纯技术交流,如需使用,请购买正版,原创东西禁止转载!
这是一个制作图片说明文档的软件,软件下载地址http://www.moodysoft.com/studio/
此网站还有1款比较方便的截图软件,看完此贴可自行研究哦
首先安装该软件,或者可用UniExtract这个软件进行解压缩
1.查壳 Borland Delphi 6.0 - 7.0
2.既然没有壳就直接破解吧,OD载入如下:
004C5E70 > $ 55 push ebp
004C5E71 . 8BEC mov ebp,esp
004C5E73 . 83C4 F0 add esp,-10
004C5E76 . B8 785B4C00 mov eax,Studio.004C5B78 ; ^
004C5E7B . E8 740BF4FF call Studio.004069F4
004C5E80 . 68 D45E4C00 push Studio.004C5ED4 ; SPX Studio
004C5E85 . 6A FF push -1
004C5E87 . 6A 00 push 0
004C5E89 . E8 7A0DF4FF call Studio.00406C08
确实无壳,那我们开始破解吧,用注册名注册,找到如下代码
004BAF58 /$ 55 push ebp
004BAF59 |. 8BEC mov ebp,esp
004BAF5B |. B9 04000000 mov ecx,4
004BAF60 |> 6A 00 /push 0
004BAF62 |. 6A 00 |push 0
004BAF64 |. 49 |dec ecx
004BAF65 |.^ 75 F9 \jnz short Studio.004BAF60
004BAF67 |. 51 push ecx
004BAF68 |. 53 push ebx
004BAF69 |. 8BD8 mov ebx,eax
004BAF6B |. 33C0 xor eax,eax
004BAF6D |. 55 push ebp
004BAF6E |. 68 EAB04B00 push Studio.004BB0EA
004BAF73 |. 64:FF30 push dword ptr fs:[eax]
004BAF76 |. 64:8920 mov dword ptr fs:[eax],esp
004BAF79 |. 8D55 FC lea edx,[local.1]
004BAF7C |. 8B83 18030000 mov eax,dword ptr ds:[ebx+318]
004BAF82 |. E8 F1BCF8FF call Studio.00446C78
004BAF87 |. 837D FC 00 cmp [local.1],0
004BAF8B |. 74 14 je short Studio.004BAFA1
004BAF8D |. 8D55 F8 lea edx,[local.2]
004BAF90 |. 8B83 28030000 mov eax,dword ptr ds:[ebx+328]
004BAF96 |. E8 DDBCF8FF call Studio.00446C78
004BAF9B |. 837D F8 00 cmp [local.2],0 ;
004BAF9F |. 75 34 jnz short Studio.004BAFD5
004BAFA1 |> 6A 30 push 30
004BAFA3 |. 8D55 F4 lea edx,[local.3]
004BAFA6 |. A1 4CB24C00 mov eax,dword ptr ds:[4CB24C]
004BAFAB |. 8B00 mov eax,dword ptr ds:[eax] ; Studio.004BA2D0
004BAFAD |. E8 4EBFFAFF call Studio.00466F00
004BAFB2 |. 8B45 F4 mov eax,[local.3]
004BAFB5 |. E8 D69AF4FF call Studio.00404A90
004BAFBA |. 50 push eax ; |Title = "孝K"
004BAFBB |. 68 F8B04B00 push Studio.004BB0F8 ; |To obtain your UserName and Product ID please buy a licence.
004BAFC0 |. A1 4CB24C00 mov eax,dword ptr ds:[4CB24C] ; |
004BAFC5 |. 8B00 mov eax,dword ptr ds:[eax] ; |Studio.004BA2D0
004BAFC7 |. 8B40 30 mov eax,dword ptr ds:[eax+30] ; |
004BAFCA |. 50 push eax ; |hOwner = 01398D20
004BAFCB |. E8 18C5F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004BAFD0 |. E9 D8000000 jmp Studio.004BB0AD
004BAFD5 |> 66:83BB 3A030>cmp word ptr ds:[ebx+33A],0
004BAFDD |. 0F84 CA000000 je Studio.004BB0AD
004BAFE3 |. 6A 01 push 1
004BAFE5 |. 8D55 F0 lea edx,[local.4]
004BAFE8 |. 8B83 28030000 mov eax,dword ptr ds:[ebx+328]
004BAFEE |. E8 85BCF8FF call Studio.00446C78 ; 出假码
004BAFF3 |. 8B45 F0 mov eax,[local.4]
004BAFF6 |. 50 push eax
004BAFF7 |. 8D55 EC lea edx,[local.5]
004BAFFA |. 8B83 18030000 mov eax,dword ptr ds:[ebx+318]
004BB000 |. E8 73BCF8FF call Studio.00446C78
004BB005 |. 8B55 EC mov edx,[local.5] ; 出现用户名
004BB008 |. 59 pop ecx
004BB009 |. 8B83 3C030000 mov eax,dword ptr ds:[ebx+33C] ; 假码及用户名入ECX和EDX
004BB00F |. FF93 38030000 call dword ptr ds:[ebx+338] ; 关键CALL
004BB015 |. 84C0 test al,al
004BB017 |. 74 65 je short Studio.004BB07E ; 跳到错误,关键跳不能跳
004BB019 |. 6A 30 push 30
004BB01B |. 8D55 E8 lea edx,[local.6]
004BB01E |. A1 4CB24C00 mov eax,dword ptr ds:[4CB24C]
004BB023 |. 8B00 mov eax,dword ptr ds:[eax] ; Studio.004BA2D0
004BB025 |. E8 D6BEFAFF call Studio.00466F00
004BB02A |. 8B45 E8 mov eax,[local.6]
004BB02D |. E8 5E9AF4FF call Studio.00404A90
004BB032 |. 50 push eax
004BB033 |. 68 40B14B00 push Studio.004BB140 ; Thank you for registering
004BB038 |. 8D55 E0 lea edx,[local.8]
004BB03B |. A1 4CB24C00 mov eax,dword ptr ds:[4CB24C]
004BB040 |. 8B00 mov eax,dword ptr ds:[eax] ; Studio.004BA2D0
004BB042 |. E8 B9BEFAFF call Studio.00466F00
004BB047 |. FF75 E0 push [local.8]
004BB04A |. 68 64B14B00 push Studio.004BB164 ; .
004BB04F |. 8D45 E4 lea eax,[local.7]
004BB052 |. BA 03000000 mov edx,3
004BB057 |. E8 FC98F4FF call Studio.00404958
004BB05C |. 8B45 E4 mov eax,[local.7]
004BB05F |. E8 2C9AF4FF call Studio.00404A90
004BB064 |. 50 push eax ; |Text = "孝K"
004BB065 |. A1 4CB24C00 mov eax,dword ptr ds:[4CB24C] ; |
004BB06A |. 8B00 mov eax,dword ptr ds:[eax] ; |Studio.004BA2D0
004BB06C |. 8B40 30 mov eax,dword ptr ds:[eax+30] ; |
004BB06F |. 50 push eax ; |hOwner = 01398D20
004BB070 |. E8 73C4F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004BB075 |. 8BC3 mov eax,ebx
004BB077 |. E8 208CFAFF call Studio.00463C9C
004BB07C |. EB 2F jmp short Studio.004BB0AD
004BB07E |> 6A 30 push 30
004BB080 |. 8D55 DC lea edx,[local.9]
004BB083 |. A1 4CB24C00 mov eax,dword ptr ds:[4CB24C]
004BB088 |. 8B00 mov eax,dword ptr ds:[eax] ; Studio.004BA2D0
004BB08A |. E8 71BEFAFF call Studio.00466F00
004BB08F |. 8B45 DC mov eax,[local.9]
004BB092 |. E8 F999F4FF call Studio.00404A90
004BB097 |. 50 push eax ; |Title = "孝K"
004BB098 |. 68 68B14B00 push Studio.004BB168 ; |Invalid User Name or Product ID. Please try again.
004BB09D |. A1 4CB24C00 mov eax,dword ptr ds:[4CB24C] ; |
004BB0A2 |. 8B00 mov eax,dword ptr ds:[eax] ; |Studio.004BA2D0
004BB0A4 |. 8B40 30 mov eax,dword ptr ds:[eax+30] ; |
004BB0A7 |. 50 push eax ; |hOwner = 01398D20
004BB0A8 |. E8 3BC4F4FF call <jmp.&user32.MessageBoxA> ; \错误
004BB0AD |> 33C0 xor eax,eax
004BB0AF |. 5A pop edx
004BB0B0 |. 59 pop ecx
004BB0B1 |. 59 pop ecx
004BB0B2 |. 64:8910 mov dword ptr fs:[eax],edx
004BB0B5 |. 68 F1B04B00 push Studio.004BB0F1
004BB0BA |> 8D45 DC lea eax,[local.9]
004BB0BD |. BA 04000000 mov edx,4
004BB0C2 |. E8 3D95F4FF call Studio.00404604
004BB0C7 |. 8D45 EC lea eax,[local.5]
004BB0CA |. BA 02000000 mov edx,2
004BB0CF |. E8 3095F4FF call Studio.00404604
004BB0D4 |. 8D45 F4 lea eax,[local.3]
004BB0D7 |. E8 0495F4FF call Studio.004045E0
004BB0DC |. 8D45 F8 lea eax,[local.2]
004BB0DF |. BA 02000000 mov edx,2
004BB0E4 |. E8 1B95F4FF call Studio.00404604
004BB0E9 \. C3 retn
经过分析004BB017 |. 74 65 je short Studio.004BB07E ; 为关键跳不能跳,跳了就到错误
由此上面的CALL 004BB00F |. FF93 38030000 call dword ptr ds:[ebx+338] ; 为关键CALL
我们下断 F7跟进重新进行分析
004BA7AC /$ 55 push ebp
004BA7AD |. 8BEC mov ebp,esp
004BA7AF |. 6A 00 push 0
004BA7B1 |. 6A 00 push 0
004BA7B3 |. 6A 00 push 0
004BA7B5 |. 6A 00 push 0
004BA7B7 |. 6A 00 push 0
004BA7B9 |. 6A 00 push 0
004BA7BB |. 6A 00 push 0
004BA7BD |. 53 push ebx
004BA7BE |. 56 push esi ; Studio.0046BEB8
004BA7BF |. 57 push edi
004BA7C0 |. 894D F8 mov [local.2],ecx
004BA7C3 |. 8955 FC mov [local.1],edx
004BA7C6 |. 8BD8 mov ebx,eax
004BA7C8 |. 8B45 FC mov eax,[local.1]
004BA7CB |. E8 B0A2F4FF call Studio.00404A80
004BA7D0 |. 8B45 F8 mov eax,[local.2]
004BA7D3 |. E8 A8A2F4FF call Studio.00404A80
004BA7D8 |. 33C0 xor eax,eax
004BA7DA |. 55 push ebp
004BA7DB |. 68 25A94B00 push Studio.004BA925
004BA7E0 |. 64:FF30 push dword ptr fs:[eax]
004BA7E3 |. 64:8920 mov dword ptr fs:[eax],esp
004BA7E6 |. C645 F7 00 mov byte ptr ss:[ebp-9],0
004BA7EA |. A0 38A94B00 mov al,byte ptr ds:[4BA938]
004BA7EF |. 50 push eax
004BA7F0 |. 8D45 E4 lea eax,[local.7]
004BA7F3 |. 50 push eax
004BA7F4 |. 33C9 xor ecx,ecx
004BA7F6 |. BA 44A94B00 mov edx,Studio.004BA944
004BA7FB |. 8B45 FC mov eax,[local.1] ; 出现注册名
004BA7FE |. E8 B533F5FF call Studio.0040DBB8
004BA803 |. 8B45 E4 mov eax,[local.7]
004BA806 |. 8D55 E8 lea edx,[local.6]
004BA809 |. E8 1AE1F4FF call Studio.00408928 ; 用户名算法CALL
004BA80E |. 837D E8 00 cmp [local.6],0
004BA812 |. 0F84 E5000000 je Studio.004BA8FD
004BA818 |. 837D F8 00 cmp [local.2],0
004BA81C |. 0F84 DB000000 je Studio.004BA8FD
004BA822 |. 8D45 F0 lea eax,[local.4]
004BA825 |. BA 50A94B00 mov edx,Studio.004BA950 ; life
004BA82A |. E8 499EF4FF call Studio.00404678
004BA82F |. 8D45 EC lea eax,[local.5]
004BA832 |. BA 60A94B00 mov edx,Studio.004BA960 ; is soft and moody
004BA837 |. E8 3C9EF4FF call Studio.00404678
004BA83C |. 33C9 xor ecx,ecx
004BA83E |. B2 01 mov dl,1
004BA840 |. A1 5C604B00 mov eax,dword ptr ds:[4B605C] ; 您K
004BA845 |. E8 FECCFFFF call Studio.004B7548
004BA84A |. 8BF0 mov esi,eax
004BA84C |. 8B0D D8754B00 mov ecx,dword ptr ds:[4B75D8] ; 瘤K
004BA852 |. 8B53 38 mov edx,dword ptr ds:[ebx+38] ; Studio.00460B60
004BA855 |. 8BC6 mov eax,esi ; Studio.0046BEB8
004BA857 |. E8 94E4FEFF call Studio.004A8CF0
004BA85C |. 8D4D F0 lea ecx,[local.4]
004BA85F |. 8B55 E8 mov edx,[local.6]
004BA862 |. 8BC6 mov eax,esi ; Studio.0046BEB8
004BA864 |. 8B38 mov edi,dword ptr ds:[eax] ; Studio.004024AD
004BA866 |. FF57 54 call dword ptr ds:[edi+54] ; ?????????????
004BA869 |. 8BC6 mov eax,esi ; Studio.0046BEB8
004BA86B |. 8B10 mov edx,dword ptr ds:[eax] ; Studio.004024AD
004BA86D |. FF52 44 call dword ptr ds:[edx+44]
004BA870 |. 8BC6 mov eax,esi ; Studio.0046BEB8
004BA872 |. E8 798FF4FF call Studio.004037F0
004BA877 |. 33C9 xor ecx,ecx
004BA879 |. B2 01 mov dl,1
004BA87B |. A1 68A94A00 mov eax,dword ptr ds:[4AA968] ; $@
004BA880 |. E8 B7E8FEFF call Studio.004A913C
004BA885 |. 8BF0 mov esi,eax
004BA887 |. 8B0D 08BA4A00 mov ecx,dword ptr ds:[4ABA08] ; Studio.004ABA54
004BA88D |. 8B53 3C mov edx,dword ptr ds:[ebx+3C]
004BA890 |. 8BC6 mov eax,esi ; Studio.0046BEB8
004BA892 |. E8 59E4FEFF call Studio.004A8CF0
004BA897 |. 8D4D EC lea ecx,[local.5]
004BA89A |. 8B55 F8 mov edx,[local.2]
004BA89D |. 8BC6 mov eax,esi ; Studio.0046BEB8
004BA89F |. 8B38 mov edi,dword ptr ds:[eax] ; Studio.004024AD
004BA8A1 |. FF57 58 call dword ptr ds:[edi+58] ; 假码算法在此
004BA8A4 |. 8BC6 mov eax,esi ; Studio.0046BEB8
004BA8A6 |. 8B10 mov edx,dword ptr ds:[eax] ; Studio.004024AD
004BA8A8 |. FF52 44 call dword ptr ds:[edx+44]
004BA8AB |. 8BC6 mov eax,esi ; Studio.0046BEB8
004BA8AD |. E8 3E8FF4FF call Studio.004037F0 ; ?
004BA8B2 |. 8B45 F0 mov eax,[local.4]
004BA8B5 |. 8B55 EC mov edx,[local.5]
004BA8B8 |. E8 1FA1F4FF call Studio.004049DC ; ?????
004BA8BD |. 0F94C0 sete al 完美破解点
004BA8C0 |. 8843 34 mov byte ptr ds:[ebx+34],al
004BA8C3 |. 807B 34 00 cmp byte ptr ds:[ebx+34],0
004BA8C7 |. 74 34 je short Studio.004BA8FD ; 不能跳 跳了上1层就会跳到错误代码
004BA8C9 |. 8D43 40 lea eax,dword ptr ds:[ebx+40]
004BA8CC |. 8B55 FC mov edx,[local.1]
004BA8CF |. B9 FF000000 mov ecx,0FF
004BA8D4 |. E8 9B9FF4FF call Studio.00404874
004BA8D9 |. 8D83 40010000 lea eax,dword ptr ds:[ebx+140]
004BA8DF |. 8B55 F8 mov edx,[local.2]
004BA8E2 |. B9 FF000000 mov ecx,0FF
004BA8E7 |. E8 889FF4FF call Studio.00404874
004BA8EC |. 807D 08 00 cmp byte ptr ss:[ebp+8],0
004BA8F0 |. 74 07 je short Studio.004BA8F9
004BA8F2 |. 8BC3 mov eax,ebx
004BA8F4 |. E8 4F020000 call Studio.004BAB48
004BA8F9 |> C645 F7 01 mov byte ptr ss:[ebp-9],1
004BA8FD |> 33C0 xor eax,eax
004BA8FF |. 5A pop edx ; 0012F6B8
004BA900 |. 59 pop ecx ; 0012F6B8
004BA901 |. 59 pop ecx ; 0012F6B8
004BA902 |. 64:8910 mov dword ptr fs:[eax],edx
004BA905 |. 68 2CA94B00 push Studio.004BA92C
004BA90A |> 8D45 E4 lea eax,[local.7]
004BA90D |. BA 04000000 mov edx,4
004BA912 |. E8 ED9CF4FF call Studio.00404604
004BA917 |. 8D45 F8 lea eax,[local.2]
004BA91A |. BA 02000000 mov edx,2
004BA91F |. E8 E09CF4FF call Studio.00404604
004BA924 \. C3 retn
004BA925 .^ E9 5A96F4FF jmp Studio.00403F84
004BA92A .^ EB DE jmp short Studio.004BA90A
004BA92C . 8A45 F7 mov al,byte ptr ss:[ebp-9]
004BA92F . 5F pop edi ; 0012F6B8
004BA930 . 5E pop esi ; 0012F6B8
004BA931 . 5B pop ebx ; 0012F6B8
004BA932 . 8BE5 mov esp,ebp
004BA934 . 5D pop ebp ; 0012F6B8
004BA935 . C2 0400 retn 4
经过分析，004BA8BD |. 0F94C0 sete al 为完美破解点，改成SETNE即可；如要进一步分析，可跟进004BA8B8 |. E8 1FA1F4FF call Studio.004049DC 此CALL。
到此破解完成,有兴趣的可以自己追下注册码