I. Version: 天正建筑 6.5 standalone edition + 050111 upgrade patch (the breakpoint for AutoCAD 2002 is: 1C003A13)
Platform: AutoCAD 2002/2004 + Win2K/XP
1C0039F9 E8 92F6FFFF CALL 1C003090 \:JMPUP
1C0039FE 8BB424 28020000 MOV ESI, DWORD PTR [ESP+228]
1C003A05 83C4 0C ADD ESP, C
1C003A08 8D8424 14010000 LEA EAX, DWORD PTR [ESP+114]
1C003A0F 8A10 MOV DL, BYTE PTR [EAX] \:BYJMP JmpBy:1C003A2D,
1C003A11 8ACA MOV CL, DL
* 1C003A13 3A16 CMP DL, BYTE PTR [ESI]
1C003A15 75 1C JNZ SHORT 1C003A33 \:JMPDOWN
1C003A17 84C9 TEST CL, CL
1C003A19 74 14 JE SHORT 1C003A2F \:JMPDOWN
1C003A1B 8A50 01 MOV DL, BYTE PTR [EAX+1]
1C003A1E 8ACA MOV CL, DL
1C003A20 3A56 01 CMP DL, BYTE PTR [ESI+1]
1C003A23 75 0E JNZ SHORT 1C003A33 \:JMPDOWN
1C003A25 83C0 02 ADD EAX, 2
Finding the registration code:
1. Open 天正建筑 6.5 For AutoCAD 2002; the registration prompt dialog appears.
2. Run OllyDbg and go step by step: File (F) --> Attach (A), select "天正注册码", and confirm [Attach].
3. Right-click --> View --> select the module "tch_init".
4. Go to the breakpoint: press [Ctrl]+[G] --> enter the breakpoint 1c003a13 --> click [OK].
5. Set the breakpoint: press [F2] (it turns red) --> press [F9] to run, then switch to the registration prompt window, enter any registration code, and after clicking [OK]
you are automatically returned to the OllyDbg window, where the real registration code can be found after eax in the registers; copy the whole registration code or write it down for later use.
6. Exit OllyDbg, reopen 天正建筑 6.5 For AutoCAD 2002, and when the registration prompt appears, enter the registration code and click [OK].
OK!!!
II. 天正建筑 6.5 registration
Support genuine software!!!!
For those who can use OllyDbg.
1. Open 6.5 for CAD 2005; the registration prompt appears; enter any registration code.
2. Run OllyDbg, then: File -> Attach, select "xx注册码", click Attach.
3. View -> Call stack
4. Right-click -> Thread -> Main
5. Select tch_int from the list and double-click it.
6. Find 1C0109D2 and double-click on 5C so that 1C0109D2 turns red. For the 050111 version, setting the breakpoint at 1C0109D2 is fine.
7. View -> CPU
8. Debug -> Run
9. Alt+Tab to switch to the 天正建筑 registration dialog and click OK.
10. You are automatically returned to the OllyDbg window; in the Stack pane below, right-click -> Follow address in Dump.
11. Write down the registration code you see.
Moderator, give me some points!
If it works, bump this thread for me...
I tested it on my own machine, on 2000 and XP, for 2004 and 2005 respectively.
III. Cracking 浩辰 water supply and drainage software igp2003i1203
Water supply and drainage software crack
hcgpsupport.dll:
Exported fn(): ?testEncrypt@@YAHHH@Z - Ord:0002h
:1000234A 55 push ebp
:1000234B 8BEC mov ebp, esp
:1000234D 8B450C mov eax, dword ptr [ebp+0C]
:10002350 50 push eax
:10002351 8B4D08 mov ecx, dword ptr [ebp+08]
:10002354 51 push ecx
:10002355 E886F9FFFF call 10001CE0
:1000235A 83C408 add esp, 00000008
:1000235D 83F801 cmp eax, 00000001
:10002360 7415 je 10002377 change to eb15
:10002362 8B550C mov edx, dword ptr [ebp+0C]
:10002365 52 push edx
:10002366 8B4508 mov eax, dword ptr [ebp+08]
:10002369 50 push eax
:1000236A E821FAFFFF call 10001D90
:1000236F 83C408 add esp, 00000008
:10002372 83F801 cmp eax, 00000001
:10002375 7507 jne 1000237E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10002360(C)
|
:10002377 B801000000 mov eax, 00000001
:1000237C EB02 jmp 10002380
After unpacking, copy it into the C:\WINDOWS\SYSTEM32 directory or the C:\WINDOWS\SYSTEM directory, overwriting the original file.
by liuxinminln
The method for cracking 广联达!
广联达 GBG 8.0 cracking process
Encryption method: 北京飞天诚信 company
Tools used: TRW2000, W32DASM
Software restriction: without the dongle it starts in learning-edition mode, and of course the learning edition has many limitations.
Let's get to work. After disassembling, search for the string "学习版" (learning edition) and arrive at:
:0084F714 A110708500 mov eax, dword ptr [00857010]
:0084F719 C60001 mov byte ptr [eax], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0084F70A(C), :0084F712(C)
|
:0084F71C A110708500 mov eax, dword ptr [00857010]
:0084F721 803800 cmp byte ptr [eax], 00
:0084F724 0F860A010000 jbe 0084F834 // must not jump here; jumping means learning edition
:0084F72A B804AE8500 mov eax, 0085AE04
:0084F72F E82049BBFF call 00404054
:0084F734 33C0 xor eax, eax
:0084F736 A300AE8500 mov dword ptr [0085AE00], eax
Obviously the value of [EAX] at 0084F721 is very important. With TRW we can see that EAX=853638, and also that the value at 853638 is 0; as long as its value is greater than 0 it is no longer the learning edition. Set a breakpoint with bpm 853638; the program breaks as follows:
:0084F5FB E8E442BFFF call 004438E4
:0084F600 8D4580 lea eax, dword ptr [ebp-80]
:0084F603 E83091C2FF call 00478738
:0084F608 8B4580 mov eax, dword ptr [ebp-80]
:0084F60B E83433BBFF call 00402944
:0084F610 A110708500 mov eax, dword ptr [00857010]
:0084F615 C60000 mov byte ptr [eax], 00 // breaks here; simple, right? Just change 00 to 01
:0084F618 C60511AE850000 mov byte ptr [0085AE11], 00
:0084F61F 8D857CFFFFFF lea eax, dword ptr [ebp+FFFFFF7C]
:0084F625 E80E91C2FF call 00478738
:0084F62A 8D857CFFFFFF lea eax, dword ptr [ebp+FFFFFF7C]
* Possible StringData Ref from Code Obj ->"RYCLIENT.ini"
|
:0084F630 BA78FC8400 mov edx, 0084FC78
:0084F635 E8A24CBBFF call 004042DC
:0084F63A 8B8D7CFFFFFF mov ecx, dword ptr [ebp+FFFFFF7C]
:0084F640 B201 mov dl, 01
Run the program again and it is no longer the learning edition. Haha, it wouldn't be that simple, would it? Sure enough, after getting in it still asks for a registration code for every module, but no registration code entered is correct and I couldn't intercept it either, so I took a few weeks off (damn, maybe that rest was a bit too long, but bro, there was nothing I could do). Later I noticed that all the unregistered ones contain the two characters "模块" (module):
:0055BDD8 55 push ebp
:0055BDD9 8BEC mov ebp, esp
:0055BDDB 83C4F0 add esp, FFFFFFF0
:0055BDDE B898A68500 mov eax, 0085A698
* Possible StringData Ref from Code Obj ->"预算编制模块"
|
:0055BDE3 BA04C35500 mov edx, 0055C304
:0055BDE8 E8BB82EAFF call 004040A8
:0055BDED C6059CA6850033 mov byte ptr [0085A69C], 33
:0055BDF4 C6059DA6850000 mov byte ptr [0085A69D], 00 // this is the registered-or-not flag: first the system is given the not-registered flag, then after reading the dongle, if a dongle is present the value at [85A69D] becomes 1; with no dongle it stays 0
:0055BDFB B8A0A68500 mov eax, 0085A6A0
* Possible StringData Ref from Code Obj ->"洽商变更模块"
|
:0055BE00 BA1CC35500 mov edx, 0055C31C
:0055BE05 E89E82EAFF call 004040A8
:0055BE0A C605A4A6850034 mov byte ptr [0085A6A4], 34
:0055BE11 C605A5A6850000 mov byte ptr [0085A6A5], 00
:0055BE18 B8A8A68500 mov eax, 0085A6A8
* Possible StringData Ref from Code Obj ->"月度统计模块"
|
:0055BE1D BA34C35500 mov edx, 0055C334
:0055BE22 E88182EAFF call 004040A8
:0055BE27 C605ACA6850035 mov byte ptr [0085A6AC], 35
:0055BE2E C605ADA6850000 mov byte ptr [0085A6AD], 00
:0055BE35 B8B0A68500 mov eax, 0085A6B0
* Possible StringData Ref from Code Obj ->"结算模块"
|
:0055BE3A BA4CC35500 mov edx, 0055C34C
:0055BE3F E86482EAFF call 004040A8
:0055BE44 C605B4A6850036 mov byte ptr [0085A6B4], 36
:0055BE4B C605B5A6850000 mov byte ptr [0085A6B5], 00
:0055BE52 B8B8A68500 mov eax, 0085A6B8
* Possible StringData Ref from Code Obj ->"审核模块"
|
:0055BE57 BA60C35500 mov edx, 0055C360
:0055BE5C E84782EAFF call 004040A8
:0055BE61 C605BCA6850037 mov byte ptr [0085A6BC], 37
:0055BE68 C605BDA6850000 mov byte ptr [0085A6BD], 00
:0055BE6F B8C0A68500 mov eax, 0085A6C0
* Possible StringData Ref from Code Obj ->"施工预算模块"
|
:0055BE74 BA74C35500 mov edx, 0055C374
:0055BE79 E82A82EAFF call 004040A8
:0055BE7E C605C4A6850038 mov byte ptr [0085A6C4], 38
:0055BE85 C605C5A6850000 mov byte ptr [0085A6C5], 00
:0055BE8C B8C8A68500 mov eax, 0085A6C8
* Possible StringData Ref from Code Obj ->"国际预算模块"
|
:0055BE91 BA8CC35500 mov edx, 0055C38C
:0055BE96 E80D82EAFF call 004040A8
:0055BE9B C605CCA6850039 mov byte ptr [0085A6CC], 39
:0055BEA2 C605CDA6850000 mov byte ptr [0085A6CD], 00
:0055BEA9 B8D0A68500 mov eax, 0085A6D0
* Possible StringData Ref from Code Obj ->"国际洽商模块"
|
:0055BEAE BAA4C35500 mov edx, 0055C3A4
:0055BEB3 E8F081EAFF call 004040A8
:0055BEB8 C605D4A685003A mov byte ptr [0085A6D4], 3A
:0055BEBF C605D5A6850000 mov byte ptr [0085A6D5], 00
:0055BEC6 B8D8A68500 mov eax, 0085A6D8
* Possible StringData Ref from Code Obj ->"国际统计模块"
|
:0055BECB BABCC35500 mov edx, 0055C3BC
:0055BED0 E8D381EAFF call 004040A8
:0055BED5 C605DCA685003B mov byte ptr [0085A6DC], 3B
:0055BEDC C605DDA6850000 mov byte ptr [0085A6DD], 00
:0055BEE3 B8E0A68500 mov eax, 0085A6E0
* Possible StringData Ref from Code Obj ->"国际结算模块"
|
:0055BEE8 BAD4C35500 mov edx, 0055C3D4
:0055BEED E8B681EAFF call 004040A8
:0055BEF2 C605E4A6850041 mov byte ptr [0085A6E4], 41
:0055BEF9 C605E5A6850000 mov byte ptr [0085A6E5], 00
:0055BF00 B8E8A68500 mov eax, 0085A6E8
* Possible StringData Ref from Code Obj ->"国际审核模块"
|
:0055BF05 BAECC35500 mov edx, 0055C3EC
:0055BF0A E89981EAFF call 004040A8
:0055BF0F C605ECA6850042 mov byte ptr [0085A6EC], 42
:0055BF16 C605EDA6850000 mov byte ptr [0085A6ED], 00
:0055BF1D B8F0A68500 mov eax, 0085A6F0
* Possible StringData Ref from Code Obj ->"安装模块"
|
:0055BF22 BA04C45500 mov edx, 0055C404
:0055BF27 E87C81EAFF call 004040A8
:0055BF2C C605F4A6850045 mov byte ptr [0085A6F4], 45
:0055BF33 C605F5A6850000 mov byte ptr [0085A6F5], 00
:0055BF3A 33C9 xor ecx, ecx
:0055BF3C B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"滯N"
|
:0055BF3E A1BC654E00 mov eax, dword ptr [004E65BC]
:0055BF43 E8003FF9FF call 004EFE48
:0055BF48 A318A78500 mov dword ptr [0085A718], eax
:0055BF4D A118A78500 mov eax, dword ptr [0085A718]
:0055BF52 C7401414000000 mov [eax+14], 00000014
:0055BF59 33C9 xor ecx, ecx
:0055BF5B 33D2 xor edx, edx
:0055BF5D A118A78500 mov eax, dword ptr [0085A718]
:0055BF62 E8B542F9FF call 004F021C
:0055BF67 33C9 xor ecx, ecx
:0055BF69 33D2 xor edx, edx
:0055BF6B A118A78500 mov eax, dword ptr [0085A718]
:0055BF70 E8A742F9FF call 004F021C
:0055BF75 33C9 xor ecx, ecx
:0055BF77 B201 mov dl, 01
The software has many modules, nine in total, but they are all the same: just change the registration flag and it is registered, so I won't repeat it here! At this point the software is cracked; what remains is getting the quota (定额) registered, which I'll cover later!
【Crack title】 开目CAD2005 --- Enterprise Resource Manager crack analysis
【Author】 WGC3306 [CZG] 04.09.18
【Author email】 WGC3306@163.com QQ:24803353
【Tools used】 TRW2000
【Platform】 WinME
【Software name】 企业资源管理器 (Enterprise Resource Manager)
【Download address】
【Software introduction】
【Software size】
【Purpose】 I like this software and a friend asked for it. Everyone should still support domestic software.
【Declaration】 I am just a newbie; I gained a little insight and would like to share it with everyone ^-^
----------------------------------------------------------------------
【Crack details】
Run TRW2000, set a breakpoint with BPX DEVICEIOCONTROL, press F5, run the Enterprise Resource Manager; it breaks. Press F12 N times until the no-dongle dialog appears, click OK, and return to TRW2000. Looking upward you see the code below, where you can see 006C985E E8BB50D4FF Call 0040E91E ----- the CALL that produces the error. Now we only need to look upward for the place that can jump past it; keep searching until: 006C9636 0F8544020000 jne 006C9880 --- the key jump; if it jumps, success;
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006C9418(U), :006C952D(U), :006C95AB(U), :006C9629(U)
|
:006C9630 0FBF45D8 movsx eax, word ptr [ebp-28]
:006C9634 85C0 test eax, eax--------------------------------------- note that EAX=0 here
:006C9636 0F8544020000 jne 006C9880-------------------------------- the key jump; if it jumps, success,
:006C963C 833D78FC710000 cmp dword ptr [0071FC78], 00000000
:006C9643 751B jne 006C9660
:006C9645 6878FC7100 push 0071FC78
:006C964A 68D4A54300 push 0043A5D4
* Reference T MSVBVM60.__vbaNew2, Ord:0000h
|
:006C964F E86E51D4FF Call 0040E7C2
:006C9654 C7853CFEFFFF78FC7100 mov dword ptr [ebp+FFFFFE3C], 0071FC78
:006C965E EB0A jmp 006C966A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C9643(C)
|
:006C9660 C7853CFEFFFF78FC7100 mov dword ptr [ebp+FFFFFE3C], 0071FC78
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C965E(U)
|
:006C966A 8B853CFEFFFF mov eax, dword ptr [ebp+FFFFFE3C]
:006C9670 8B00 mov eax, dword ptr [eax]
:006C9672 8985D8FEFFFF mov dword ptr [ebp+FFFFFED8], eax
:006C9678 833D90D8710000 cmp dword ptr [0071D890], 00000000
:006C967F 751B jne 006C969C
:006C9681 6890D87100 push 0071D890
:006C9686 687CF54000 push 0040F57C
* Reference T MSVBVM60.__vbaNew2, Ord:0000h
|
:006C968B E83251D4FF Call 0040E7C2
:006C9690 C78538FEFFFF90D87100 mov dword ptr [ebp+FFFFFE38], 0071D890
:006C969A EB0A jmp 006C96A6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C967F(C)
|
:006C969C C78538FEFFFF90D87100 mov dword ptr [ebp+FFFFFE38], 0071D890
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C969A(U)
|
:006C96A6 8B8538FEFFFF mov eax, dword ptr [ebp+FFFFFE38]
:006C96AC FF30 push dword ptr [eax]
:006C96AE 8D8564FFFFFF lea eax, dword ptr [ebp+FFFFFF64]
:006C96B4 50 push eax
* Reference T MSVBVM60.__vbaObjSetAddref, Ord:0000h
|
:006C96B5 E83251D4FF Call 0040E7EC
:006C96BA 50 push eax
:006C96BB 8B85D8FEFFFF mov eax, dword ptr [ebp+FFFFFED8]
:006C96C1 8B00 mov eax, dword ptr [eax]
:006C96C3 FFB5D8FEFFFF push dword ptr [ebp+FFFFFED8]
:006C96C9 FF5010 call [eax+10]
:006C96CC DBE2 fclex
:006C96CE 8985D4FEFFFF mov dword ptr [ebp+FFFFFED4], eax
:006C96D4 83BDD4FEFFFF00 cmp dword ptr [ebp+FFFFFED4], 00000000
:006C96DB 7D20 jge 006C96FD
:006C96DD 6A10 push 00000010
:006C96DF 68C4A54300 push 0043A5C4
:006C96E4 FFB5D8FEFFFF push dword ptr [ebp+FFFFFED8]
:006C96EA FFB5D4FEFFFF push dword ptr [ebp+FFFFFED4]
* Reference T MSVBVM60.__vbaHresultCheckObj, Ord:0000h
|
:006C96F0 E81B51D4FF Call 0040E810
:006C96F5 898534FEFFFF mov dword ptr [ebp+FFFFFE34], eax
:006C96FB EB07 jmp 006C9704
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C96DB(C)
|
:006C96FD 83A534FEFFFF00 and dword ptr [ebp+FFFFFE34], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C96FB(U)
|
:006C9704 8D8D64FFFFFF lea ecx, dword ptr [ebp+FFFFFF64]
* Reference T MSVBVM60.__vbaFreeObj, Ord:0000h
|
:006C970A E8D750D4FF Call 0040E7E6
:006C970F 8B55C8 mov edx, dword ptr [ebp-38]
:006C9712 8D8DBCFEFFFF lea ecx, dword ptr [ebp+FFFFFEBC]
* Reference T MSVBVM60.__vbaStrCopy, Ord:0000h
|
:006C9718 E85351D4FF Call 0040E870
:006C971D FFB5BCFEFFFF push dword ptr [ebp+FFFFFEBC]
:006C9723 68CCB64300 push 0043B6CC
* Reference T MSVBVM60.__vbaStrCmp, Ord:0000h
|
:006C9728 E8C151D4FF Call 0040E8EE
:006C972D 85C0 test eax, eax
:006C972F 753C jne 006C976D
:006C9731 6884C54400 push 0044C584
:006C9736 FF3518D17100 push dword ptr [0071D118]
* Reference T MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C973C E8B951D4FF Call 0040E8FA
:006C9741 8BD0 mov edx, eax
:006C9743 8D4D8C lea ecx, dword ptr [ebp-74]
* Reference T MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C9746 E88350D4FF Call 0040E7CE
:006C974B 50 push eax
:006C974C 68A8C54400 push 0044C5A8
* Reference T MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C9751 E8A451D4FF Call 0040E8FA
:006C9756 8BD0 mov edx, eax
:006C9758 8D4DDC lea ecx, dword ptr [ebp-24]
* Reference T MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C975B E86E50D4FF Call 0040E7CE
:006C9760 8D4D8C lea ecx, dword ptr [ebp-74]
* Reference T MSVBVM60.__vbaFreeStr, Ord:0000h
|
:006C9763 E86050D4FF Call 0040E7C8
:006C9768 E984000000 jmp 006C97F1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C972F(C)
|
:006C976D FFB5BCFEFFFF push dword ptr [ebp+FFFFFEBC]
:006C9773 6878C54400 push 0044C578
* Reference T MSVBVM60.__vbaStrCmp, Ord:0000h
|
:006C9778 E87151D4FF Call 0040E8EE
:006C977D 85C0 test eax, eax
:006C977F 7539 jne 006C97BA
:006C9781 68B0C54400 push 0044C5B0
:006C9786 FF3518D17100 push dword ptr [0071D118]
* Reference T MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C978C E86951D4FF Call 0040E8FA
:006C9791 8BD0 mov edx, eax
:006C9793 8D4D8C lea ecx, dword ptr [ebp-74]
* Reference T MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C9796 E83350D4FF Call 0040E7CE
:006C979B 50 push eax
:006C979C 68A8C54400 push 0044C5A8
* Reference T MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C97A1 E85451D4FF Call 0040E8FA
:006C97A6 8BD0 mov edx, eax
:006C97A8 8D4DDC lea ecx, dword ptr [ebp-24]
* Reference T MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C97AB E81E50D4FF Call 0040E7CE
:006C97B0 8D4D8C lea ecx, dword ptr [ebp-74]
* Reference T MSVBVM60.__vbaFreeStr, Ord:0000h
|
:006C97B3 E81050D4FF Call 0040E7C8
:006C97B8 EB37 jmp 006C97F1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006C977F(C)
|
:006C97BA 68D4C54400 push 0044C5D4
:006C97BF FF3518D17100 push dword ptr [0071D118]
* Reference T MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C97C5 E83051D4FF Call 0040E8FA
:006C97CA 8BD0 mov edx, eax
:006C97CC 8D4D8C lea ecx, dword ptr [ebp-74]
* Reference T MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C97CF E8FA4FD4FF Call 0040E7CE
:006C97D4 50 push eax
:006C97D5 68A8C54400 push 0044C5A8
* Reference T MSVBVM60.__vbaStrCat, Ord:0000h
|
:006C97DA E81B51D4FF Call 0040E8FA
:006C97DF 8BD0 mov edx, eax
:006C97E1 8D4DDC lea ecx, dword ptr [ebp-24]
* Reference T MSVBVM60.__vbaStrMove, Ord:0000h
|
:006C97E4 E8E54FD4FF Call 0040E7CE
:006C97E9 8D4D8C lea ecx, dword ptr [ebp-74]
* Reference T MSVBVM60.__vbaFreeStr, Ord:0000h
|
:006C97EC E8D74FD4FF Call 0040E7C8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006C9768(U), :006C97B8(U)
|
:006C97F1 C7854CFFFFFF04000280 mov dword ptr [ebp+FFFFFF4C], 80020004
:006C97FB C78544FFFFFF0A000000 mov dword ptr [ebp+FFFFFF44], 0000000A
:006C9805 C7855CFFFFFF04000280 mov dword ptr [ebp+FFFFFF5C], 80020004
:006C980F C78554FFFFFF0A000000 mov dword ptr [ebp+FFFFFF54], 0000000A
:006C9819 C7850CFFFFFF18D17100 mov dword ptr [ebp+FFFFFF0C], 0071D118
:006C9823 C78504FFFFFF08400000 mov dword ptr [ebp+FFFFFF04], 00004008
:006C982D 8D45DC lea eax, dword ptr [ebp-24]
:006C9830 89851CFFFFFF mov dword ptr [ebp+FFFFFF1C], eax
:006C9836 C78514FFFFFF08400000 mov dword ptr [ebp+FFFFFF14], 00004008
:006C9840 8D8544FFFFFF lea eax, dword ptr [ebp+FFFFFF44]
:006C9846 50 push eax
:006C9847 8D8554FFFFFF lea eax, dword ptr [ebp+FFFFFF54]
:006C984D 50 push eax
:006C984E 8D8504FFFFFF lea eax, dword ptr [ebp+FFFFFF04]
:006C9854 50 push eax
:006C9855 6A10 push 00000010
:006C9857 8D8514FFFFFF lea eax, dword ptr [ebp+FFFFFF14]
:006C985D 50 push eax
* Reference T MSVBVM60.rtcMsgBox, Ord:0253h
|
:006C985E E8BB50D4FF Call 0040E91E-------- the CALL that produces the error, "dongle not found..."
:006C9863 8D8544FFFFFF lea eax, dword ptr [ebp+FFFFFF44]
:006C9869 50 push eax
:006C986A 8D8554FFFFFF lea eax, dword ptr [ebp+FFFFFF54]
:006C9870 50 push eax
:006C9871 6A02 push 00000002
After the analysis above, we change the key jump and run: OK, success. But startup is too slow, so obviously there is a dongle-search CALL. We continue; the goal now is to find the dongle-search CALL and then kill it;
This should be easy to find: run TRW2000, set a breakpoint with BPX DEVICEIOCONTROL, press F5, run the Enterprise Resource Manager, break, then PMODULE to get into the KmRes.exe address space. After a long dongle search it returns to TRW2000; look upward to find the dongle-search CALL, shown in the code below, which is 00627664 E8EB22E2FF call 00449954.
* Reference T MSVBVM60.__vbaFpI4, Ord:0000h
|
:00627653 E84E72DEFF Call 0040E8A6
:00627658 8945F4 mov dword ptr [ebp-0C], eax
:0062765B FF7510 push [ebp+10]
:0062765E FF750C push [ebp+0C]
:00627661 FF7508 push [ebp+08]
:00627664 E8EB22E2FF call 00449954--------------------------- the dongle-search CALL, kill it!
:00627669 8945F0 mov dword ptr [ebp-10], eax
* Reference T MSVBVM60.__vbaSetSystemError, Ord:0000h
Crack summary:
Patch: at 006C9636 0F8544020000 jne 006C9880, change 0F8544020000 to 0F8444020000
At :00627664 E8EB22E2FF call 00449954, change E8EB22E2FF to 9090909090 and it's done!
【Copyright notice】 This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thank you!