BrickShooter 2.1 cracking notes (beginners, have a look) (18k characters)
This program is a small brick-breaking game, and I personally think it is quite good.
I downloaded it from 海闊天空. The unregistered version has a 30-day time limit,
a 30-minute limit per game, cannot save, and shows a nag screen on exit,
so let's use it for practice.
Tools: CASPR 1.00, Soft-ICE 4.01, UltraEdit 8.0,
eXeScope 6.00, IceDump, FileInfo
FileInfo shows it is packed with ASProtect 1.00, but my attempts at manual
unpacking never succeeded (could some expert give me a hint?): the import
table never gets restored correctly, so it looks like I need to study the
PE file format properly. Fortunately CASPR came out recently; for a newbie
like me it is a real blessing :)
Now let's get to work:
1. Open a DOS window and run the command
caspr bshoot.exe bs.exe
This strips the packer.
2. Load bs.exe in Soft-ICE and press F5 to run. Click the "SAVE" button;
a message box pops up saying "You are unable.....".
Press Ctrl-D to drop into Soft-ICE and set a breakpoint:
bpx destroywindow
Press F5 to run, return to BShooter, click OK, and Soft-ICE breaks.
Clear the breakpoint with bc *, press F11 to return into BS, then search:
s 30:0 l ffffffff 'You are unable'
It finds the following address:
0030:0045B9B8 59 6F 75 20 61 72 65 20-75 6E 61 62 6C 65 20 74  You are unable t
0030:0045B9C8 6F 20 6C 6F 61 64 20 6F-72 20 73 61 76 65 20 67  o load or save g
0030:0045B9D8 61 6D 65 20 62 65 63 61-75 73 65 20 79 6F 75 72  ame because your
0030:0045B9E8 20 63 6F 70 79 20 6F 66-20 42 72 69 63 6B 53 68   copy of BrickSh
0030:0045B9F8 6F 6F 74 65 72 20 69 73-20 55 4E 52 45 47 49 53  ooter is UNREGIS
0030:0045BA08 54 45 52 45 44 2E 0D 43-6C 69 63 6B 20 74 68 65  TERED..Click the
0030:0045BA18 20 52 65 67 69 73 74 65-72 20 6C 61 62 65 6C 20   Register label
0030:0045BA28 66 6F 72 20 6D 6F 72 65-20 69 6E 66 6F 72 6D 61  for more informa
3. Set a breakpoint: bpm 0045b9b8
Press F5 to run and click the "SAVE" button; Soft-ICE breaks. Press F12 repeatedly to return level by level into BS.
If you just keep pressing F10 you end up bouncing around between a few RETs and the window never appears;
no matter, press F12 twice and the window pops up. Click OK and Soft-ICE breaks again,
arriving at the following place:
015F:00449F6F CALL 004400D0
015F:00449F74 MOV EAX,[EBP-0C]
015F:00449F77 MOV EDX,[EAX]
015F:00449F79 CALL [EDX+000000CC]
015F:00449F7F MOV [EBP-08],EAX
015F:00449F82 XOR EAX,EAX
015F:00449F84 POP EDX
015F:00449F85 POP ECX
015F:00449F86 POP ECX
015F:00449F87 MOV FS:[EAX],EDX
015F:00449F8A PUSH 00449F9F
015F:00449F8F MOV EAX,[EBP-0C]
015F:00449F92 CALL 00402E54
015F:00449F97 RET
015F:00449F98 JMP 004034AC
015F:00449F9D JMP 00449F8F
015F:00449F9F MOV EAX,[EBP-08]
015F:00449FA2 POP ESI
015F:00449FA3 POP EBX
015F:00449FA4 MOV ESP,EBP
015F:00449FA6 POP EBP
015F:00449FA7 RET 0010
015F:00449FAA MOV EAX,EAX
015F:00449FAC OR ECX,-01
015F:00449FAF OR EDX,-01
015F:00449FB2 CALL 00449FB8
015F:00449FB7 RET
015F:00449FB8 PUSH 00
015F:00449FBA PUSH EDX
015F:00449FBB PUSH ECX
015F:00449FBC MOV DL,04
015F:00449FBE MOV CX,[00449FCC]
015F:00449FC5 CALL 00449ED4
015F:00449FCA RET
After returning through a few CALLs, you reach the crucial spot below:
015F:0045B153 MOV EDI,[00461FD4]
015F:0045B159 ADD EDI,00000100
015F:0045B15F MOV EAX,EDI
015F:0045B161 ADD EAX,32
015F:0045B164 PUSH EAX
015F:0045B165 PUSH EBX
015F:0045B166 PUSH ESI
015F:0045B167 MOV ECX,[00461FD8]
015F:0045B16D ADD ECX,000001EF
015F:0045B173 ADD ECX,23
015F:0045B176 ADD ECX,09
015F:0045B179 MOV EDX,EDI
015F:0045B17B MOV EAX,[00461FD8]
015F:0045B180 ADD EAX,000001E5
015F:0045B185 ADD EAX,09
015F:0045B188 CALL 00458BC8
015F:0045B18D TEST AL,AL
015F:0045B18F JZ 0045B1C6
015F:0045B191 CMP BYTE PTR [0046208C],00 ;see this comparison?
015F:0045B198 JNZ 0045B1B4 ;this jump is the key
015F:0045B19A PUSH 00
015F:0045B19C MOV CX,[0045B9AC]
015F:0045B1A3 MOV DL,02
015F:0045B1A5 MOV EAX,0045B9B8
015F:0045B1AA CALL 00449EB4
015F:0045B1AF JMP 0045B9A0
015F:0045B1B4 MOV EAX,[EBP-04]
015F:0045B1B7 MOV EAX,[EAX+00000318]
015F:0045B1BD MOV ECX,ESI
015F:0045B1BF MOV EDX,EBX
015F:0045B1C1 MOV EDI,[EAX]
015F:0045B1C3 CALL [EDI+3C]
015F:0045B1C6 MOV EDI,[00461FD4]
015F:0045B1CC ADD EDI,00000155
015F:0045B1D2 MOV EAX,EDI
015F:0045B1D4 ADD EAX,30
015F:0045B1D7 PUSH EAX
015F:0045B1D8 PUSH EBX
015F:0045B1D9 PUSH ESI
Obviously, [0046208C] holds the registration flag.
4. Clear all previous breakpoints and set a new one:
bpm 0046208c
Reload; it breaks at the following place:
015F:00458B94 INVALID
015F:00458B96 INVALID
015F:00458B98 ADD AL,00
015F:00458B9A ADD [EAX],AL
015F:00458B9C INSD
015F:00458B9E IMUL ESP,[EAX+EAX+00],05C60000
015F:00458BA6 MOV [EAX],FS
015F:00458BA8 INC ESI
015F:00458BA9 ADD [EAX],AL
015F:00458BAB JMP 00458BB1 ;breaks here
015F:00458BAD JMP 00458BB4
015F:00458BAF MOV [ECX+000007E9],ECX
015F:00458BB5 ADD [ESI+53F23D5B],AL
015F:00458BBB MOV ECX,EB04EB5A
015F:00458BC0 ADD EAX,C3C39999
015F:00458BC5 LEA EAX,[EAX+00]
015F:00458BC8 PUSH EBP
015F:00458BC9 MOV EBP,ESP
015F:00458BCB PUSH ESI
015F:00458BCC PUSH EDI
015F:00458BCD MOV EDI,[EBP+08]
015F:00458BD0 MOV ESI,[EBP+0C]
015F:00458BD3 CMP EAX,ESI
015F:00458BD5 JG 00458BE4
015F:00458BD7 CMP ECX,ESI
015F:00458BD9 JL 00458BE4
015F:00458BDB CMP EDX,EDI
015F:00458BDD JG 00458BE4
015F:00458BDF CMP EDI,[EBP+10]
015F:00458BE2 JLE 00458BE8
015F:00458BE4 XOR EAX,EAX
015F:00458BE6 JMP 00458BEA
015F:00458BE8 MOV AL,01
015F:00458BEA POP EDI
015F:00458BEB POP ESI
015F:00458BEC POP EBP
015F:00458BED RET 000C
The instruction just before 00458BAB should be the one that writes the registration flag,
but the instructions above have been disguised with junk code. No matter: press F5,
it breaks again at the same place, then press F10 step by step to return to the
caller, as follows:
015F:00458F09 MOV EBP,ESP
015F:00458F0B PUSH 00
015F:00458F0D PUSH 00
015F:00458F0F PUSH EBX
015F:00458F10 PUSH ESI
015F:00458F11 PUSH EDI
015F:00458F12 MOV EBX,EAX
015F:00458F14 XOR EAX,EAX
015F:00458F16 PUSH EBP
015F:00458F17 PUSH 00459227
015F:00458F1C PUSH DWORD PTR FS:[EAX]
015F:00458F1F MOV FS:[EAX],ESP
015F:00458F22 CALL 00458BA4 ;this is the CALL
015F:00458F27 MOV EAX,[0045FEBC]
015F:00458F2C MOV EAX,[EAX]
015F:00458F2E MOV EAX,[EAX+000002D0]
015F:00458F34 MOV EDX,[EBX+00000360]
015F:00458F3A CALL 004495F0
015F:00458F3F MOV ECX,00459240
015F:00458F44 MOV DL,01
015F:00458F46 MOV EAX,[0044C404]
015F:00458F4B CALL 0044C4AC
015F:00458F50 MOV ESI,EAX
015F:00458F52 PUSH 01
015F:00458F54 MOV ECX,00459254
015F:00458F59 MOV EDX,00459264
015F:00458F5E MOV EAX,ESI
015F:00458F60 MOV EDI,[EAX]
015F:00458F62 CALL [EDI+10]
015F:00458F65 MOV EDX,EAX
015F:00458F67 MOV EAX,[0045FEBC]
015F:00458F6C MOV EAX,[EAX]
015F:00458F6E MOV EAX,[EAX+000002C4]
015F:00458F74 MOV ECX,[EAX]
015F:00458F76 CALL [ECX+000000BC]
015F:00458F7C PUSH 01
015F:00458F7E MOV ECX,00459274
015F:00458F83 MOV EDX,00459264
015F:00458F88 MOV EAX,ESI
Set a breakpoint at 015F:00458F22 and clear the previous breakpoints.
Reload, and once it breaks press F8 to step into that CALL:
015F:00458BA4 MOV BYTE PTR [0046208C],00 ;this is the instruction
015F:00458BAB JMP 00458BB1
015F:00458BAD JMP 00458BB4
015F:00458BAF MOV [ECX+000007E9],ECX
015F:00458BB5 ADD [ESI+53F23D5B],AL
015F:00458BBB MOV ECX,EB04EB5A
015F:00458BC0 ADD EAX,C3C39999
015F:00458BC5 LEA EAX,[EAX+00]
015F:00458BC8 PUSH EBP
015F:00458BC9 MOV EBP,ESP
015F:00458BCB PUSH ESI
015F:00458BCC PUSH EDI
015F:00458BCD MOV EDI,[EBP+08]
015F:00458BD0 MOV ESI,[EBP+0C]
015F:00458BD3 CMP EAX,ESI
Now you see the true face of the junk code. Enter code on to view the machine code:
015F:00458BA4 C6058C20460000   MOV BYTE PTR [0046208C],00
015F:00458BAB EB04             JMP 00458BB1
015F:00458BAD EB05             JMP 00458BB4
015F:00458BAF 8989E9070000     MOV [ECX+000007E9],ECX
015F:00458BB5 00865B3DF253     ADD [ESI+53F23D5B],AL
015F:00458BBB B95AEB04EB       MOV ECX,EB04EB5A
015F:00458BC0 059999C3C3       ADD EAX,C3C39999
015F:00458BC5 8D4000           LEA EAX,[EAX+00]
015F:00458BC8 55               PUSH EBP
015F:00458BC9 8BEC             MOV EBP,ESP
015F:00458BCB 56               PUSH ESI
015F:00458BCC 57               PUSH EDI
015F:00458BCD 8B7D08           MOV EDI,[EBP+08]
015F:00458BD0 8B750C           MOV ESI,[EBP+0C]
015F:00458BD3 3BC6             CMP EAX,ESI
015F:00458BD5 7F0D             JG 00458BE4
015F:00458BD7 3BCE             CMP ECX,ESI
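To show why the listing above looks like nonsense, here is an added Python example (not from the original post) that takes the bytes the dump shows for 00458BA4 and follows control flow from the entry point instead of decoding the bytes one after another. The short jumps land in the middle of the "MOV [ECX+7E9],ECX", "MOV ECX,EB04EB5A" and "ADD EAX,C3C39999" instructions, so a linear-sweep disassembler prints junk while the executed path is just a MOV and a RET; this is the same trick packers and malware use against disassemblers, and a flow-following (recursive traversal) disassembler defeats it. The decoder handles only the four opcodes on the executed path and reports anything else as data; it assumes nothing beyond the bytes on the page.

```python
# Added example: follow control flow through the junk-code routine at 00458BA4.
# The bytes are those listed after "code on" in the write-up; the code is mine.
BASE = 0x00458BA4
CODE = bytes.fromhex(
    "C6058C20460000"  # 00458BA4  MOV BYTE PTR [0046208C],00  (writes the flag)
    "EB04"            # 00458BAB  JMP 00458BB1
    "EB05"            # 00458BAD  JMP 00458BB4 (never executed, only confuses the listing)
    "8989E9070000"    # 00458BAF  junk; the real path lands on E9 07 00 00 00 at 00458BB1
    "00865B3DF253"    # 00458BB5  junk
    "B95AEB04EB"      # 00458BBB  junk; the real path lands on EB 04 at 00458BBD
    "059999C3C3"      # 00458BC0  junk; the real path lands on C3 (RET) at 00458BC3
)

def decode(addr):
    """Decode the instruction at addr; returns (text, length, jump_target, is_ret).
    Only the opcodes on the executed path are decoded; any other byte is reported
    as data so the result never pretends to know what the junk bytes mean."""
    i = addr - BASE
    op = CODE[i]
    if op == 0xC6 and CODE[i + 1] == 0x05:          # MOV BYTE PTR [imm32], imm8
        dst = int.from_bytes(CODE[i + 2:i + 6], "little")
        return f"MOV BYTE PTR [{dst:08X}],{CODE[i + 6]:02X}", 7, None, False
    if op == 0xEB:                                    # JMP rel8
        rel = int.from_bytes(CODE[i + 1:i + 2], "little", signed=True)
        return f"JMP {addr + 2 + rel:08X}", 2, addr + 2 + rel, False
    if op == 0xE9:                                    # JMP rel32
        rel = int.from_bytes(CODE[i + 1:i + 5], "little", signed=True)
        return f"JMP {addr + 5 + rel:08X}", 5, addr + 5 + rel, False
    if op == 0xC3:                                    # RET
        return "RET", 1, None, True
    return f"DB {op:02X}", 1, None, False

def follow_flow(start):
    """Recursive-traversal style: decode, then continue at the jump target if any."""
    addr, trace = start, []
    while True:
        text, size, target, is_ret = decode(addr)
        trace.append((addr, text))
        if is_ret:
            return trace
        addr = target if target is not None else addr + size

def executed_byte_count(start=BASE):
    """How many of the routine's bytes are actually executed on the real path."""
    return sum(decode(a)[1] for a, _ in follow_flow(start))

if __name__ == "__main__":
    for a, t in follow_flow(BASE):
        print(f"{a:08X}  {t}")
    print(f"{executed_byte_count()} of {len(CODE)} bytes are real; the rest is padding")
```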