Meiping Anti-Porn Expert (美萍反黃專家) version 2.41: cracking walkthrough
================
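Crack date: 2001-10-2
Software description: this program defends against cracking tools such as TRW, SOFTICE, WD32SM and CRACKCODE!
Crack type: registration code
Tools used: trw (debugger), pw32dasm (disassembler), hivew (resource editing tool)
Author: 絕密檔案
Author's homepage: http://hongjian.126.com
Detailed procedure:
Part 1: Defeating the anti-cracking protection
==============
I. Detection with FI shows that the program is packed with ASPACK V2.1, so unpack it with UNASPACK!
II. Removing the "shut down immediately when a cracking tool is found" behaviour!
When shield.exe runs, it automatically checks whether the following files are present on your hard disk,
and if any of them is found it restarts the computer immediately! The blacklist is:
In memory:
1. softice
2. trw
In the current directory:
1. CRACKCODE
2. WDAS
Solution:
1. Rename the names on the blacklist!
Open shield.exe in an EXE resource editing tool such as Ultraedit-32 and use the Search -> Replace
function to replace the names of the tools listed above, e.g. TRW -> QHJ; SOFTICE -> QHJTICEt!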
...........}......E.^[..
]...........c:\autoexec.
bat.........WINICE...... /// Do you see the tools on the left?
....REM.........User32..
........TRW.........UR
Soft..U..j.S3.Uh.%G.d.0d
. 3..
................ ///// Do you see the tools on the left?
...192.168.0.255........
...crackcode...........
wdasm...........softice...
============================
2. Locate the addresses of the shutdown or crash code: there are six sites in total, calling two CALLs!
Site 1:
|:00473E99(C)
|
:00473EA4 8D45F0                  lea eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"TRW"
|
:00473EA7 BA04404700              mov edx, 00474004
:00473EAC E8EFFDF8FF              call 00403CA0
// This is the shutdown CALL
// Change E8EFFDF8FF to 9090909090
:00473EB1 8B45F8                  mov eax, dword ptr [ebp-08]
:00473EB4 8B10                    mov edx, dword ptr [eax]
:00473EB6 FF5214                  call [edx+14]
:00473EB9 8BD8                    mov ebx, eax
:00473EBB 4B                      dec ebx
:00473EBC 85DB                    test ebx, ebx
:00473EBE 7C50                    jl 00473F10
:00473EC0 43                      inc ebx
:00473EC1 C745F400000000          mov [ebp-0C], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
Site 2:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047405E(C)
:00474073 84DB                    test bl, bl
:00474075 7537                    jne 004740AE    // change to EB37 to jump over the shutdown CALLs
// or change each CALL 00403C5C below to 9090909090
:00474077 A1F8E44700              mov eax, dword ptr [0047E4F8]
:0047407C 833800                  cmp dword ptr [eax], 00000000
:0047407F 752D                    jne 004740AE
* Possible StringData Ref from Data Obj ->"]G"
:00474081 A1ECE44700              mov eax, dword ptr [0047E4EC]
* Possible StringData Ref from Code Obj ->"softice"
:00474086 BAF0404700              mov edx, 004740F0
:0047408B E8CCFBF8FF              call 00403C5C
// the shutdown CALL
* Possible StringData Ref from Data Obj ->"(]G"
:00474090 A124E54700              mov eax, dword ptr [0047E524]
* Possible StringData Ref from Code Obj ->"trw"
:00474095 BA00414700              mov edx, 00474100
:0047409A E8BDFBF8FF              call 00403C5C
// the shutdown CALL
* Possible StringData Ref from Data Obj ->"8]G"
:0047409F A18CE34700              mov eax, dword ptr [0047E38C]
* Possible StringData Ref from Code Obj ->"winice"
:004740A4 BA0C414700              mov edx, 0047410C
:004740A9 E8AEFBF8FF              call 00403C5C
// the shutdown CALL
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00474075(C), :0047407F(C)
:004740AE 33C0                    xor eax, eax    // jumping here avoids the shutdown!
Site 3:
* Possible StringData Ref from Code Obj ->"c:\autoexec.bat"
|
:00473DC7 BAC03F4700              mov edx, 00473FC0
:00473DCC E8CFFEF8FF              call 00403CA0
// otherwise it shuts down, no questions asked!
// Change E8ABFEF8FF to 9090909090
:00473DD1 8B45F0                  mov eax, dword ptr [ebp-10]
:00473DD4 E85F4DF9FF              call 00408B38
:00473DD9 84C0                    test al, al
:00473DDB 740B                    je 00473DE8
:00473DDD 8B55F0                  mov edx, dword ptr [ebp-10]
:00473DE0 8B45F8                  mov eax, dword ptr [ebp-08]
:00473DE3 8B08                    mov ecx, dword ptr [eax]
:00473DE5 FF5158                  call [ecx+58]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00473DDB(C)
|
:00473DE8 8D45F0                  lea eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"WINICE"    // the batch file must not contain the string WINICE either!
|
:00473DEB BAD83F4700              mov edx, 00473FD8
:00473DF0 E8ABFEF8FF              call 00403CA0    // otherwise it shuts down, no questions asked!
// Change E8EFFDF8FF to 9090909090
:00473DF5 8B45F8                  mov eax, dword ptr [ebp-08]
:00473DF8 8B10                    mov edx, dword ptr [eax]
:00473DFA FF5214                  call [edx+14]
:00473DFD 8BD8                    mov ebx, eax
:00473DFF 4B                      dec ebx
:00473E00 85DB                    test ebx, ebx
:00473E02 7C38                    jl 00473E3C
:00473E04 43                      inc ebx
:00473E05 C745F400000000          mov [ebp-0C], 00000000
Site 4:
* Possible StringData Ref from Code Obj ->"WINICE"    // this must not be present in memory, otherwise it crashes even though it does not shut down!
|
:00473DEB BAD83F4700              mov edx, 00473FD8
:00473DF0 E8ABFEF8FF              call 00403CA0
// Change E8ABFEF8FF to 9090909090
:00473DF5 8B45F8                  mov eax, dword ptr [ebp-08]
:00473DF8 8B10                    mov edx, dword ptr [eax]
:00473DFA FF5214                  call [edx+14]
:00473DFD 8BD8                    mov ebx, eax
:00473DFF 4B                      dec ebx
:00473E00 85DB                    test ebx, ebx
:00473E02 7C38                    jl 00473E3C
:00473E04 43                      inc ebx
:00473E05 C745F400000000          mov [ebp-0C], 00000000
Site 5:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00473FF7(C)
|
:0047402C 33DB                    xor ebx, ebx
:0047402E 8D45FC                  lea eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"\\.\SICE"    // otherwise it shuts down, no questions asked!
:00474031 BADC404700              mov edx, 004740DC
:00474036 E865FCF8FF              call 00403CA0
// Change E8EFFDF8FF to 9090909090
:0047403B 6A00                    push 00000000
:0047403D 6880000000              push 00000080
:00474042 6A03                    push 00000003
:00474044 6A00                    push 00000000
:00474046 6A03                    push 00000003
:00474048 68000000C0              push C0000000
:0047404D 8B45FC                  mov eax, dword ptr [ebp-04]
:00474050 E8F7FFF8FF              call 0040404C
:00474055 50                      push eax
Site 6:
* Possible StringData Ref from Code Obj ->"\\.\NTICE"    // otherwise it shuts down, no questions asked!
|
:0047412D BA90414700              mov edx, 00474190
:00474132 E869FBF8FF              call 00403CA0
// Change E8EFFDF8FF to 9090909090
:00474137 6A00                    push 00000000
:00474139 6880000000              push 00000080
:0047413E 6A03                    push 00000003
:00474140 6A00                    push 00000000
:00474142 6A03                    push 00000003
:00474144 68000000C0              push C0000000
:00474149 8B45FC                  mov eax, dword ptr [ebp-04]
:0047414C E8FBFEF8FF              call 0040404C
:00474151 50                      push eax
Summary: the shutdown code is reached from six sites, which call two CALLs!
1. call 00403CA0
2. call 00403C5C
We can also modify these two CALLs themselves to get the job done!
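The strings found in shield.exe in Part 1 (the \\.\SICE and \\.\NTICE device names, the tool names, and c:\autoexec.bat) are the kind of debugger-detection indicators an analyst looks for when triaging an unpacked sample for anti-analysis behaviour. The script below is an added example, not part of the original write-up; the function names and the SAMPLE buffer are constructed for illustration.

```python
"""Triage scan for the debugger-detection strings listed in Part 1."""
import re

# Indicator strings named in the write-up: device names, tool names, config file.
# Short names such as "trw" will produce false positives on large real binaries.
INDICATORS = [
    rb"\\.\SICE", rb"\\.\NTICE", b"softice", b"winice", b"trw",
    b"crackcode", b"wdasm", rb"c:\autoexec.bat",
]

def _patterns(needle):
    """Yield (encoding, regex) pairs: case-insensitive ASCII and UTF-16LE forms."""
    yield "ascii", re.compile(re.escape(needle), re.IGNORECASE)
    wide = b"".join(bytes([c]) + b"\x00" for c in needle)
    yield "utf-16le", re.compile(re.escape(wide), re.IGNORECASE)

def scan(data):
    """Return sorted (offset, encoding, indicator) hits found in a byte buffer."""
    hits = []
    for needle in INDICATORS:
        for enc, rx in _patterns(needle):
            for m in rx.finditer(data):
                hits.append((m.start(), enc, needle.decode("ascii")))
    return sorted(hits)

def verdict(hits):
    """Device-name probes are stronger evidence than bare tool names."""
    names = {h[2].lower() for h in hits}
    if names & {r"\\.\sice", r"\\.\ntice"}:
        return "debugger-device-probe"
    return "tool-name-blacklist" if names else "clean"

# Constructed sample buffer (not bytes taken from shield.exe).
SAMPLE = (b"\x00" * 16 + b"WINICE\x00" + b"\x90" * 8
          + b"\\\\.\\SICE\x00" + "trw".encode("utf-16le") + b"\x00\x00")

if __name__ == "__main__":
    for offset, enc, name in scan(SAMPLE):
        print(f"0x{offset:04x}  {enc:<8}  {name}")
    print("verdict:", verdict(scan(SAMPLE)))
```
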
=============================================================
Part 2: Finding the registration code
Because the program restarts to verify the registration after it is entered, start from the "unregistered" (未註冊) string in the disassembly and search upward; the breakpoint goes before the point where it reads the registry data.
Specifically:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00476D77(C)
|
:00476D86 8B153CFA4700            mov edx, dword ptr [0047FA3C]
:00476D8C A14CFA4700              mov eax, dword ptr [0047FA4C]
:00476D91 E8DED3F8FF              call 00404174    // D EDX shows that the real registration code has many characters!!
:00476D96 85C0                    test eax, eax
:00476D98 7E24                    jle 00476DBE
:00476D9A A14CFA4700              mov eax, dword ptr [0047FA4C]
:00476D9F E8E4D0F8FF              call 00403E88
:00476DA4 83F805                  cmp eax, 00000005    // only the first 5 characters are compared!
:00476DA7 7515                    jne 00476DBE
:00476DA9 8B153CFA4700            mov edx, dword ptr [0047FA3C]
:00476DAF A14CFA4700              mov eax, dword ptr [0047FA4C]
:00476DB4 E8BBD3F8FF              call 00404174
:00476DB9 A398E24700              mov dword ptr [0047E298], eax
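Use Keymake version 1.2 to make freeRes its serial number generator:
I) Select F8 - alternative serial number generator!
1. Program name: shield.exe
2. Add data:
Break address: 476d91
Break count: 1
First byte: E8
Instruction length: 5
=========
Add data again:
Break address: 404174
Break count: 1
First byte: 85
Instruction length: 2
===========
II. Select memory mode EDX
Run this serial number generator and everything is OK! It displays a 40-character registration code, but only its first 5 characters are needed!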
絕密檔案
http://hongjian.126.com