★從輕鬆試卷 v4.03 的破解看 r fl z 的妙用★ (16千字)
★從輕鬆試卷 v4.03 的破解看 r fl z 的妙用★
作者:PaulYoung
E-mail:paulyoung@yeah.net
軟體簡介:顧名思義啦。
URL:http://easypaper.yeah.net (最新版本是 v4.04 ,相信也差不了多少)
破解工具:SOFT-ICE V4.0.5
二○○一年三月二十四日凌晨
==============================================================================================================
首先感謝★小牧童★大師的指點,才使我能用 W32DASM V8.93 反彙編輕鬆試卷。雖然我是用動態跟蹤破解的,但要寫破解心得,首選還是 W32DASM。
==============================================================================================================
好了,首先自我介紹一番,我是名初學者,學了個把兩個月破解吧,因此,彙編知識自然是鳥之又鳥的了,但熟能生巧嘛,而且我又是看雪破解論壇的常客,一來二往,真的學了不少東西。
最近我學了一招 r fl z ,功能大概跟 a 指令差不多吧,不過我覺得它按起來順手多了。TRW2000 和 SOFT-ICE 均可使用,靈活運用,對破解能起到事半功倍的作用。
下面,我就以輕鬆試卷為例,看看 r fl z 有何妙處吧。
1、執行輕鬆試卷,在註冊框的學校/單位、使用者名稱、註冊號處填寫,隨你便啦。
2、Ctrl+D 啟用SOFT-ICE,下 BPX HMEMCPY。F5 退出,點選確定,被攔截。
3、下 BD * ,中斷所有斷點。
4、按12次 F12 (因為13次出錯),開始看:
:004019A5 8D4DF8
lea ecx, dword ptr [ebp-08] //程式入口
:004019A8 51
push ecx
:004019A9 8BD7
mov edx, edi
:004019AB 8D45F4
lea eax, dword ptr [ebp-0C]
:004019AE E8D5721200 call
00528C88
:004019B3 FF431C
inc [ebx+1C]
:004019B6 8D55F4
lea edx, dword ptr [ebp-0C]
:004019B9 58
pop eax
:004019BA E80D751200 call
00528ECC
:004019BF 50
push eax
:004019C0 FF4B1C
dec [ebx+1C]
:004019C3 8D45F4
lea eax, dword ptr [ebp-0C]
:004019C6 BA02000000 mov edx,
00000002
:004019CB E818741200 call
00528DE8
:004019D0 FF4B1C
dec [ebx+1C]
:004019D3 8D45F8
lea eax, dword ptr [ebp-08]
:004019D6 BA02000000 mov edx,
00000002
:004019DB E808741200 call
00528DE8 //學校名、單位名不能為空(我掉頭就溜……)
:004019E0 59
pop ecx
:004019E1 84C9
test cl, cl
:004019E3 745F
je 00401A44 //下 r fl z ,F5退出,可看到上面提示
:004019E5 66C743101400 mov [ebx+10],
0014
:004019EB 8D5701
lea edx, dword ptr [edi+01]
:004019EE 8D45F0
lea eax, dword ptr [ebp-10]
:004019F1 E892721200 call
00528C88
:004019F6 FF431C
inc [ebx+1C]
:004019F9 8D45F0
lea eax, dword ptr [ebp-10]
:004019FC 33D2
xor edx, edx
:004019FE 8955EC
mov dword ptr [ebp-14], edx
:00401A01 8D55EC
lea edx, dword ptr [ebp-14]
:00401A04 FF431C
inc [ebx+1C]
:00401A07 E8E8A90100 call
0041C3F4
:00401A0C 8D45EC
lea eax, dword ptr [ebp-14]
:00401A0F 8B00
mov eax, dword ptr [eax]
:00401A11 E886420100 call
00415C9C
:00401A16 FF4B1C
dec [ebx+1C]
:00401A19 8D45EC
lea eax, dword ptr [ebp-14]
:00401A1C BA02000000 mov edx,
00000002
:00401A21 E8C2731200 call
00528DE8
:00401A26 FF4B1C
dec [ebx+1C]
:00401A29 8D45F0
lea eax, dword ptr [ebp-10]
:00401A2C BA02000000 mov edx,
00000002
:00401A31 E8B2731200 call
00528DE8
:00401A36 8B0B
mov ecx, dword ptr [ebx]
:00401A38 64890D00000000 mov dword ptr fs:[00000000],
ecx
:00401A3F E972030000 jmp 00401DB6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004019E3(C)
|
:00401A44 66C743102000 mov [ebx+10],
0020
:00401A4A 33C0
xor eax, eax
:00401A4C 8945E8
mov dword ptr [ebp-18], eax
:00401A4F 8D55E8
lea edx, dword ptr [ebp-18]
:00401A52 FF431C
inc [ebx+1C]
:00401A55 8B86DC020000 mov eax, dword
ptr [esi+000002DC]
:00401A5B E8F8A60D00 call
004DC158
:00401A60 8D55E8
lea edx, dword ptr [ebp-18]
:00401A63 52
push edx
:00401A64 8D5711
lea edx, dword ptr [edi+11]
:00401A67 8D45E4
lea eax, dword ptr [ebp-1C]
:00401A6A E819721200 call
00528C88
:00401A6F FF431C
inc [ebx+1C]
:00401A72 8D55E4
lea edx, dword ptr [ebp-1C]
:00401A75 58
pop eax
:00401A76 E851741200 call
00528ECC
:00401A7B 50
push eax
:00401A7C FF4B1C
dec [ebx+1C]
:00401A7F 8D45E4
lea eax, dword ptr [ebp-1C]
:00401A82 BA02000000 mov edx,
00000002
:00401A87 E85C731200 call
00528DE8
:00401A8C FF4B1C
dec [ebx+1C]
:00401A8F 8D45E8
lea eax, dword ptr [ebp-18]
:00401A92 BA02000000 mov edx,
00000002
:00401A97 E84C731200 call
00528DE8 //使用者名稱不能為空(傻子才會跟進去)
:00401A9C 59
pop ecx
:00401A9D 84C9
test cl, cl
:00401A9F 745F
je 00401B00 //下 r fl z ,F5退出,可看到上面提示
:00401AA1 66C743102C00 mov [ebx+10],
002C
:00401AA7 8D5712
lea edx, dword ptr [edi+12]
:00401AAA 8D45E0
lea eax, dword ptr [ebp-20]
:00401AAD E8D6711200 call
00528C88
:00401AB2 FF431C
inc [ebx+1C]
:00401AB5 8D45E0
lea eax, dword ptr [ebp-20]
:00401AB8 33D2
xor edx, edx
:00401ABA 8955DC
mov dword ptr [ebp-24], edx
:00401ABD 8D55DC
lea edx, dword ptr [ebp-24]
:00401AC0 FF431C
inc [ebx+1C]
:00401AC3 E82CA90100 call
0041C3F4
:00401AC8 8D45DC
lea eax, dword ptr [ebp-24]
:00401ACB 8B00
mov eax, dword ptr [eax]
:00401ACD E8CA410100 call
00415C9C
:00401AD2 FF4B1C
dec [ebx+1C]
:00401AD5 8D45DC
lea eax, dword ptr [ebp-24]
:00401AD8 BA02000000 mov edx,
00000002
:00401ADD E806731200 call
00528DE8
:00401AE2 FF4B1C
dec [ebx+1C]
:00401AE5 8D45E0
lea eax, dword ptr [ebp-20]
:00401AE8 BA02000000 mov edx,
00000002
:00401AED E8F6721200 call
00528DE8
:00401AF2 8B0B
mov ecx, dword ptr [ebx]
:00401AF4 64890D00000000 mov dword ptr fs:[00000000],
ecx
:00401AFB E9B6020000 jmp 00401DB6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401A9F(C)
|
:00401B00 66C743103800 mov [ebx+10],
0038
:00401B06 33C0
xor eax, eax
:00401B08 8945D8
mov dword ptr [ebp-28], eax
:00401B0B 8D55D8
lea edx, dword ptr [ebp-28]
:00401B0E FF431C
inc [ebx+1C]
:00401B11 8B86E0020000 mov eax, dword
ptr [esi+000002E0]
:00401B17 E83CA60D00 call
004DC158
:00401B1C 8D55D8
lea edx, dword ptr [ebp-28]
:00401B1F 52
push edx
:00401B20 8D5724
lea edx, dword ptr [edi+24]
:00401B23 8D45D4
lea eax, dword ptr [ebp-2C]
:00401B26 E85D711200 call
00528C88
:00401B2B FF431C
inc [ebx+1C]
:00401B2E 8D55D4
lea edx, dword ptr [ebp-2C]
:00401B31 58
pop eax
:00401B32 E895731200 call
00528ECC
:00401B37 50
push eax
:00401B38 FF4B1C
dec [ebx+1C]
:00401B3B 8D45D4
lea eax, dword ptr [ebp-2C]
:00401B3E BA02000000 mov edx,
00000002
:00401B43 E8A0721200 call
00528DE8
:00401B48 FF4B1C
dec [ebx+1C]
:00401B4B 8D45D8
lea eax, dword ptr [ebp-28]
:00401B4E BA02000000 mov edx,
00000002
:00401B53 E890721200 call
00528DE8
//註冊號不能為空(快點走吧……)
:00401B58 59
pop ecx
:00401B59 84C9
test cl, cl
:00401B5B 745F
je 00401BBC //下 r fl z ,F5退出,可看到上面提示
:00401B5D 66C743104400 mov [ebx+10],
0044
:00401B63 8D5725
lea edx, dword ptr [edi+25]
:00401B66 8D45D0
lea eax, dword ptr [ebp-30]
:00401B69 E81A711200 call
00528C88
:00401B6E FF431C
inc [ebx+1C]
:00401B71 8D45D0
lea eax, dword ptr [ebp-30]
:00401B74 33D2
xor edx, edx
:00401B76 8955CC
mov dword ptr [ebp-34], edx
:00401B79 8D55CC
lea edx, dword ptr [ebp-34]
:00401B7C FF431C
inc [ebx+1C]
:00401B7F E870A80100 call
0041C3F4
:00401B84 8D45CC
lea eax, dword ptr [ebp-34]
:00401B87 8B00
mov eax, dword ptr [eax]
:00401B89 E80E410100 call
00415C9C
:00401B8E FF4B1C
dec [ebx+1C]
:00401B91 8D45CC
lea eax, dword ptr [ebp-34]
:00401B94 BA02000000 mov edx,
00000002
:00401B99 E84A721200 call
00528DE8
:00401B9E FF4B1C
dec [ebx+1C]
:00401BA1 8D45D0
lea eax, dword ptr [ebp-30]
:00401BA4 BA02000000 mov edx,
00000002
:00401BA9 E83A721200 call
00528DE8
:00401BAE 8B0B
mov ecx, dword ptr [ebx]
:00401BB0 64890D00000000 mov dword ptr fs:[00000000],
ecx
:00401BB7 E9FA010000 jmp 00401DB6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B5B(C)
|
:00401BBC 66C743105C00 mov [ebx+10],
005C
:00401BC2 33C0
xor eax, eax
:00401BC4 8945C4
mov dword ptr [ebp-3C], eax
:00401BC7 8D55C4
lea edx, dword ptr [ebp-3C]
:00401BCA FF431C
inc [ebx+1C]
:00401BCD 8B86D8020000 mov eax, dword
ptr [esi+000002D8]
:00401BD3 E880A50D00 call
004DC158
:00401BD8 8D55C4
lea edx, dword ptr [ebp-3C]
:00401BDB 33C0
xor eax, eax
:00401BDD 8B0A
mov ecx, dword ptr [edx]
:00401BDF 8D55C8
lea edx, dword ptr [ebp-38]
:00401BE2 51
push ecx
:00401BE3 8945C8
mov dword ptr [ebp-38], eax
:00401BE6 FF431C
inc [ebx+1C]
:00401BE9 8B86DC020000 mov eax, dword
ptr [esi+000002DC]
:00401BEF E864A50D00 call
004DC158
:00401BF4 8D45C8
lea eax, dword ptr [ebp-38]
:00401BF7 8B00
mov eax, dword ptr [eax]
:00401BF9 33D2
xor edx, edx
:00401BFB 8955FC
mov dword ptr [ebp-04], edx
:00401BFE 8D4DFC
lea ecx, dword ptr [ebp-04]
:00401C01 FF431C
inc [ebx+1C]
:00401C04 5A
pop edx
:00401C05 E8762C0100 call
00414880
:00401C0A FF4B1C
dec [ebx+1C]
:00401C0D 8D45C4
lea eax, dword ptr [ebp-3C]
:00401C10 BA02000000 mov edx,
00000002
:00401C15 E8CE711200 call
00528DE8
:00401C1A FF4B1C
dec [ebx+1C]
:00401C1D 8D45C8
lea eax, dword ptr [ebp-38]
:00401C20 BA02000000 mov edx,
00000002
:00401C25 E8BE711200 call
00528DE8
:00401C2A 66C743105000 mov [ebx+10],
0050
:00401C30 66C743106800 mov [ebx+10],
0068
:00401C36 33C0
xor eax, eax
:00401C38 8945C0
mov dword ptr [ebp-40], eax
:00401C3B 8D55C0
lea edx, dword ptr [ebp-40]
:00401C3E FF431C
inc [ebx+1C]
:00401C41 8B86E0020000 mov eax, dword
ptr [esi+000002E0]
:00401C47 E80CA50D00 call
004DC158
:00401C4C 8D55C0
lea edx, dword ptr [ebp-40]
:00401C4F 8D45FC
lea eax, dword ptr [ebp-04]
:00401C52 E875721200 call
00528ECC
:00401C57 50
push eax
:00401C58 FF4B1C
dec [ebx+1C]
:00401C5B 8D45C0
lea eax, dword ptr [ebp-40]
:00401C5E BA02000000 mov edx,
00000002
:00401C63 E880711200 call
00528DE8 //恭喜你,你已成功註冊(哈……哈……,快成功了!)
:00401C68 59
pop ecx
:00401C69 84C9
test cl, cl
:00401C6B 0F84C0000000 je 00401D31 //下
r fl z ,F5退出,可看到上面提示
:00401C71 66C743107400 mov [ebx+10],
0074
:00401C77 33C0
xor eax, eax
:00401C79 8945BC
mov dword ptr [ebp-44], eax
:00401C7C 8D55BC
lea edx, dword ptr [ebp-44]
:00401C7F FF431C
inc [ebx+1C]
:00401C82 8B86D8020000 mov eax, dword
ptr [esi+000002D8]
:00401C88 E8CBA40D00 call
004DC158
:00401C8D 8D55BC
lea edx, dword ptr [ebp-44]
:00401C90 33C0
xor eax, eax
:00401C92 8B0A
mov ecx, dword ptr [edx]
:00401C94 8D55B8
lea edx, dword ptr [ebp-48]
:00401C97 51
push ecx
:00401C98 8945B8
mov dword ptr [ebp-48], eax
:00401C9B FF431C
inc [ebx+1C]
:00401C9E 8B86DC020000 mov eax, dword
ptr [esi+000002DC]
:00401CA4 E8AFA40D00 call
004DC158
:00401CA9 8D55B8
lea edx, dword ptr [ebp-48]
:00401CAC 8B0A
mov ecx, dword ptr [edx]
:00401CAE 51
push ecx
:00401CAF E818340100 call
004150CC
:00401CB4 83C408
add esp, 00000008
:00401CB7 FF4B1C
dec [ebx+1C]
:00401CBA 8D45B8
lea eax, dword ptr [ebp-48]
:00401CBD BA02000000 mov edx,
00000002
//D EDX ,ALT+↑可看到註冊碼
:00401CC2 E821711200 call
00528DE8
:00401CC7 FF4B1C
dec [ebx+1C]
:00401CCA 8D45BC
lea eax, dword ptr [ebp-44]
:00401CCD BA02000000 mov edx,
00000002
:00401CD2 E811711200 call
00528DE8
:00401CD7 66C743108000 mov [ebx+10],
0080
:00401CDD 8D573D
lea edx, dword ptr [edi+3D]
:00401CE0 8D45B4
lea eax, dword ptr [ebp-4C]
:00401CE3 E8A06F1200 call
00528C88
:00401CE8 FF431C
inc [ebx+1C]
:00401CEB 8D45B4
lea eax, dword ptr [ebp-4C]
:00401CEE 33D2
xor edx, edx
:00401CF0 8955B0
mov dword ptr [ebp-50], edx
:00401CF3 8D55B0
lea edx, dword ptr [ebp-50]
:00401CF6 FF431C
inc [ebx+1C]
:00401CF9 E8F6A60100 call
0041C3F4
:00401CFE 8D45B0
lea eax, dword ptr [ebp-50]
:00401D01 8B00
mov eax, dword ptr [eax]
:00401D03 E8B03E0100 call
00415BB8 //彈出“恭喜你,你已成功註冊”視窗
**************************************************************************************************************
大家明白了嗎?r fl z 並不會真的修改程式,只是起到模擬的作用,用它來驗證某些 CALL 的功能非常好用,像我這種不太懂彙編的初學者來說,看到可疑的 CALL 與 jne,je 時,在 jne/je 處下 r fl z ,再 F5 退出,看一看提示,就毋須像以前那樣亂 D or ?一通,甚至 F8 跟入,徒勞無功了。如像 00401C63 處,在 00401C6B je 00401D31 處下 r fl z,彈出成功視窗,說明這個 call 有問題,雖然跟進這個 call 只能看到正確註冊碼的前三位,但很多軟體還是用這種辦法直接找到註冊碼或 F8 跟入再找到註冊碼的。
注:1、各位驗證某個 call 時最好先 BD * 中斷之前的所有斷點,再在這個 call 設斷,下 r fl z ,F5 退出後,如果發現不是驗證註冊碼的
call ,按確定一般都可以被 TRW2000,SOFT-ICE 攔截,以便繼續驗證。(因為驗證可能不止一次,如上例,以免重複作無謂的勞動。)
2、00401C6B je 00401D31 處必須下 r fl z,否則你是不可能來到00401CBD mov edx, 00000002的,切記,切記!