蒙泰5.0加密狗破解過程 (6千字)

看雪資料發表於2001-10-11

又到殺狗的時間了,呵呵,這次的瘋狗的是什麼呢?小弟是廣告界的,當然先拿噴繪軟體來開刀了,蒙泰5.0應該是國內用得最多的一個噴繪軟體吧,好,這次就拿它來試刀了。

工具:trw2000
      w32dasm8.93黃金版
      hview

蒙泰在執行時如果沒有加密狗,就會彈出一個對話方塊,好,我們就從這個對話方塊入手。執行trw2000,然後執行蒙泰,會

出現對話方塊,切入trw2000(ctrl+N),下斷點bpx enddialog,返回主程式,按下“確定”按鈕,Boom,被攔下來的,暫停

斷點(BD *),接著就一直按F12和F10,直到返回到下面的程式碼處:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00490D53(C)
|
:00490D5D 8B1B                    mov ebx, dword ptr [ebx]
:00490D5F 85DB                    test ebx, ebx
:00490D61 75EC                    jne 00490D4F

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00490D47(C), :00490D4D(C)
|
:00490D63 833D80AC630007          cmp dword ptr [0063AC80], 00000007  <=====我們想辦法讓[0063AC80]不等於7
:00490D6A 750E                    jne 00490D7A
:00490D6C 833D20C6650000          cmp dword ptr [0065C620], 00000000
:00490D73 7505                    jne 00490D7A
:00490D75 E836FFFFFF              call 00490CB0  <=====出錯對話方塊

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00490D6A(C), :00490D73(C)
|
:00490D7A B801000000              mov eax, 00000001  <=====返回到這裡

我們往上看,有兩條跳轉指令,程式是透過地址63ac80和65c620的內容來決定是否顯示出錯對話方塊的,好,退出蒙泰,我們再

下斷點bpm 63ac80,看會斷在什麼地方:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B67AC(C)
|
:004B67CD C743109A010000          mov [ebx+10], 0000019A
:004B67D4 C743145C000000          mov [ebx+14], 0000005C
:004B67DB 33D2                    xor edx, edx
:004B67DD 895318                  mov dword ptr [ebx+18], edx
:004B67E0 C7431C07000000          mov [ebx+1C], 00000007    <=====這裡就是給63ac80賦值的地方,當走到這裡的

時候就GAME OVER了,所以我們往上看什麼地方可以跳過這裡
:004B67E7 68606D0000              push 00006D60  <======中斷在此
:004B67EC E85EF10E00              call 005A594F

我們往上看,是4B67AC這個地址呼叫的:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6792(C)
|
:004B67A4 83BC240402000004        cmp dword ptr [esp+00000204], 00000004  <=====當[esp+00000204]小於4時,

就會跳到4B67CD,如果沒有狗,這個地址的內容為0,同時這裡也是判斷版本號的地方,當大於等於4時,就是通用版
:004B67AC 7C1F                    jl 004B67CD
:004B67AE C705D443630001000000    mov dword ptr [006343D4], 00000001
:004B67B8 33C0                    xor eax, eax
:004B67BA C743148C000000          mov [ebx+14], 0000008C
:004B67C1 894318                  mov dword ptr [ebx+18], eax
:004B67C4 C7431C05000000          mov [ebx+1C], 00000005  <=====[63AC80]=5
:004B67CB EB55                    jmp 004B6822

再往上看地址4B6792:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B66EB(U)
|
:004B6757 83BC24040200000C        cmp dword ptr [esp+00000204], 0000000C  <=====大於等於0C時,是專業版
:004B675F 7C0C                    jl 004B676D
:004B6761 C7431C01000000          mov [ebx+1C], 00000001
:004B6768 E9B5000000              jmp 004B6822

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B675F(C)
|
:004B676D 83BC24040200000A        cmp dword ptr [esp+00000204], 0000000A  <=====大於等於0A時,是專業版S(哪

位朋友知道專業版S和專業版有什麼區別)
:004B6775 7C13                    jl 004B678A
:004B6777 C74314C2010000          mov [ebx+14], 000001C2
:004B677E C7431C02000000          mov [ebx+1C], 00000002
:004B6785 E998000000              jmp 004B6822

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6775(C)
|
:004B678A 83BC240402000006        cmp dword ptr [esp+00000204], 00000006  <=====當大於等於6時,是標準版
:004B6792 7C10                    jl 004B67A4
:004B6794 C743142C010000          mov [ebx+14], 0000012C
:004B679B C7431C04000000          mov [ebx+1C], 00000004
:004B67A2 EB7E                    jmp 004B6822

好了,我們快要接近目標了,再往上看:


:004B6722 51                      push ecx
:004B6723 E8EAE11000              call 005C4912
:004B6728 85C0                    test eax, eax  <=====注意了,這裡就是關鍵的地方,當沒有狗時,EAX=0
:004B672A 740E                    je 004B673A
:004B672C 8B842408020000          mov eax, dword ptr [esp+00000208]
:004B6733 A320C66500              mov dword ptr [0065C620], eax
:004B6738 EB09                    jmp 004B6743

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B6702(C), :004B672A(C)
|
:004B673A 33D2                    xor edx, edx    <=====EDX=0
:004B673C 89942404020000          mov dword ptr [esp+00000204], edx  <=====放標誌了,[ESP+00000204]=0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6738(U)
|
:004B6743 6800010000              push 00000100
:004B6748 6A00                    push 00000000
:004B674A 8D4C240C                lea ecx, dword ptr [esp+0C]
:004B674E 51                      push ecx
:004B674F E8A8EF1000              call 005C56FC
:004B6754 83C40C                  add esp, 0000000C

好了,我們找到關鍵的地方了,我們要讓[ESP+00000204]不為0,我的改法是:

004B6722 51                      push ecx
:004B6723 E8EAE11000              call 005C4912
:004B6728 85C0                    test eax, eax  <=====改為push 0c(我需要專業版嘛,如果你要通用版,就用04好

了,我想你不會那麼笨吧,呵呵)
:004B672A 740E                    je 004B673A    <=====改為JMPS 004B673A
:004B672C 8B842408020000          mov eax, dword ptr [esp+00000208]
:004B6733 A320C66500              mov dword ptr [0065C620], eax
:004B6738 EB09                    jmp 004B6743

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B6702(C), :004B672A(C)
|
:004B673A 33D2                    xor edx, edx    <=====改為POP EDX; NOP(POP指令只有一個位元組,所以要加NOP補

足)
:004B673C 89942404020000          mov dword ptr [esp+00000204], edx 

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6738(U)
|
:004B6743 6800010000              push 00000100
:004B6748 6A00                    push 00000000
:004B674A 8D4C240C                lea ecx, dword ptr [esp+0C]
:004B674E 51                      push ecx
:004B674F E8A8EF1000              call 005C56FC
:004B6754 83C40C                  add esp, 0000000C

好長啊,終於寫完了。哪位朋友對解HASP外殼狗有經驗的,能否給我一份破解過程呢?小弟很需要這方面的知識的,謝謝了。

本文章可以自由張貼,但請保持此文章的完整性,謝謝

相關文章