Montai (蒙泰) 5.0 dongle crack walkthrough (6k characters)
Dongle-killing time again, heh. Which mad dog is it this time? I work in the advertising business, so naturally the first thing to go under the knife is large-format inkjet printing software. Montai 5.0 is probably the most widely used inkjet printing package in China, so this time it is the test subject.
Tools: trw2000
w32dasm 8.93 gold edition
hview
When Montai starts without the dongle it pops up a dialog box, so that dialog is our way in. Run trw2000, then run Montai; when the dialog appears, break into trw2000 (Ctrl+N), set the breakpoint bpx enddialog, return to the program and click "OK". Boom, it is caught. Disable the breakpoint (BD *), then keep pressing F12 and F10 until you return to the following code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00490D53(C)
|
:00490D5D 8B1B                    mov ebx, dword ptr [ebx]
:00490D5F 85DB                    test ebx, ebx
:00490D61 75EC                    jne 00490D4F

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00490D47(C), :00490D4D(C)
|
:00490D63 833D80AC630007          cmp dword ptr [0063AC80], 00000007   <===== we need to find a way to make [0063AC80] not equal to 7
:00490D6A 750E                    jne 00490D7A
:00490D6C 833D20C6650000          cmp dword ptr [0065C620], 00000000
:00490D73 7505                    jne 00490D7A
:00490D75 E836FFFFFF              call 00490CB0                        <===== the error dialog

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00490D6A(C), :00490D73(C)
|
:00490D7A B801000000              mov eax, 00000001                    <===== we return here
Looking up, there are two conditional jumps: the program decides whether to show the error dialog from the contents of addresses 63AC80 and 65C620. OK, exit Montai, and this time set the breakpoint bpm 63ac80 to see where it breaks:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B67AC(C)
|
:004B67CD C743109A010000          mov [ebx+10], 0000019A
:004B67D4 C743145C000000          mov [ebx+14], 0000005C
:004B67DB 33D2                    xor edx, edx
:004B67DD 895318                  mov dword ptr [ebx+18], edx
:004B67E0 C7431C07000000          mov [ebx+1C], 00000007               <===== this is where 63ac80 gets its value; once execution reaches here it is GAME OVER, so we look upward for a place that can skip it
:004B67E7 68606D0000              push 00006D60                        <====== breakpoint hit here
:004B67EC E85EF10E00              call 005A594F
Looking up, this block is reached from address 4B67AC:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6792(C)
|
:004B67A4 83BC240402000004        cmp dword ptr [esp+00000204], 00000004   <===== when [esp+00000204] is less than 4 it jumps to 4B67CD; without a dongle this location holds 0. This is also where the version number is decided: 4 or above means the Universal edition
:004B67AC 7C1F                    jl 004B67CD
:004B67AE C705D443630001000000    mov dword ptr [006343D4], 00000001
:004B67B8 33C0                    xor eax, eax
:004B67BA C743148C000000          mov [ebx+14], 0000008C
:004B67C1 894318                  mov dword ptr [ebx+18], eax
:004B67C4 C7431C05000000          mov [ebx+1C], 00000005               <===== [63AC80]=5
:004B67CB EB55                    jmp 004B6822
Further up, at address 4B6792:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B66EB(U)
|
:004B6757 83BC24040200000C        cmp dword ptr [esp+00000204], 0000000C   <===== 0C or above is the Professional edition
:004B675F 7C0C                    jl 004B676D
:004B6761 C7431C01000000          mov [ebx+1C], 00000001
:004B6768 E9B5000000              jmp 004B6822

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B675F(C)
|
:004B676D 83BC24040200000A        cmp dword ptr [esp+00000204], 0000000A   <===== 0A or above is the Professional S edition (does anyone know the difference between Professional S and Professional?)
:004B6775 7C13                    jl 004B678A
:004B6777 C74314C2010000          mov [ebx+14], 000001C2
:004B677E C7431C02000000          mov [ebx+1C], 00000002
:004B6785 E998000000              jmp 004B6822

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6775(C)
|
:004B678A 83BC240402000006        cmp dword ptr [esp+00000204], 00000006   <===== 6 or above is the Standard edition
:004B6792 7C10                    jl 004B67A4
:004B6794 C743142C010000          mov [ebx+14], 0000012C
:004B679B C7431C04000000          mov [ebx+1C], 00000004
:004B67A2 EB7E                    jmp 004B6822
OK, we are getting close to the target. Looking further up:
:004B6722 51                      push ecx
:004B6723 E8EAE11000              call 005C4912
:004B6728 85C0                    test eax, eax                        <===== pay attention, this is the key spot: with no dongle, EAX=0
:004B672A 740E                    je 004B673A
:004B672C 8B842408020000          mov eax, dword ptr [esp+00000208]
:004B6733 A320C66500              mov dword ptr [0065C620], eax
:004B6738 EB09                    jmp 004B6743

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B6702(C), :004B672A(C)
|
:004B673A 33D2                    xor edx, edx                         <===== EDX=0
:004B673C 89942404020000          mov dword ptr [esp+00000204], edx    <===== the flag is stored here: [ESP+00000204]=0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6738(U)
|
:004B6743 6800010000              push 00000100
:004B6748 6A00                    push 00000000
:004B674A 8D4C240C                lea ecx, dword ptr [esp+0C]
:004B674E 51                      push ecx
:004B674F E8A8EF1000              call 005C56FC
:004B6754 83C40C                  add esp, 0000000C
OK, we have found the critical spot. We need [ESP+00000204] to be nonzero. My change is:
:004B6722 51                      push ecx
:004B6723 E8EAE11000              call 005C4912
:004B6728 85C0                    test eax, eax                        <===== change to push 0C (I want the Professional edition; if you want the Universal edition use 04 instead, I'm sure you're not that dumb, heh)
:004B672A 740E                    je 004B673A                          <===== change to JMPS 004B673A
:004B672C 8B842408020000          mov eax, dword ptr [esp+00000208]
:004B6733 A320C66500              mov dword ptr [0065C620], eax
:004B6738 EB09                    jmp 004B6743

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B6702(C), :004B672A(C)
|
:004B673A 33D2                    xor edx, edx                         <===== change to POP EDX; NOP (POP is only one byte, so a NOP is added to pad it out)
:004B673C 89942404020000          mov dword ptr [esp+00000204], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6738(U)
|
:004B6743 6800010000              push 00000100
:004B6748 6A00                    push 00000000
:004B674A 8D4C240C                lea ecx, dword ptr [esp+0C]
:004B674E 51                      push ecx
:004B674F E8A8EF1000              call 005C56FC
:004B6754 83C40C                  add esp, 0000000C
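Every jump and call target the listings above annotate can be checked mechanically from the opcode bytes: the displacement is signed and relative to the end of the branch instruction. The following Python is an added example, not code from the original post; the sample rows are copied from the w32dasm lines quoted above, and the decoder covers only the rel8 (Jcc, short jmp) and rel32 (call, near jmp) forms that appear there.

```python
# Constructed sample: (address, opcode bytes, target shown by w32dasm),
# each row copied from a listing line quoted earlier in this post.
LISTING = [
    ("00490D61", "75EC", "00490D4F"),
    ("00490D75", "E836FFFFFF", "00490CB0"),
    ("004B67AC", "7C1F", "004B67CD"),
    ("004B67CB", "EB55", "004B6822"),
    ("004B6768", "E9B5000000", "004B6822"),
    ("004B6723", "E8EAE11000", "005C4912"),
    ("004B672A", "740E", "004B673A"),
]

# Opcodes of the relative branches seen in the listings (x86, 32-bit).
REL8 = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0xEB: "jmp"}
REL32 = {0xE8: "call", 0xE9: "jmp"}


def branch_target(addr, opcode_hex):
    """Decode one rel8 or rel32 relative branch.

    Returns (mnemonic, target). The displacement is a signed little-endian
    integer taken relative to the address of the *next* instruction, so it
    is added to addr + instruction length, then wrapped to 32 bits."""
    code = bytes.fromhex(opcode_hex)
    op = code[0]
    if op in REL8 and len(code) == 2:
        disp = int.from_bytes(code[1:2], "little", signed=True)
        return REL8[op], (addr + 2 + disp) & 0xFFFFFFFF
    if op in REL32 and len(code) == 5:
        disp = int.from_bytes(code[1:5], "little", signed=True)
        return REL32[op], (addr + 5 + disp) & 0xFFFFFFFF
    raise ValueError(f"not a relative branch: {opcode_hex}")


def check_listing(rows):
    """Return (address, mnemonic, decoded target, listed target, ok) per row."""
    out = []
    for addr_hex, opcode_hex, listed in rows:
        mnem, target = branch_target(int(addr_hex, 16), opcode_hex)
        decoded = f"{target:08X}"
        out.append((addr_hex, mnem, decoded, listed, decoded == listed))
    return out


if __name__ == "__main__":
    for row in check_listing(LISTING):
        print(*row)
```

Any row where the decoded target disagrees with the listed one would mean either a mis-copied byte or a mis-annotated jump, which is worth catching before reasoning about the control flow.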
That was long, but it is finally written up. Does anyone have experience cracking HASP envelope dongles? Could you send me a walkthrough? I really need knowledge in that area. Thanks.
This article may be freely reposted, but please keep it intact. Thank you.