BrickShooter 2.1 cracking notes (beginners, have a look) (18K characters)
This program is a small brick-breaking game; I personally think it is quite good.
I downloaded it from 海闊天空. The Unregistered version has a 30-day time limit,
a 30-minute limit per game, cannot save, and shows a nag screen on exit, so I
used it for practice.
Tools: CASPR 1.00, Soft-ICE 4.01, UltraEdit 8.0, eXeScope 6.00, IceDump, FileInfo
FileInfo shows that it is packed with ASProtect 1.00, but my attempts to unpack
it by hand never succeed (could some expert give me a pointer?); the Import Table
never gets restored correctly, so it looks like I need to study the PE file
structure properly. Fortunately CASPR came out recently. It is great, a real
blessing for a rookie like me :)
Now to the actual work:
1. Open a DOS window and run the command
caspr bshoot.exe bs.exe
This strips the packer.
2. Load bs.exe in Soft-ICE and press F5 to run. Click the "SAVE" button;
a message box pops up saying "You are unable.....".
Press Ctrl-D to drop into Soft-ICE and set a breakpoint:
bpx destroywindow
Press F5 to run, return to BShooter and click OK; Soft-ICE catches it.
Clear the breakpoint with bc *, press F11 to return into BS, and run the command
s 30:0 l ffffffff 'You are unable'
which finds the following address:
0030:0045B9B8 59 6F 75 20 61 72 65 20-75 6E 61 62 6C 65 20 74 You are unable t
0030:0045B9C8 6F 20 6C 6F 61 64 20 6F-72 20 73 61 76 65 20 67 o load or save g
0030:0045B9D8 61 6D 65 20 62 65 63 61-75 73 65 20 79 6F 75 72 ame because your
0030:0045B9E8 20 63 6F 70 79 20 6F 66-20 42 72 69 63 6B 53 68  copy of BrickSh
0030:0045B9F8 6F 6F 74 65 72 20 69 73-20 55 4E 52 45 47 49 53 ooter is UNREGIS
0030:0045BA08 54 45 52 45 44 2E 0D 43-6C 69 63 6B 20 74 68 65 TERED..Click the
0030:0045BA18 20 52 65 67 69 73 74 65-72 20 6C 61 62 65 6C 20  Register label 
0030:0045BA28 66 6F 72 20 6D 6F 72 65-20 69 6E 66 6F 72 6D 61 for more informa
3. Set a memory breakpoint: bpm 0045b9b8
Press F5 to run and click the "SAVE" button; Soft-ICE catches it. Press F12 to
return level by level into BS. If you keep pressing F10 instead, you end up
bouncing around a few RETs and the window never appears; no matter, press F12
twice and the window pops up. Click OK and Soft-ICE catches it again, arriving
at the following place:
015F:00449F6F CALL 004400D0
015F:00449F74 MOV EAX,[EBP-0C]
015F:00449F77 MOV EDX,[EAX]
015F:00449F79 CALL [EDX+000000CC]
015F:00449F7F MOV [EBP-08],EAX
015F:00449F82 XOR EAX,EAX
015F:00449F84 POP EDX
015F:00449F85 POP ECX
015F:00449F86 POP ECX
015F:00449F87 MOV FS:[EAX],EDX
015F:00449F8A PUSH 00449F9F
015F:00449F8F MOV EAX,[EBP-0C]
015F:00449F92 CALL 00402E54
015F:00449F97 RET
015F:00449F98 JMP 004034AC
015F:00449F9D JMP 00449F8F
015F:00449F9F MOV EAX,[EBP-08]
015F:00449FA2 POP ESI
015F:00449FA3 POP EBX
015F:00449FA4 MOV ESP,EBP
015F:00449FA6 POP EBP
015F:00449FA7 RET 0010
015F:00449FAA MOV EAX,EAX
015F:00449FAC OR ECX,-01
015F:00449FAF OR EDX,-01
015F:00449FB2 CALL 00449FB8
015F:00449FB7 RET
015F:00449FB8 PUSH 00
015F:00449FBA PUSH EDX
015F:00449FBB PUSH ECX
015F:00449FBC MOV DL,04
015F:00449FBE MOV CX,[00449FCC]
015F:00449FC5 CALL 00449ED4
015F:00449FCA RET
After returning through a few CALLs you reach the key place below:
015F:0045B153 MOV EDI,[00461FD4]
015F:0045B159 ADD EDI,00000100
015F:0045B15F MOV EAX,EDI
015F:0045B161 ADD EAX,32
015F:0045B164 PUSH EAX
015F:0045B165 PUSH EBX
015F:0045B166 PUSH ESI
015F:0045B167 MOV ECX,[00461FD8]
015F:0045B16D ADD ECX,000001EF
015F:0045B173 ADD ECX,23
015F:0045B176 ADD ECX,09
015F:0045B179 MOV EDX,EDI
015F:0045B17B MOV EAX,[00461FD8]
015F:0045B180 ADD EAX,000001E5
015F:0045B185 ADD EAX,09
015F:0045B188 CALL 00458BC8
015F:0045B18D TEST AL,AL
015F:0045B18F JZ 0045B1C6
015F:0045B191 CMP BYTE PTR [0046208C],00
;see this comparison here
015F:0045B198 JNZ 0045B1B4
;this jump is the key
015F:0045B19A PUSH 00
015F:0045B19C MOV CX,[0045B9AC]
015F:0045B1A3 MOV DL,02
015F:0045B1A5 MOV EAX,0045B9B8
015F:0045B1AA CALL 00449EB4
015F:0045B1AF JMP 0045B9A0
015F:0045B1B4 MOV EAX,[EBP-04]
015F:0045B1B7 MOV EAX,[EAX+00000318]
015F:0045B1BD MOV ECX,ESI
015F:0045B1BF MOV EDX,EBX
015F:0045B1C1 MOV EDI,[EAX]
015F:0045B1C3 CALL [EDI+3C]
015F:0045B1C6 MOV EDI,[00461FD4]
015F:0045B1CC ADD EDI,00000155
015F:0045B1D2 MOV EAX,EDI
015F:0045B1D4 ADD EAX,30
015F:0045B1D7 PUSH EAX
015F:0045B1D8 PUSH EBX
015F:0045B1D9 PUSH ESI
Clearly, [0046208C] holds the registration flag.
4. Clear all previous breakpoints and set a new one:
bpm 0046208c
Reload, and it breaks at the following place:
015F:00458B94 INVALID
015F:00458B96 INVALID
015F:00458B98 ADD AL,00
015F:00458B9A ADD [EAX],AL
015F:00458B9C INSD
015F:00458B9E IMUL ESP,[EAX+EAX+00],05C60000
015F:00458BA6 MOV [EAX],FS
015F:00458BA8 INC ESI
015F:00458BA9 ADD [EAX],AL
015F:00458BAB JMP 00458BB1
;it breaks here
015F:00458BAD JMP 00458BB4
015F:00458BAF MOV [ECX+000007E9],ECX
015F:00458BB5 ADD [ESI+53F23D5B],AL
015F:00458BBB MOV ECX,EB04EB5A
015F:00458BC0 ADD EAX,C3C39999
015F:00458BC5 LEA EAX,[EAX+00]
015F:00458BC8 PUSH EBP
015F:00458BC9 MOV EBP,ESP
015F:00458BCB PUSH ESI
015F:00458BCC PUSH EDI
015F:00458BCD MOV EDI,[EBP+08]
015F:00458BD0 MOV ESI,[EBP+0C]
015F:00458BD3 CMP EAX,ESI
015F:00458BD5 JG 00458BE4
015F:00458BD7 CMP ECX,ESI
015F:00458BD9 JL 00458BE4
015F:00458BDB CMP EDX,EDI
015F:00458BDD JG 00458BE4
015F:00458BDF CMP EDI,[EBP+10]
015F:00458BE2 JLE 00458BE8
015F:00458BE4 XOR EAX,EAX
015F:00458BE6 JMP 00458BEA
015F:00458BE8 MOV AL,01
015F:00458BEA POP EDI
015F:00458BEB POP ESI
015F:00458BEC POP EBP
015F:00458BED RET 000C
The instruction just before 00458bab should be the one that writes the
registration flag, but the instructions above it are "junk" (anti-disassembly)
code, so the listing is garbled. No matter: press F5 to run, it breaks at the
same place again, and pressing F10 step by step returns to the caller, as below:
015F:00458F09 MOV EBP,ESP
015F:00458F0B PUSH 00
015F:00458F0D PUSH 00
015F:00458F0F PUSH EBX
015F:00458F10 PUSH ESI
015F:00458F11 PUSH EDI
015F:00458F12 MOV EBX,EAX
015F:00458F14 XOR EAX,EAX
015F:00458F16 PUSH EBP
015F:00458F17 PUSH 00459227
015F:00458F1C PUSH DWORD PTR FS:[EAX]
015F:00458F1F MOV FS:[EAX],ESP
015F:00458F22 CALL 00458BA4 ;this is the CALL
015F:00458F27 MOV EAX,[0045FEBC]
015F:00458F2C MOV EAX,[EAX]
015F:00458F2E MOV EAX,[EAX+000002D0]
015F:00458F34 MOV EDX,[EBX+00000360]
015F:00458F3A CALL 004495F0
015F:00458F3F MOV ECX,00459240
015F:00458F44 MOV DL,01
015F:00458F46 MOV EAX,[0044C404]
015F:00458F4B CALL 0044C4AC
015F:00458F50 MOV ESI,EAX
015F:00458F52 PUSH 01
015F:00458F54 MOV ECX,00459254
015F:00458F59 MOV EDX,00459264
015F:00458F5E MOV EAX,ESI
015F:00458F60 MOV EDI,[EAX]
015F:00458F62 CALL [EDI+10]
015F:00458F65 MOV EDX,EAX
015F:00458F67 MOV EAX,[0045FEBC]
015F:00458F6C MOV EAX,[EAX]
015F:00458F6E MOV EAX,[EAX+000002C4]
015F:00458F74 MOV ECX,[EAX]
015F:00458F76 CALL [ECX+000000BC]
015F:00458F7C PUSH 01
015F:00458F7E MOV ECX,00459274
015F:00458F83 MOV EDX,00459264
015F:00458F88 MOV EAX,ESI
Set a breakpoint at 015F:00458F22, clear the previous breakpoints and reload.
After it breaks, press F8 to step into that CALL:
015F:00458BA4 MOV BYTE PTR [0046208C],00 ;this is the instruction
015F:00458BAB JMP 00458BB1
015F:00458BAD JMP 00458BB4
015F:00458BAF MOV [ECX+000007E9],ECX
015F:00458BB5 ADD [ESI+53F23D5B],AL
015F:00458BBB MOV ECX,EB04EB5A
015F:00458BC0 ADD EAX,C3C39999
015F:00458BC5 LEA EAX,[EAX+00]
015F:00458BC8 PUSH EBP
015F:00458BC9 MOV EBP,ESP
015F:00458BCB PUSH ESI
015F:00458BCC PUSH EDI
015F:00458BCD MOV EDI,[EBP+08]
015F:00458BD0 MOV ESI,[EBP+0C]
015F:00458BD3 CMP EAX,ESI
Now you see the true face of the "junk" instructions. Type code on to view the machine code:
015F:00458BA4 C6058C20460000  MOV BYTE PTR [0046208C],00
015F:00458BAB EB04            JMP 00458BB1
015F:00458BAD EB05            JMP 00458BB4
015F:00458BAF 8989E9070000    MOV [ECX+000007E9],ECX
015F:00458BB5 00865B3DF253    ADD [ESI+53F23D5B],AL
015F:00458BBB B95AEB04EB      MOV ECX,EB04EB5A
015F:00458BC0 059999C3C3      ADD EAX,C3C39999
015F:00458BC5 8D4000          LEA EAX,[EAX+00]
015F:00458BC8 55              PUSH EBP
015F:00458BC9 8BEC            MOV EBP,ESP
015F:00458BCB 56              PUSH ESI
015F:00458BCC 57              PUSH EDI
015F:00458BCD 8B7D08          MOV EDI,[EBP+08]
015F:00458BD0 8B750C          MOV ESI,[EBP+0C]
015F:00458BD3 3BC6            CMP EAX,ESI
015F:00458BD5 7F0D            JG 00458BE4
015F:00458BD7 3BCE            CMP ECX,ESI
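As an added example that is not part of the original post, the following Python script takes the bytes from the code on listing above (00458BA4 through 00458BC7) and follows control flow from 00458BA4 instead of decoding the bytes one after another the way the Soft-ICE listing does; the four-opcode decoder subset and the helper names are my own. It shows why the listing looks like garbage: the EB 04 at 00458BAB lands inside the "MOV [ECX+000007E9],ECX" bytes, and the bytes shown as MOV ECX,EB04EB5A and ADD EAX,C3C39999 actually hold the real JMP and RET.

```python
# Bytes copied from the `code on` listing above (00458BA4..00458BC7).
CODE_BASE = 0x00458BA4
CODE = bytes.fromhex(
    "C6058C20460000"   # MOV BYTE PTR [0046208C],00
    "EB04" "EB05"      # JMP 00458BB1 / JMP 00458BB4 (junk jump pair)
    "8989E9070000"     # shown as MOV [ECX+7E9],ECX; hides E9 07 00 00 00
    "00865B3DF253"     # shown as ADD [ESI+53F23D5B],AL (never executed)
    "B95AEB04EB"       # shown as MOV ECX,EB04EB5A; hides EB 04
    "059999C3C3"       # shown as ADD EAX,C3C39999; hides C3 (RET)
    "8D4000"           # LEA EAX,[EAX+00] padding before the next function
)

def decode_one(code, base, addr):
    """Decode one instruction (only the four opcodes this chain uses)."""
    i = addr - base
    op = code[i]
    if op == 0xC6 and code[i + 1] == 0x05:      # MOV BYTE PTR [imm32],imm8
        mem = int.from_bytes(code[i + 2:i + 6], "little")
        return f"MOV BYTE PTR [{mem:08X}],{code[i + 6]:02X}", 7, addr + 7
    if op == 0xEB:                              # JMP rel8
        rel = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
        return f"JMP {addr + 2 + rel:08X}", 2, addr + 2 + rel
    if op == 0xE9:                              # JMP rel32
        rel = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
        return f"JMP {addr + 5 + rel:08X}", 5, addr + 5 + rel
    if op == 0xC3:                              # RET: no successor
        return "RET", 1, None
    raise ValueError(f"opcode {op:02X} at {addr:08X} not in the subset")

def trace_flow(code=CODE, base=CODE_BASE, start=CODE_BASE):
    """Recursive traversal: follow each jump; returns [(addr, text), ...]."""
    path, seen, addr = [], set(), start
    while addr is not None and addr not in seen:   # seen-set guards a loop
        seen.add(addr)
        text, _, nxt = decode_one(code, base, addr)
        path.append((addr, text))
        addr = nxt
    return path

def executed_offsets(code=CODE, base=CODE_BASE, start=CODE_BASE):
    """Offsets of every byte the real flow touches; all other bytes are junk."""
    hit = set()
    for addr, _ in trace_flow(code, base, start):
        length = decode_one(code, base, addr)[1]
        hit.update(range(addr - base, addr - base + length))
    return hit

if __name__ == "__main__":
    for addr, text in trace_flow():
        print(f"{addr:08X} {text}")
```

The same jump-into-the-middle-of-an-instruction trick appears in packed and obfuscated malware, which is why analysts prefer recursive-traversal disassembly over the linear sweep a debugger listing gives.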