OICQ HACK 1.0 破解過程 (9千字)
OICQ HACK 1.0 B 可執行檔案:OicqHack.exe
此程式未註冊將無法開啟多號碼探測和號碼檔案列表模式。
演算方式:將使用者輸入的Register進行演算(輸入的前6位不參與演算),將程式的Serial進行演算(同Award BIOS密碼演算方法一樣),比較兩次演算的結果,相同則註冊成功。
由於倒算註冊碼嫌麻煩,改用修改法:
破解過程如下:
:00405C65 8935EC5E4400 mov dword
ptr [00445EEC], esi
:00405C6B 8BD6
mov edx, esi
:00405C6D 83C224
add edx, 00000024
:00405C70 B911000000 mov ecx,
00000011
:00405C75 8B83D4010000 mov eax, dword
ptr [ebx+000001D4]
:00405C7B E8D48A0000 call
0040E754
:00405C80 A1EC5E4400 mov eax,
dword ptr [00445EEC]
:00405C85 50
push eax
:00405C86 E845F9FFFF call
004055D0――――――――――――――――進入總比較call
:00405C8B 59
pop ecx
:00405C8C 85C0
test eax, eax――――――――――――――――為0就為未註冊
:00405C8E 7415
je 00405CA5
:00405C90 6A00
push 00000000
* Possible StringData Ref from Data Obj ->"Registration Successed"
|
:00405C92 68DF144400 push
004414DF
* Possible StringData Ref from Data Obj ->"Thanks for your registration, "――――――――透過
->"all limits are removed now."
|
:00405C97 68A5144400 push
004414A5
:00405C9C 6A00
push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00405C9E E8A3700300 Call
0043CD46
:00405CA3 EB13
jmp 00405CB8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405C8E(C)
|
:00405CA5 6A00
push 00000000
* Possible StringData Ref from Data Obj ->"Registration failed"
|
:00405CA7 680F154400 push
0044150F
* Possible StringData Ref from Data Obj ->"Incorrect register code."――――――――未透過
|
:00405CAC 68F6144400 push
004414F6
:00405CB1 6A00
push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00405CB3 E88E700300 Call
0043CD46
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405CA3(U)
|
:00405CB8 6A03
push 00000003
:00405CBA 8B15EC5E4400 mov edx, dword
ptr [00445EEC]
:00405CC0 52
push edx
:00405CC1 E8EEF8FFFF call
004055B4
:00405CC6 83C408
add esp, 00000008
:00405CC9 8BC3
mov eax, ebx
:00405CCB E8203E0100 call
00419AF0
:00405CD0 8B55D8
mov edx, dword ptr [ebp-28]
:00405CD3 64891500000000 mov dword ptr fs:[00000000],
edx
:00405CDA 5E
pop esi
:00405CDB 5B
pop ebx
:00405CDC 8BE5
mov esp, ebp
:00405CDE 5D
pop ebp
:00405CDF C3
ret
總比較call
:004055D0 55
push ebp
:004055D1 8BEC
mov ebp, esp
:004055D3 53
push ebx
:004055D4 56
push esi
:004055D5 57
push edi
:004055D6 8B5D08
mov ebx, dword ptr [ebp+08]
:004055D9 8D4304
lea eax, dword ptr [ebx+04]
:004055DC 50
push eax
:004055DD 53
push ebx
:004055DE E8E5000000 call
004056C8
:004055E3 83C408
add esp, 00000008
:004055E6 8D7324
lea esi, dword ptr [ebx+24]
:004055E9 83C606
add esi, 00000006
:004055EC 56
push esi
:004055ED E8DA340300 call
00438ACC――――――――――――此call將使用者輸入的Register進行演算
:004055F2 59
pop ecx
由於程式此後還將多次呼叫此call對使用者輸入的Register進行計算並比較
:004055F3 8BF8
mov edi, eax
所以改下面的那個jne是沒有用的,最好的方法是改這個call
:004055F5 897B44
mov dword ptr [ebx+44], edi
:004055F8 8D4304
lea eax, dword ptr [ebx+04]
:004055FB 50
push eax
:004055FC 53
push ebx
:004055FD E89A000000 call
0040569C――――――――――――此call將程式的Serial進行演算,我的Serial是:OH100B4003312064,經此call演算後為45303DA5
:00405602 83C408
add esp, 00000008
:00405605 3BF8
cmp edi, eax
:00405607 751A
jne 00405623
:00405609 8D5324
lea edx, dword ptr [ebx+24]
:0040560C 52
push edx
:0040560D 53
push ebx
:0040560E E82D040000 call
00405A40
:00405613 83C408
add esp, 00000008
:00405616 C70301000000 mov dword
ptr [ebx], 00000001
:0040561C B801000000 mov eax,
00000001
:00405621 EB06
jmp 00405629
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405607(C)
|
:00405623 33D2
xor edx, edx
:00405625 33C0
xor eax, eax
:00405627 8913
mov dword ptr [ebx], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405621(U)
|
:00405629 5F
pop edi
:0040562A 5E
pop esi
:0040562B 5B
pop ebx
:0040562C 5D
pop ebp
:0040562D C3
ret
此call將使用者輸入的Register進行演算(有N多個地方將呼叫它,也就可知演算不只一次)
* Referenced by a CALL at Addresses:
|:004016B8 , :004017E3 , :00401F0F , :00401F19 , :004023A5
|:004023AF , :004023D1 , :004037E2 , :004037F3 , :0040389E
|:004038AA , :00403BC4 , :00403C51 , :0040439E , :004043A7
|:004047EC , :00404815 , :0040483E , :00404977 , :00404986
|:004049C5 , :004049D1 , :00405560 , :004055ED , :00438B3B
|
:00438ACC 55
push ebp
:00438ACD 8BEC
mov ebp, esp
:00438ACF 53
push ebx
:00438AD0 56
push esi
:00438AD1 57
push edi
:00438AD2 33FF
xor edi, edi
:00438AD4 8B7508
mov esi, dword ptr [ebp+08]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438AE6(C)
|
:00438AD7 8A1E
mov bl, byte ptr [esi]
:00438AD9 46
inc esi
:00438ADA 0FBEC3
movsx eax, bl
:00438ADD 50
push eax
:00438ADE E8DD1B0000 call
0043A6C0
:00438AE3 59
pop ecx
:00438AE4 85C0
test eax, eax
:00438AE6 75EF
jne 00438AD7
:00438AE8 80FB2B
cmp bl, 2B
:00438AEB 7405
je 00438AF2
:00438AED 80FB2D
cmp bl, 2D
:00438AF0 750E
jne 00438B00
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438AEB(C)
|
:00438AF2 80FB2D
cmp bl, 2D
:00438AF5 0F94C0
sete al
:00438AF8 83E001
and eax, 00000001
:00438AFB 8A1E
mov bl, byte ptr [esi]
:00438AFD 46
inc esi
:00438AFE EB18
jmp 00438B18
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438AF0(C)
|
:00438B00 33C0
xor eax, eax
:00438B02 EB14
jmp 00438B18
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438B20(C)
|
:00438B04 0FBECB
movsx ecx, bl
:00438B07 8BD7
mov edx, edi
:00438B09 8A1E
mov bl, byte ptr [esi]
:00438B0B 03D2
add edx, edx
:00438B0D 8D1492
lea edx, dword ptr [edx+4*edx]
:00438B10 03D1
add edx, ecx
:00438B12 83C2D0
add edx, FFFFFFD0
:00438B15 46
inc esi
:00438B16 8BFA
mov edi, edx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00438AFE(U), :00438B02(U)
|
:00438B18 80FB30
cmp bl, 30
:00438B1B 7C05
jl 00438B22
:00438B1D 80FB39
cmp bl, 39
:00438B20 7EE2
jle 00438B04
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438B1B(C)
|
:00438B22 85C0
test eax, eax―――――――不管別的,將這一鍋改為:mov eax,45303DA5
:00438B24 7406
je 00438B2C――――――――――――
nop
:00438B26 8BC7
mov eax, edi――――――――――――
nop
:00438B28 F7D8
neg eax――――――――――――――
nop
:00438B2A EB02
jmp 00438B2E――――――――――――
nop
nop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
nop
|:00438B24(C)
nop
|
:00438B2C 8BC7
mov eax, edi―――――――一共7個nop,這樣位元組數剛好。這樣退出此call後eax就是45303DA5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00438B2A(U)
|
:00438B2E 5F
pop edi
:00438B2F 5E
pop esi
:00438B30 5B
pop ebx
:00438B31 5D
pop ebp
:00438B32 C3
ret
最後整理:
用UltraEdit載入OicqHack.exe
查詢:7c 05 80 fb 39 7e e2 85 c0 74 06 8b c7 f7 d8 eb 02 8b c7
5f 5e 5b 5d
改為:― ― ― ― ― ― ― b8 a5 3d 30 45 90 90 90 90 90 90 90 ― ― ― ―
注:( ― 為不改變)
改完收工!!!
經過以上其實還有問題,你們自己看看動動手吧。