又到殺狗的時間了,呵呵,這次的瘋狗的是什麼呢?小弟是廣告界的,當然先拿噴繪軟體來開刀了,蒙泰5.0應該是國內用得最多的一個噴繪軟體吧,好,這次就拿它來試刀了。
工具:trw2000
w32dasm8.93黃金版
hview
蒙泰在執行時如果沒有加密狗,就會彈出一個對話方塊,好,我們就從這個對話方塊入手。執行trw2000,然後執行蒙泰,會
出現對話方塊,切入trw2000(ctrl+N),下斷點bpx enddialog,返回主程式,按下“確定”按鈕,Boom,被攔下來的,暫停
斷點(BD *),接著就一直按F12和F10,直到返回到下面的程式碼處:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00490D53(C)
|
:00490D5D 8B1B
mov ebx, dword ptr [ebx]
:00490D5F 85DB
test ebx, ebx
:00490D61 75EC
jne 00490D4F
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00490D47(C), :00490D4D(C)
|
:00490D63 833D80AC630007 cmp dword ptr [0063AC80],
00000007 <=====我們想辦法讓[0063AC80]不等於7
:00490D6A 750E
jne 00490D7A
:00490D6C 833D20C6650000 cmp dword ptr [0065C620],
00000000
:00490D73 7505
jne 00490D7A
:00490D75 E836FFFFFF call 00490CB0
<=====出錯對話方塊
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00490D6A(C), :00490D73(C)
|
:00490D7A B801000000 mov eax,
00000001 <=====返回到這裡
我們往上看,有兩條跳轉指令,程式是透過地址63ac80和65c620的內容來決定是否顯示出錯對話方塊的,好,退出蒙泰,我們再
下斷點bpm 63ac80,看會斷在什麼地方:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B67AC(C)
|
:004B67CD C743109A010000 mov [ebx+10], 0000019A
:004B67D4 C743145C000000 mov [ebx+14], 0000005C
:004B67DB 33D2
xor edx, edx
:004B67DD 895318
mov dword ptr [ebx+18], edx
:004B67E0 C7431C07000000 mov [ebx+1C], 00000007
<=====這裡就是給63ac80賦值的地方,當走到這裡的
時候就GAME OVER了,所以我們往上看什麼地方可以跳過這裡
:004B67E7 68606D0000 push 00006D60
<======中斷在此
:004B67EC E85EF10E00 call 005A594F
我們往上看,是4B67AC這個地址呼叫的:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6792(C)
|
:004B67A4 83BC240402000004 cmp dword ptr [esp+00000204],
00000004 <=====當[esp+00000204]小於4時,
就會跳到4B67CD,如果沒有狗,這個地址的內容為0,同時這裡也是判斷版本號的地方,當大於等於4時,就是通用版
:004B67AC 7C1F
jl 004B67CD
:004B67AE C705D443630001000000 mov dword ptr [006343D4], 00000001
:004B67B8 33C0
xor eax, eax
:004B67BA C743148C000000 mov [ebx+14], 0000008C
:004B67C1 894318
mov dword ptr [ebx+18], eax
:004B67C4 C7431C05000000 mov [ebx+1C], 00000005
<=====[63AC80]=5
:004B67CB EB55
jmp 004B6822
再往上看地址4B6792:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B66EB(U)
|
:004B6757 83BC24040200000C cmp dword ptr [esp+00000204],
0000000C <=====大於等於0C時,是專業版
:004B675F 7C0C
jl 004B676D
:004B6761 C7431C01000000 mov [ebx+1C], 00000001
:004B6768 E9B5000000 jmp 004B6822
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B675F(C)
|
:004B676D 83BC24040200000A cmp dword ptr [esp+00000204],
0000000A <=====大於等於0A時,是專業版S(哪
位朋友知道專業版S和專業版有什麼區別)
:004B6775 7C13
jl 004B678A
:004B6777 C74314C2010000 mov [ebx+14], 000001C2
:004B677E C7431C02000000 mov [ebx+1C], 00000002
:004B6785 E998000000 jmp 004B6822
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6775(C)
|
:004B678A 83BC240402000006 cmp dword ptr [esp+00000204],
00000006 <=====當大於等於6時,是標準版
:004B6792 7C10
jl 004B67A4
:004B6794 C743142C010000 mov [ebx+14], 0000012C
:004B679B C7431C04000000 mov [ebx+1C], 00000004
:004B67A2 EB7E
jmp 004B6822
好了,我們快要接近目標了,再往上看:
:004B6722 51
push ecx
:004B6723 E8EAE11000 call 005C4912
:004B6728 85C0
test eax, eax <=====注意了,這裡就是關鍵的地方,當沒有狗時,EAX=0
:004B672A 740E
je 004B673A
:004B672C 8B842408020000 mov eax, dword ptr
[esp+00000208]
:004B6733 A320C66500 mov dword
ptr [0065C620], eax
:004B6738 EB09
jmp 004B6743
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B6702(C), :004B672A(C)
|
:004B673A 33D2
xor edx, edx <=====EDX=0
:004B673C 89942404020000 mov dword ptr [esp+00000204],
edx <=====放標誌了,[ESP+00000204]=0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6738(U)
|
:004B6743 6800010000 push 00000100
:004B6748 6A00
push 00000000
:004B674A 8D4C240C lea
ecx, dword ptr [esp+0C]
:004B674E 51
push ecx
:004B674F E8A8EF1000 call 005C56FC
:004B6754 83C40C
add esp, 0000000C
好了,我們找到關鍵的地方了,我們要讓[ESP+00000204]不為0,我的改法是:
004B6722 51
push ecx
:004B6723 E8EAE11000 call 005C4912
:004B6728 85C0
test eax, eax <=====改為push 0c(我需要專業版嘛,如果你要通用版,就用04好
了,我想你不會那麼笨吧,呵呵)
:004B672A 740E
je 004B673A <=====改為JMPS 004B673A
:004B672C 8B842408020000 mov eax, dword ptr
[esp+00000208]
:004B6733 A320C66500 mov dword
ptr [0065C620], eax
:004B6738 EB09
jmp 004B6743
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B6702(C), :004B672A(C)
|
:004B673A 33D2
xor edx, edx <=====改為POP EDX; NOP(POP指令只有一個位元組,所以要加NOP補
足)
:004B673C 89942404020000 mov dword ptr [esp+00000204],
edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6738(U)
|
:004B6743 6800010000 push 00000100
:004B6748 6A00
push 00000000
:004B674A 8D4C240C lea
ecx, dword ptr [esp+0C]
:004B674E 51
push ecx
:004B674F E8A8EF1000 call 005C56FC
:004B6754 83C40C
add esp, 0000000C
好長啊,終於寫完了。哪位朋友對解HASP外殼狗有經驗的,能否給我一份破解過程呢?小弟很需要這方面的知識的,謝謝了。
本文章可以自由張貼,但請保持此文章的完整性,謝謝