr [edx+01], 4E   <== take the 2nd character of the entered code and compare it with 0x4E, ASCII "N"
:1000D379 7404                    je 1000D37F   <== if equal, jump to 1000D37F
:1000D37B 33C0                    xor eax, eax
:1000D37D 5F                      pop edi
:1000D37E C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D379(C)
|
:1000D37F 807A0231                cmp byte ptr [edx+02], 31   <== take the 3rd character of the entered code and compare it with 0x31, ASCII "1"
:1000D383 7404                    je 1000D389  <== if equal, jump to 1000D389
:1000D385 33C0                    xor eax, eax
:1000D387 5F                      pop edi
:1000D388 C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D383(C)
|
:1000D389 807A0330                cmp byte ptr [edx+03], 30  <== take the 4th character of the entered code and compare it with 0x30, ASCII "0"
:1000D38D 7404                    je 1000D393   <== if equal, jump to 1000D393
:1000D38F 33C0                    xor eax, eax
:1000D391 5F                      pop edi
:1000D392 C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D38D(C)
|
:1000D393 807A0441                cmp byte ptr [edx+04], 41  <== take the 5th character of the entered code and compare it with 0x41, ASCII "A"
:1000D397 7404                    je 1000D39D   <== if equal, jump to 1000D39D
:1000D399 33C0                    xor eax, eax
:1000D39B 5F                      pop edi
:1000D39C C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D397(C)
|
:1000D39D 807A052D                cmp byte ptr [edx+05], 2D   <== take the 6th character of the entered code and compare it with 0x2D, ASCII "-"
:1000D3A1 7404                    je 1000D3A7   <== if equal, jump to 1000D3A7
:1000D3A3 33C0                    xor eax, eax
:1000D3A5 5F                      pop edi
:1000D3A6 C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D3A1(C)
|
:1000D3A7 807A0639                cmp byte ptr [edx+06], 39   <== take the 7th character of the entered code and compare it with 0x39, ASCII "9"
:1000D3AB 7404                    je 1000D3B1   <== if equal, jump to 1000D3B1
:1000D3AD 33C0                    xor eax, eax
:1000D3AF 5F                      pop edi
:1000D3B0 C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D3AB(C)
|
:1000D3B1 807A0730                cmp byte ptr [edx+07], 30  <== take the 8th character of the entered code and compare it with 0x30, ASCII "0"
:1000D3B5 7404                    je 1000D3BB    <== if equal, jump to 1000D3BB
:1000D3B7 33C0                    xor eax, eax
:1000D3B9 5F                      pop edi
:1000D3BA C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D3B5(C)
|
:1000D3BB 807A0837                cmp byte ptr [edx+08], 37  <== take the 9th character of the entered code and compare it with 0x37, ASCII "7"
:1000D3BF 7404                    je 1000D3C5     <== if equal, jump to 1000D3C5
:1000D3C1 33C0                    xor eax, eax
:1000D3C3 5F                      pop edi
:1000D3C4 C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D3BF(C)
|
:1000D3C5 8A4209                  mov al, byte ptr [edx+09]  <== take the 10th character of the entered code and load it into register AL
:1000D3C8 5F                      pop edi
:1000D3C9 2C39                    sub al, 39   <== AL-0x39 --> AL
:1000D3CB 3C01                    cmp al, 01   <== compare AL with 0x01
:1000D3CD 1BC0                    sbb eax, eax <== subtract eax from itself with borrow
:1000D3CF F7D8                    neg eax      <== negate eax (two's complement)
:1000D3D1 C3                      ret

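        Did you follow the analysis above? This is the simplest kind of registration code calculation: the first nine characters of the registration code are "ZN10A-907", and the tenth must be "9" for the Call to return eax=1. The last six characters can be anything, so the registration code has the form "ZN10A-9079xxxxxx".
 
Part2  
      
      The protection code lives in the file zannp32.dll; disassemble it in W32Dasm.

Clues

      In W32Dasm's Dialog Information you will find that the nag screen window is a Dialog.
      Every dialog has its own unique ID number, and every dialog carries a number of controls (Control) that belong to different classes (Class), for example "BUTTON", "STATIC" and so on.
      In this case the nag screen's ID is 0x008F, it has 14 Controls, and the dialog's caption is "ZanNet"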
Name: DialogID_008F, # of Controls=014, Caption:"ZanNet", ClassName:""
     001 - ControlID:0001, Control Class:"BUTTON" Control Text:"I Agree..." 
     002 - ControlID:0002, Control Class:"BUTTON" Control Text:"Quit" 
     003 - ControlID:FFFF, Control Class:"STATIC" Control Text:"ZanNet Version 1.0" 
     004 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Copyright ?1996-1998 by Zan Software" 
     005 - ControlID:FFFF, Control Class:"STATIC" Control Text:"11224 83rd Place NE, Kirkland, WA 98034" 
     006 - ControlID:FFFF, Control Class:"STATIC" Control Text:"This is a fully functional unregistered version for evaluation only. You can r" 
     007 - ControlID:FFFF, Control Class:"BUTTON" Control Text:"Agreement" 
     008 - ControlID:FFFF, Control Class:"STATIC" Control Text:"I understand that I may use the unregistered version of ZanNet for evaluation " 
     009 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Days Using ZanNet:" 
     010 - ControlID:043F, Control Class:"STATIC" Control Text:"" 
     011 - ControlID:0440, Control Class:"STATIC" Control Text:"" 
     012 - ControlID:0414, Control Class:"BUTTON" Control Text:"Remove ZanNet" 
     013 - ControlID:0441, Control Class:"BUTTON" Control Text:"Order Now..." 
     014 - ControlID:FFFF, Control Class:"BUTTON" Control Text:"Zan Software: http://www.zannet.com" 

      In W32Dasm, search for "ID_008F". You will find many hits; which one do we need? Some look like this:
      * Possible Reference to Dialog: DialogID_008F, CONTROL_ID:0441, "Order Now..."
This indicates that the code below it deals with a particular control on this dialog, whereas
      * Possible Reference to Dialog: DialogID_008F
indicates that the code below it deals with the dialog window itself. Normally this appears only once in the whole program, but that is not absolute.
      In this case I found only one matching piece of code

:10007B18 7416                    je 10007B30     <== no registration info in the registry: jump straight to 10007B30
:10007B1A 688CC40110              push 1001C48C
:10007B1F E82C580000              call 1000D350   <== verify the Reg Code
:10007B24 83C404                  add esp, 00000004
:10007B27 85C0                    test eax, eax
:10007B29 7405                    je 10007B30     <== Reg Code is wrong: jump to 10007B30
:10007B2B BB01000000              mov ebx, 00000001  <== otherwise, ebx=1

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10007B18(C), :10007B29(C)
|
:10007B30 85DB                    test ebx, ebx
:10007B32 7528                    jne 10007B5C     <== if already registered, then jump to 10007B5C
:10007B34 6A00                    push 00000000
:10007B36 6880780010              push 10007880
:10007B3B 6A00                    push 00000000

* Possible Reference to Dialog: DialogID_008F      <==nag screen
                                  |
:10007B3D 688F000000              push 0000008F
      
       Just change the jne at 10007B32 to jmp, never show nagscreen, kool!

                   ----------=======The Patch========----------

       In the file zannp32.dll at offset:0x00006F32, change 7528 to EB28

PART 1: How to crack AtomTime v2.1a by BuLLeT
        http://www.atomtime.com
 
This program is capable of getting the time from all parts of the world and
save it somewhere ;)
 
Let's crack.
 
1) Run the program and...BAAHH..an ugly NAG pops up. Skip it and go to the
   REGISTER section of the program. Enter your NAME and a random SERIAL.
   Nah..doesn't work. You get this message right in your face:
   "License data is invalid..either the data was not entered correctly...."
   NOTE IT !
 
2) Disassemble ATOMTIME.EXE using W32Dasm and go to the SDR (=String Data
   Reference) section. Find the message and double-click it. Minimize the
   SDR window and you should be about here:
 
	* Referenced by a (U)nconditional or (C)onditional Jump at Address:
	|:0040654F(C)
	|
	:004065DD 6A00                    push 00000000
	:004065DF 6A00                    push 00000000
	
	* Possible StringData Ref from Data Obj ->"License data is invalid...
	|
	:004065E1 68C5434300              push 004343C5
	:004065E6 E8FD2B0200              call 004291E8
 
   Referenced by a call at address: 0040654F. Let's check it out. Scroll up
   until you see this:
 
	:00406548 E881400000              call 0040A5CE
	:0040654D 85C0                    test eax, eax
	:0040654F 0F8488000000            je 004065DD
 
   Hmmz..a CALL followed by a TEST and a JE. Maybe we should change that.
   Make sure the green bar is on top of the JE-line and NOTE the offset at
   the bottom of the screen. 
   (Offset: 0000514F)
 
3) But this is not all. When you ran the program you noticed that there is a
   * UNREGISTERED * in the title of the program. We might as well remove that
   as well. 
 
4) Restore the SDR window and locate the * UNREGISTERED * msg. Double-click it 
   and once again minimize the SDR window. Now you should see this:
 
	* Referenced by a (U)nconditional or (C)onditional Jump at Address:
	|:00405FEA(C)
	|
	:00405FFB 8D8BE0050000            lea ecx, dword ptr [ebx+000005E0]
	................ some un-important code....
	:00406038 E8924D0000              call 0040ADCF
	:0040603D 85C0                    test eax, eax
	:0040603F 7473                    je 004060B4
	
	* Possible StringData Ref from Data Obj ->" - *UNREGISTERED*"
	                                  |
	:00406041 68E83E4300              push 00433EE8
 
   Hmm..doesn't it look like that code we've already seen? Yes it does and it
   would therefore be obvious to patch the JE but not in this case. If you
   look a bit down you will see this:
 
* Possible StringData Ref from Data Obj ->"The temporary license is now %d.."
 
   So this means that both msgs are in the same call. So let's just make the
   program skip that call completely. Scroll up (about 4 lines) until you see:
 
	:00405FE3 E8B4120000              call 0040729C
	:00405FE8 85C0                    test eax, eax
	:00405FEA 750F                    jne 00405FFB
 
   Looks familiar? Yeah! So let's change that JNE to skip the call. Once again
   you place the green bar on top of the JNE-line and NOTE the offset.
   (Offset: 00004BEA)
 
5) Ok..this should pretty much cover the expiration-thing and part of the
   name/serial, but we still have one more byte to go. When you register, the
   program will save your info and compare it at startup. We need to remove
   that check to make the patch 100% successful. You will see this check when
   you patch the 3 places and run the program. You'll get this message:
   "License data is not valid"
 
6) So..restore the SDR window and double-click that msg too. Close the SDR
   window and you should be located about here:
 
      :0040495D E86C5C0000              call 0040A5CE
      :00404962 85C0                    test eax, eax
      :00404964 7518                    jne 0040497E
      :00404966 C7832C06000001000000    mov dword ptr [ebx+0000062C], 00000001
      :00404970 6A00                    push 00000000
      :00404972 6A00                    push 00000000
 
      * Possible StringData Ref from Data Obj ->"License data is not valid."
      |
      :00404974 689E354300              push 0043359E
      :00404979 E86A480200              call 004291E8
 
   Once again you see a familiar check, so it shouldn't be hard to figure out
   what to do. Place the green bar on the JNE-line and NOTE the offset.
   (Offset: 00003564)
 
7) Ok..now you have all three offsets so let's patch. Run HIEW ATOMTIME.EXE.
 
8) Press  TWICE to go to decode-mode.
 
9) Press F5 and enter the first offset.    		(Offset: 0000514F)
   (As you remember it didn't say 74 or 75 like it normally does. It said:
   0F84 which means that we need to change the 84 to 85 (74 to 75) and we need
   to add 1 to the offset to get to that place. So the new offset is now:
   00005150)
   - Press F5 and enter the NEW offset
   - Press F3 to edit, and enter 85
   - Press F9 to update the first byte
 
10) Press F5 and enter the second offset.  		(Offset: 00004BEA)
    - Press F3 to edit, and enter 74
    - Press F9 to update the second byte
 
11) Press F5 and enter the third (and last) offset.   	(Offset: 00003564)
    - Press F3 to edit, and enter 74
    - Press F9 to update the third byte
 
12) Press ESC a couple of times to quit HIEW, and you should now have a 100%
    working version of AtomTime.
 
Hope you enjoyed following another tut by me :)
 
All for now..Cya
 
------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------
 
Written by [BuLLeT-CiA'99]
E-Mail: BuL_LeT@hotmail.com
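
Both patching tutorials above come down to changing the opcode byte of one conditional jump (7528 to EB28 in zannp32.dll; 84 to 85 and 75 to 74 in ATOMTIME.EXE). The following is an added example, not part of the original tutorials, written from the vendor's or incident responder's side: it checks an image against a recorded hash and, on mismatch, labels each changed byte that inverts or neutralises a branch. The function names and the sample buffer are assumptions; the buffer is constructed from instruction encodings quoted in the listings.

```python
"""Triage single-byte branch patches by diffing a suspect image against a reference copy."""
import hashlib
import hmac

JMP_SHORT = 0xEB  # opcode of the unconditional short jump


def is_unmodified(data: bytes, expected_sha256: str) -> bool:
    """Primary check: the image must hash to the value recorded for the shipped build."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def classify(ref: bytes, off: int, new: int) -> str:
    """Label one changed byte.

    Byte-level heuristic only: without disassembly, a data byte that happens to
    fall in 0x70-0x7F is labelled as if it were an opcode.
    """
    old = ref[off]
    if 0x70 <= old <= 0x7F:                       # Jcc rel8 (74 = JE, 75 = JNE, ...)
        if new == old ^ 1:                        # low bit flips the condition
            return "short Jcc inverted"
        if new == JMP_SHORT:
            return "short Jcc made unconditional"
    if off > 0 and ref[off - 1] == 0x0F and 0x80 <= old <= 0x8F and new == old ^ 1:
        return "near Jcc inverted"                # two-byte form 0F 8x rel32
    return "other change"


def diff_patches(ref: bytes, suspect: bytes):
    """Return (offset, old byte, new byte, label) for every differing byte."""
    if len(ref) != len(suspect):
        raise ValueError("images differ in length; compare sections individually")
    return [
        (off, ref[off], suspect[off], classify(ref, off, suspect[off]))
        for off in range(len(ref))
        if ref[off] != suspect[off]
    ]


# Constructed sample: instruction encodings quoted in the listings, concatenated.
# Offsets are positions in this buffer, not file offsets of any real binary.
REF_SAMPLE = bytes.fromhex(
    "E881400000" "85C0" "0F8488000000"   # call / test eax,eax / je  (near form)
    "E8B4120000" "85C0" "750F"           # call / test eax,eax / jne (short form)
    "85DB" "7528"                        # test ebx,ebx / jne        (short form)
)
REF_SHA256 = hashlib.sha256(REF_SAMPLE).hexdigest()   # recorded at build time

_patched = bytearray(REF_SAMPLE)
_patched[8] = 0x85     # 0F 84 -> 0F 85
_patched[20] = 0x74    # 75 -> 74
_patched[24] = 0xEB    # 75 -> EB
SUSPECT_SAMPLE = bytes(_patched)


if __name__ == "__main__":
    if not is_unmodified(SUSPECT_SAMPLE, REF_SHA256):
        for off, old, new, label in diff_patches(REF_SAMPLE, SUSPECT_SAMPLE):
            print(f"offset {off:#06x}: {old:02X} -> {new:02X}  {label}")
```

The hash comparison is what detects tampering; the diff only explains it, and it needs a trusted reference copy of the same build.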
 
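[Beginners' corner]
                  Cracking tutorial 6
                         Program Hunter
  It is time for the beginners' corner again. This lesson is a question-and-answer session, prompted by something that happened to me. A colleague of mine has also started learning cracking. Yesterday he asked me several questions about it. To me these questions seem a little laughable, but for a beginner they may be exactly the problems that need solving. His questions were as follows: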

  1 ÖжÏÀ¹½ØÊÇ×öʲôÓô¦µÄ£¿
    ¶ÔÓÚÆƽâÀ´ËµÖжÏÀ¹½ØÊǹؼüµÄÇÐÈëµã£¬Ò²¾ÍÊÇʹÓÃÖжϲÅÄÜÈÃ×·×ÙÈí¼þ½øÈë³ÌÐòÖУ¬
ÎÒÃDzÅÄÜͨ¹ýÈí¼þÀ´¹Û²ì³ÌÐòµÄ×ßÏò£¬´Ó¶øÎÒÃDzÅÄܶÔÈí¼þµÄ×¢²á¹ý³ÌÓÐËùÁ˽⣬ÕâÑù²ÅÄÜ
¹»ÆƽâÈí¼þ¡£ËùÒÔ˵£¬ÆƽâÈí¼þµÄÖØÒªÒ»µã¾ÍÊÇÈçºÎÉèÖÃÒ»¸öºÃµÄÖжϣ¬ÈçºÎÉèÖÃÖжϴó¼Ò
¾ÍÒª×Ô¼ºÅ¬Á¦Ñ§Ï°ÁË¡£

  2 ÎÒÓÐSIµÄ˵Ã÷Ê飬ȴûÓÐTRWµÄ˵Ã÷Ê飬ÄãÓÐûÓУ¿
    ¶ÔÓÚÁ½ÕßµÄ˵Ã÷ÊéÀ´Ëµ£¬ËüÃǼ¸ºõ¿ÉÒÔ˵ÊÇÒ»ÑùµÄ£¬¶ÔÓÚÈçºÎÉèÖÃÖжϣ¬ÈçºÎÏÔʾ¼Ä´æ
Æ÷µÄÖµ£¬ÈçºÎ×·×ÙËüÃǶ¼ÊÇÒ»ÑùµÄ¡£µ«ÊÇTRWÓÐЩSIûÓеŦÄÜ¡£Õâ¾ÍÒª´ó¼Ò¿´Ò»¿´TRWµÄ˵
Ã÷ÊéÁË¡£SIʲôûÓÐÄØ£¿Í¨³£ÊÇÍÑ¿Ç·½Ãæ¡£SI±¾Éí²»¾ßÓÐÍѿǹ¦ÄÜ£¬¶øTRW±¾Éí¾ßÓÐÍѿǹ¦
ÄÜ¡£´ó¼ÒÒªÏëѧϰºÃÆƽ⣬¾ÍÒ»¶¨ÒªÏÈѧϰÈçºÎʹÓÃÆƽâÈí¼þ¡£

  3 ÖжϺóÎÒÒª×öʲô»òÊÇÄ¿µÄÊÇʲô£¿
    ÖжϺóÒª×öʲôÄØ£¿¶ÔÓÚ³õѧÆƽâµÄÈËÀ´Ëµ¿ÉÄÜ»¹ÓÐЩÒÉ»ó¡£ÎÒÔÚÕâÀïÏò´ó¼Ò½éÉÜÒ»ÏÂ
ÖжϺóµÄÖ÷ҪĿµÄ£º
    1£©²éÕÒµ½³ö´íµÄµØ·½
      Õâ¸öÊÇÆƽâÈí¼þµÄ»ù´¡£¬ÒòΪÆƽâµÄ¹ý³Ì¾ÍÊdzÌÐòÔËÐеĹý³Ì¡£¶ÔÓÚÆƽâÒ»°ãµÄÈí¼þ
À´Ëµ£¬Í¨³£¾ÍÊÇÏÈÕÒµ½³ö´íµÄµØ·½£¬ÄÇôÕÒµ½ºó×öʲôÄØ£¿
    2£©²éÕҺδ¦¿ÉÒÔÌøÔ¾»ò±Ü¿ª³ö´íµÄµØ·½
      Õâ¸öÄ¿µÄ¾ÍÊǵÚÒ»¸öÄ¿µÄµÄ½âÊÍ£¬Í¨³£²éÕÒµ½³ö´íµÄµØ·½ºó£¬·ÖÎö³ÌÐò×ßÏò£¬¿´Ò»¿´
ÔÚÄÄÀï¿ÉÒÔÌøÔ¾¹ýÕâ¸öµØ·½£¬´ó¼ÒÊÔÏëһϣ¬ÈçºÎ³ÌÐòÌøÔ¾¹ý³ö´íµÄµØ·½£¬Í¨³£¾ÍÊÇ×¢²á³É
¹¦µÄµØ·½ÁË¡£
    3£©ÕÒµ½¹Ø¼üÌøÔ¾µã
       Õâ¸öÄ¿µÄÊÇ´ÓÉÏÃæÁ½¸öÄ¿µÄµÃµ½µÄ£¬¶ÔÓÚÖжϺó£¬×îÖÕ¾ÍÊÇÒªÕÒµ½¹Ø¼üµÄÌøÔ¾µã£¬
ÒòΪÔÚÕâÀïÎÒÃÇ¿ÉÒÔ·ÖÎö³ÌÐòºó£¬¿ÉÒԵõ½Èí¼þµÄ×¢²áÂë»òÊÇʹÓÃÐ޸ĵķ½·¨À´ÆƽâÕâ¸öÈí
¼þ¡£

   4 ÈçºÎÖªµÀÒѾ­²éÕҹؼüµÄÌøÔ¾µã
     ͨ¹ýÉÏÃæ½éÉܵÄÄ¿µÄ¾Í¿ÉÒÔµ½´ï¹Ø¼üµÄÌøÔ¾µã£¬²¢ÇÒÔÚ×·×Ù¹ý³ÌÖжàʹÓÃD¼ü£¬È磺d 
eax;d ecx;µÈ£¬ÄÇôÕâ¸ödÊÇʲôÓô¦ÄØ£¿Ëü¾ÍÊÇÏÔʾ¼Ä´æÆ÷µÄÖµ¡£

   5 What kinds of values do registers hold?
    Register values usually fall into the following kinds:
     1) Letters or digits (all in character form)
        For example, after d eax you may see the registration code you entered. If you entered 78787878, then after d eax the data window shows the value 78787878.
     2) A numeric value
        With the same assumption, after d eax you will see the value 04b23526, which is 78787878 in hexadecimal.
     3) A working value
        As above, in the register window you can directly see that eax is 78787878; this is usually when eax is being used for calculation.
     4) A flag value
       As shown below:
       test eax, eax
       jz 004?????
      Here eax holds a flag value; this is usually a key location.
    
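    6 How do I set a breakpoint?
      Different situations call for different breakpoints. The commonly used ones are
      bpx hmemcpy
         Used after entering a name and a fake RN and clicking register. It breaks on memory copy.
      bpx lockmytask
         Used when the breakpoint above cannot be used, or on the banner window at startup. It is a window-closing breakpoint.
      bpx sendmessage
         Breaks after the program triggers some event. It is very useful, and of great help with software that has feature restrictions.
      bpx RegQueryValue
         Breaks on reading a registry value. For software that verifies the registration code at startup, this is a very important point of entry.
      bpx readfile
         Breaks on reading a file. It suits files protected by a key: if the program checks whether a key file exists, you can use it to break in.
      bpx GetSystemtime 
         A good breakpoint for time-limited software, because during startup the program must fetch the system time to compare it with the installation time, and the break occurs when it reads the system time ... the rest is up to you.
      bpx GetDriveType
         The most used breakpoint for CD protection. Software with CD protection must check at startup which drive in the system is the CD-ROM drive; as soon as it checks, you are inside the program.
     7 In other cracking articles, why is the function sometimes RegQueryValueA and sometimes RegQueryValue? What is the difference?
     The former is used by 32-bit programs and the latter by 16-bit programs. They differ when setting the breakpoint.

   I think this question-and-answer lesson ends here. If you still have questions, you can write to me. All right, class dismissed.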
[Questions and answers]
 
[Website introduction]
Kanxue Academy: http://toye.yeah.net
Kanxue Academy will surely be no stranger to you. This website can be called a mainstay of the Chinese cracking scene. For anyone who studies cracking, not knowing Kanxue Academy is a great loss, because the site not only has all kinds of cracking software and articles, but Mr. Kanxue has also produced the first comprehensive cracking teaching document himself. From that teaching material I gained a great deal of experience and knowledge about cracking, which quickly raised my own level. And there is more ... but I will not go on, since the address of Kanxue Academy is given above. Be sure to visit his home; I am sure you will not be disappointed.
[Magazine mailbox]
Submissions: discoveredit@china.com
Questions: discoveranswer@china.com
Moderator: programhunter@china.com