班門弄斧之暴破檔案整容專家 3.0 (6千字)
檔案整容專家 3.0 暴破過程(轉載請儲存原文完整)
初次寫破解文章,難免有不足之處,望多多包涵。
軟體功能: *改變資料夾的圖示
*加上懸掛式說明文字
*在開啟資料夾時顯示訊息,或要求輸入密碼
*一進入資料夾直接跳轉到某個網址
*新增資料夾視窗的背景音樂、背景圖片
*在資料夾視窗裡加入文字、字屏、超級連結、水平線、圖片、動畫等
*改掉關於檔案屬性說明的文字
*設定檔案列表的前景色、背景色、背景圖片
*在桌面、“傳送到”選單等處自動生成該資料夾的快捷方式
功能限制:說是30天試用,好像沒有時間限制。
文章作者:eCool
破解時間:2001/10/10
暴破過程:
本來用SmartCheck破解,已經找出註冊碼,下面用十六進位制表示:
32 E4 02 00 37 E4 02 00 39 E4 02 00 35 E4 02 00 3D E4 00
可惜我不知道為什麼怎麼輸入ASCII碼為02的字元,所以無法註冊,沒有辦法,只好暴破了。
(註冊碼找錯否?望高手指點)
執行軟體,輸入假註冊碼123456,用bpx msvbvm50!__vbastrcmp 設斷,結果攔下:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004328C3(C)
|
:004328D6 8D45B0
lea eax, dword ptr [ebp-50]
:004328D9 50
push eax
:004328DA 8D45C0
lea eax, dword ptr [ebp-40]
:004328DD 50
push eax
:004328DE E88E4DFFFF call 00427671
:004328E3 8BD0
mov edx, eax
:004328E5 8D4DDC
lea ecx, dword ptr [ebp-24]
* Reference To: MSVBVM50.__vbaStrMove, Ord:0000h
|
:004328E8 E897F2FCFF Call 00401B84
:004328ED 50
push eax <--這裡是真註冊碼
:004328EE FF75E0
push [ebp-20] <--輸入的假註冊碼
* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
|
:004328F1 E80AF2FCFF Call 00401B00
:004328F6 8BF0
mov esi, eax
:004328F8 8D45E0
lea eax, dword ptr [ebp-20]
:004328FB F7DE
neg esi
:004328FD 50
push eax
:004328FE 8D45DC
lea eax, dword ptr [ebp-24]
:00432901 1BF6
sbb esi, esi
:00432903 50
push eax
:00432904 46
inc esi
:00432905 6A02
push 00000002
:00432907 F7DE
neg esi
* Reference To: MSVBVM50.__vbaFreeStrList, Ord:0000h
|
:00432909 E816F2FCFF Call 00401B24
:0043290E 83C40C
add esp, 0000000C
:00432911 8D45D0
lea eax, dword ptr [ebp-30]
:00432914 50
push eax
:00432915 8D45D4
lea eax, dword ptr [ebp-2C]
:00432918 50
push eax
:00432919 8D45D8
lea eax, dword ptr [ebp-28]
:0043291C 50
push eax
:0043291D 6A03
push 00000003
* Reference To: MSVBVM50.__vbaFreeObjList, Ord:0000h
|
:0043291F E83CF2FCFF Call 00401B60
:00432924 83C410
add esp, 00000010
:00432927 8D45B0
lea eax, dword ptr [ebp-50]
:0043292A 50
push eax
:0043292B 8D45C0
lea eax, dword ptr [ebp-40]
:0043292E 50
push eax
:0043292F 6A02
push 00000002
* Reference To: MSVBVM50.__vbaFreeVarList, Ord:0000h
|
:00432931 E85AF2FCFF Call 00401B90
:00432936 83C40C
add esp, 0000000C
:00432939 B904000280 mov ecx,
80020004
:0043293E 663BF3
cmp si, bx
:00432941 894D98
mov dword ptr [ebp-68], ecx
:00432944 6A0A
push 0000000A
:00432946 894DA8
mov dword ptr [ebp-58], ecx
:00432949 58
pop eax
:0043294A 894DB8
mov dword ptr [ebp-48], ecx
:0043294D 894590
mov dword ptr [ebp-70], eax
:00432950 8945A0
mov dword ptr [ebp-60], eax
:00432953 8945B0
mov dword ptr [ebp-50], eax
:00432956 0F8475010000 je 00432AD1
<-----關鍵跳躍,要跳。改為jmp 00432AD1
:0043295C 8D5580
lea edx, dword ptr [ebp-80]
:0043295F 8D4DC0
lea ecx, dword ptr [ebp-40]
* Possible StringData Ref from Code Obj ->"lQbRa"`vlQ0"
|
:00432962 C745882C034100 mov [ebp-78], 0041032C
:00432969 897D80
mov dword ptr [ebp-80], edi
* Reference To: MSVBVM50.__vbaVarDup, Ord:0000h
|
:0043296C E825F2FCFF Call 00401B96
:00432971 8D4590
lea eax, dword ptr [ebp-70]
:00432974 50
push eax
:00432975 8D45A0
lea eax, dword ptr [ebp-60]
:00432978 50
push eax
:00432979 8D45B0
lea eax, dword ptr [ebp-50]
:0043297C 50
push eax
:0043297D 8D45C0
lea eax, dword ptr [ebp-40]
:00432980 53
push ebx
:00432981 50
push eax
* Reference To: MSVBVM50.rtcMsgBox, Ord:0253h
|
:00432982 E815F2FCFF Call 00401B9C
:00432987 8D4590
lea eax, dword ptr [ebp-70]
:0043298A 50
push eax
:0043298B 8D45A0
lea eax, dword ptr [ebp-60]
:0043298E 50
push eax
:0043298F 8D45B0
lea eax, dword ptr [ebp-50]
:00432992 50
push eax
:00432993 8D45C0
lea eax, dword ptr [ebp-40]
:00432996 50
push eax
:00432997 6A04
push 00000004
可惜用Hiew修改後依然提示沒有註冊,所以程式執行有判斷是否註冊的程式碼,好
先用bpx msvbvm50!__vbastrcmp,執行程式,被攔下,按F5,再次被攔下:
* Reference To: MSVBVM50.__vbaStrMove, Ord:0000h
|
:00418CD8 E8A78EFEFF Call 00401B84
:00418CDD FF75E0
push [ebp-20] <----真註冊碼
:00418CE0 FF75D8
push [ebp-28] <----假的,不過是1111
* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
|
:00418CE3 E8188EFEFF Call 00401B00
:00418CE8 85C0
test eax, eax
:00418CEA 0F85A1020000 jne 00418F91
<----關鍵跳躍,不跳,否則Over。把它Nop掉
:00418CF0 FF7508
push [ebp+08]
:00418CF3 8BB5BCFEFFFF mov esi, dword
ptr [ebp+FFFFFEBC]
:00418CF9 66830D38304300FF or word ptr [00433038],
FFFF
:00418D01 FF96FC020000 call dword ptr
[esi+000002FC]
:00418D07 50
push eax
:00418D08 8D45B8
lea eax, dword ptr [ebp-48]
:00418D0B 50
push eax
用Hiew修改,重新執行,提示已經註冊,而且沒有註冊按鈕了。
總結:只要改00418CF0處的FF7508改為909090就可以了,好睏啊,睡覺去嘍。
相關文章
- 班門弄斧之暴破網頁特效小精靈 (6千字)2001-10-10網頁特效
- 班門弄斧之GoldView32 2.0 Build168演算法分析 (8千字)2002-01-24GoViewUI演算法
- 一個Node.js初學者的“班門弄斧2015-12-25Node.js
- 自己寫的第一本Linux教程,也小小的班門弄斧一下2015-10-21Linux
- 用NuMega SmartCheck 破解WINDOWS整容專家V1.00 (1千字)2001-09-16Windows
- anti-homeMade(1): 檔案斧頭 fileaxe v1.00 (1千字)2015-11-15
- image optimizer v3.0之暴力破解 (6千字)2000-10-12
- VB黑客程式的暴破(修改)一例 (9千字)2003-02-06黑客
- Guitar Pro v3.0 的破文 (11千字)2001-09-08GUI
- 網咖管理專家9.5破解手記 (6千字)2001-01-26
- 螢幕錄影專家 V3.0 演算法分析
(13千字)2003-04-08演算法
- 美萍反黃專家 版本3.2破解實錄 (6千字)2001-12-08
- winrar2.71的破解和對暴破的一點想法 (4千字)2001-04-16
- Golang 專案之配置檔案2018-12-02Golang
- EasyBoot5.03脫殼+暴破2004-11-17boot
- 爆笑破解之-----ACDSEE 3.0 (4千字)2001-03-18
- *輔助工具 1.0 Encrypt by Stkman
完美暴破(應該只能用暴力了) (11千字)2002-04-03
- 暴破-AQUA 3D Screen Saver v1.5-水族館屏保程式
(15千字)2002-05-053D
- tempdb資料檔案暴增分析2023-02-27
- tempdb日誌檔案暴增分析2023-02-28
- django入門-靜態檔案-part62017-03-08Django
- 用ISDCC2破KPT 6的安裝 (8千字)2001-04-17
- Guitar Pro v3.0 的破文-----這一回真的破了 (12千字)2001-09-14GUI
- 成為資料科學家的入門專案2017-12-29資料科學
- 自動聊天機器人專案班 [一門課搞定聊天機器人]2018-07-05機器人
- 專家審讀第6期——《明解C語言:入門篇》2012-09-19C語言
- Gradle入門(6):建立Web應用專案2015-11-19GradleWeb
- 3.0的是缺少檔案吧?2006-09-18
- 【CuteJavaScript】Angular6入門專案(1.構建專案和建立路由)2019-02-23JavaScriptAngular路由
- vue cli 3.0快速建立專案2019-03-19Vue
- Vue Cli 3.0 建立TypeScript專案2019-07-08VueTypeScript
- Web專案經理手冊之跨部門合作專案2008-07-04Web
- 修復檔案終結者病毒破壞的檔案2016-08-31
- 【CuteJavaScript】Angular6入門專案(2.構建專案頁面和元件)2019-02-23JavaScriptAngular元件
- 專案經理之專案經理開門七件事2016-03-02
- MIDI軟體COMPOSER2.0暴破2002-01-14
- JiveJdon3.0 配置檔案問題2005-02-15
- STEP7KNOW_HOW_PROTECT
version1.0 (Borland C++編寫) 暴破手記 (14千字)2002-10-26C++