Software: BrainsBreaker  Version: 2.5  Size: 953KB
Description: a jigsaw puzzle game, truly the best of the best!
Download: http://www.brainsbreaker.com
Note the following when cracking:
1. The program is not packed with any packer; after the code is modified, the program detects on startup that it has been modified, but this does not stop it from running.
2. After entering the main screen, press "CTRL+F8" to bring up the "registration info box", which looks like this:
PACK: Full
NAME: The GodFader
YOUR ID: PZCRACKTEAM
KEY: 77473408754
3. I referred to a foreign patch for version 2.3: it first patches the main program, then enters the corresponding registration information into the "registration info box", as shown above. You can consider following this approach.
Title: Sunli, I have already defeated the integrity check and the "DEMO" text display, but I don't know how you made the move counter stay at 0; could you explain in detail so that the crack can be completed? (233 characters)
Poster: guest
Time: 2000-7-12 21:48:19
Details:
Sunli, I have already defeated the integrity check and the "DEMO" text display, but I don't know how you made the move counter stay at 0; could you explain in detail so that the crack can be completed?
Title: About the move counter (come in) (943 characters)
Poster: SunLi
Time: 2000-7-13 21:21:53
Details:
I dug this program up again and traced it once more. I no longer remember how I found this address; in any case I intercepted ShowWindow and then walked back up several levels. Fortunately I still have my modified version. Below is some information about the number of moves already made in this program:
1. Address where the current move count is stored: bbrk32!data+44F0, a long.
2. Each move increments this counter by 1; pressing F5 makes the computer make one move and increments the counter by 2. The corresponding code is at bbrk32!text+0001A40B:
8B 44 24 04 mov eax,[esp+04] ; how much to add to the counter
6A 01 push 01
01 41 38 add [ecx+38],eax ; the key instruction; just null this out
E8 25 00 00 00 call 0041b43e ; did not trace what this call does
C2 04 00 ret 04 ; return; end of this subroutine
Note: tracing how the program uses this counter should turn up some key decision statements that would let the game continue. Changing add [ecx+38],eax to nop nop nop as I did guarantees you can keep playing, but saving game progress then becomes annoying, because the saved result always has a move count of 0. I'm not very familiar with coprocessor instructions, so I didn't carefully analyse the calculation that follows; I hope you can carry on from here.
When you're done, please post a write-up; I like this program a lot too.
Title: Cracking the DEMO text and the integrity check (615 characters)
Poster: guest
Time: 2000-7-14 21:13:11
Details:
Modify the following addresses with Hexwork; if you want to trace them, prepend a 4 to each address:
1. Removing the DEMO text
39911: change 7407 to EB07
2. Integrity check
Four places in total, at addresses 06D80, 07C51, 110BF, 4B31E
The first is the check at program startup; change 8C459: 7427 to EB27.
The other three are mid-game checks. I modified them as follows, but during testing today I found some remaining problems: after the modification the puzzle tiles on screen are sometimes covered with small mosaic patches. Would an expert please help trace this and see how to resolve it.
Second: 07AF1: change 0F84F5000000 to 909090909090
Third: 11032: change 0F850B220000 to 90E90B220000
Fourth: 4B161: change 0F8454010000 to 909090909090
Thanks to Sunli for cracking the move counter. Since I'm travelling tomorrow, I'm publishing what I've done so far; whoever has time over the next couple of days can refine it, as I have no time to tidy it up.
Title: Everyone, look... (161 characters)
Poster: liangs
Time: 2000-7-15 14:54:26
Details:
If you remove the startup integrity-check prompt at 00404D09, the mosaic effect appears while solving the puzzle. guest's crack above only removes the Demo display on the main screen; it does not remove the Demo display on the picture inside the puzzle screen.
Appendix: a cracking reference by Breakice (冰毒) (Software Operating Room):

BrainsBreaker 2.5.01 --- an unsuccessful crack
Target program: BrainsBreaker 2.5.01  Program URL: http://www.brainsbreaker.com or http://jtrujillo.pair.com/bb  File size: package 929KB; main file BBrk32.exe 700KB
Tutorial author: Breakice  Date written: 18 June 2000  Tools used: Softice 3.23; W32Dasm 8.9
Special statement: this article is for technical exchange only. Please keep it intact when reposting.
1. Introduction
BrainsBreaker is a great jigsaw game. The unregistered version shows registration prompts, and some puzzles carry a Demo mark and limit the number of pieces you can place. The software's protection is well done, and with my still very mediocre skill I can't beat it. But since I haven't done any other cracking lately, I'm writing up the rough process to fill the gap, and also as a starting point in the hope that interested friends will give it a try. I look forward to an expert producing a perfect crack.
2. Cracking process
1. Removing the "Demo" text: the easiest part. Open BBrk32.EXE in a hex editor and search for "Demo". Null out the second occurrence. Then search for "(Demo mode)" and null it out too. The puzzle screen now looks much cleaner, but the puzzles that originally carried the "Demo" mark still show a small translucent box.
2. Removing the translucent box:
:004318B2 85C0 test eax, eax
:004318B4 0F84EF000000 je 004319A9 /change to jmp
3. Removing the NAG at puzzle start and end:
:0043BF86 E889D80300 call 00479814
:0043BF8B 395D0C cmp dword ptr [ebp+0C], ebx
:0043BF8E 7532 jne 0043BFC2 /change to jmp
4. Removing the piece-count limit:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412A9C(U)
|
:004129C2 0FBE435C movsx eax, byte ptr [ebx+5C]
:004129C6 0FBE735C movsx esi, byte ptr [ebx+5C]
:004129CA 0FBF444350 movsx eax, word ptr [ebx+2*eax+50]
:004129CF 0FBF747344 movsx esi, word ptr [ebx+2*esi+44]
:004129D4 8D3C85FEFFFFFF lea edi, dword ptr [4*eax+FFFFFFFE]
:004129DB 03C0 add eax, eax
:004129DD 0FAFF7 imul esi, edi
:004129E0 0FBF55C8 movsx edx, word ptr [ebp-38]
:004129E4 2BF0 sub esi, eax
:004129E6 8955EC mov dword ptr [ebp-14], edx
:004129E9 3BD6 cmp edx, esi
:004129EB 0F8DB0000000 jnl 00412AA1
:004129F1 0FBE435C movsx eax, byte ptr [ebx+5C]
:004129F5 0FBF544344 movsx edx, word ptr [ebx+2*eax+44]
:004129FA 0FBE435C movsx eax, byte ptr [ebx+5C]
:004129FE 8D3495FEFFFFFF lea esi, dword ptr [4*edx+FFFFFFFE]
:00412A05 03D2 add edx, edx
:00412A07 668B444350 mov ax, word ptr [ebx+2*eax+50]
:00412A0C 660FAFC6 imul ax, si
:00412A10 2BC2 sub eax, edx
:00412A12 6685C0 test ax, ax
:00412A15 741F je 00412A36
:00412A17 DB45EC fild dword ptr [ebp-14]
:00412A1A 0FBFC0 movsx eax, ax
:00412A1D DC0DF0C74900 fmul qword ptr [0049C7F0]
:00412A23 8945F8 mov dword ptr [ebp-08], eax
:00412A26 DB45F8 fild dword ptr [ebp-08]
:00412A29 DEF9 fdivp st(1), st(0)
:00412A2B D81D40C74900 fcomp dword ptr [0049C740]
:00412A31 DFE0 fstsw ax
:00412A33 9E sahf
:00412A34 7707 ja 00412A3D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412A15(C)
|
:00412A36 66837DC878 cmp word ptr [ebp-38], 0078 /*
:00412A3B 7E58 jle 00412A95
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412A34(C)
|
:00412A3D 66837DC828 cmp word ptr [ebp-38], 0028 /*
:00412A42 7F45 jg 00412A89
:00412A44 0FBE435C movsx eax, byte ptr [ebx+5C]
:00412A48 0FBF544344 movsx edx, word ptr [ebx+2*eax+44]
:00412A4D 0FBE435C movsx eax, byte ptr [ebx+5C]
:00412A51 8D3495FEFFFFFF lea esi, dword ptr [4*edx+FFFFFFFE]
:00412A58 03D2 add edx, edx
:00412A5A 668B444350 mov ax, word ptr [ebx+2*eax+50]
:00412A5F 660FAFC6 imul ax, si
:00412A63 2BC2 sub eax, edx
:00412A65 6685C0 test ax, ax
:00412A68 742B je 00412A95
:00412A6A DB45EC fild dword ptr [ebp-14]
:00412A6D 0FBFC0 movsx eax, ax
:00412A70 DC0DF0C74900 fmul qword ptr [0049C7F0]
:00412A76 8945F8 mov dword ptr [ebp-08], eax
:00412A79 DB45F8 fild dword ptr [ebp-08]
:00412A7C DEF9 fdivp st(1), st(0)
:00412A7E D81D90C84900 fcomp dword ptr [0049C890]
:00412A84 DFE0 fstsw ax
:00412A86 9E sahf
:00412A87 760C jbe 00412A95
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412A42(C)
|
:00412A89 8B45C0 mov eax, dword ptr [ebp-40]
:00412A8C 83B87801000032 cmp dword ptr [eax+00000178], 00000032 /*
:00412A93 7F0C jg 00412AA1 /nop this out
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00412A3B(C), :00412A68(C), :00412A87(C)
|
:00412A95 FF45E4 inc [ebp-1C]
:00412A98 8345C802 add dword ptr [ebp-38], 00000002
:00412A9C E921FFFFFF jmp 004129C2
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004129EB(C), :00412A93(C)
|
:00412AA1 0FBE435C movsx eax, byte ptr [ebx+5C]
:00412AA5 0FBE735C movsx esi, byte ptr [ebx+5C]
:00412AA9 0FBF444350 movsx eax, word ptr [ebx+2*eax+50]
:00412AAE 0FBF747344 movsx esi, word ptr [ebx+2*esi+44]
:00412AB3 0FBF55E4 movsx edx, word ptr [ebp-1C]
:00412AB7 8D3C85FEFFFFFF lea edi, dword ptr [4*eax+FFFFFFFE]
:00412ABE 8955F8 mov dword ptr [ebp-08], edx
:00412AC1 0FAFF7 imul esi, edi
:00412AC4 03D2 add edx, edx
:00412AC6 03C0 add eax, eax
:00412AC8 2BF0 sub esi, eax
:00412ACA 8D040A lea eax, dword ptr [edx+ecx]
:00412ACD 3BC6 cmp eax, esi
:00412ACF 0F848F000000 je 00412B64
* Reference To: WINMM.timeGetTime, Ord:0098h
|
:00412AD5 8B354CC54900 mov esi, dword ptr [0049C54C]
:00412ADB 3BD1 cmp edx, ecx
:00412ADD 7C07 jl 00412AE6
:00412ADF 66837DE419 cmp word ptr [ebp-1C], 0019 /*
:00412AE4 7D0F jge 00412AF5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412ADD(C)
|
:00412AE6 FFD6 call esi
:00412AE8 2B05109A4A00 sub eax, dword ptr [004A9A10]
:00412AEE 3D30750000 cmp eax, 00007530
:00412AF3 730B jnb 00412B00
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412AE4(C)
|
:00412AF5 66837DE408 cmp word ptr [ebp-1C], 0008 /*
:00412AFA 0F8F11010000 jg 00412C11
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412AF3(C)
|
:00412B00 FFD6 call esi /nag
:00412B02 6A30 push 00000030
:00412B04 A3109A4A00 mov dword ptr [004A9A10], eax
:00412B09 E87F690600 call 0047948D
:00412B0E 8BF0 mov esi, eax
:00412B10 59 pop ecx
:00412B11 85F6 test esi, esi
:00412B13 7435 je 00412B4A
:00412B15 FF75F8 push [ebp-08]
:00412B18 66C745EC5C02 mov [ebp-14], 025C
After nopping out line 00412A93, the nag telling you how many more pieces you can play no longer appears, but whether you cheat (F5) or solve the puzzle yourself, you still can't play a single extra piece.
5. Letting the cheat method (F5) continue:
:0044A238 FF5614 call [esi+14]
:0044A23B F6460C02 test [esi+0C], 02
:0044A23F 7503 jne 0044A244
:0044A241 FF5618 call [esi+18]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044A23F(C)
|
:0044A244 F6460C04 test [esi+0C], 04
:0044A248 7415 je 0044A25F /change this to jmp
:0044A24A 85F6 test esi, esi
:0044A24C 0F84AC060000 je 0044A8FE
:0044A252 8B06 mov eax, dword ptr [esi]
Now F5 can play through to the end. But when I tried solving the puzzle myself, it still didn't work.
6. Letting manual solving continue:
:00411F5B FF559C call [ebp-64]
:00411F5E F6459402 test [ebp-6C], 02
:00411F62 7503 jne 00411F67
:00411F64 FF55A0 call [ebp-60]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411F62(C)
|
:00411F67 F6459404 test [ebp-6C], 04
:00411F6B 7507 jne 00411F74 /nop this out
:00411F6D 8BCF mov ecx, edi
:00411F6F E8DCDCFFFF call 0040FC50
Now it can be played, but you soon find that pieces you select and put down vanish inexplicably, and solving in cheat mode becomes a mess as well.
7. Restoring everything to normal:
:00412E21 8B45C0 mov eax, dword ptr [ebp-40]
:00412E24 8B7508 mov esi, dword ptr [ebp+08]
:00412E27 83B87801000032 cmp dword ptr [eax+00000178], 00000032
:00412E2E 7F06 jg 00412E36 /nop this out
:00412E30 837E2000 cmp dword ptr [esi+20], 00000000
:00412E34 7466 je 00412E9C
So everything seems normal again. Only, at program startup and during the puzzle, a nag appears saying the file has been modified.
8. Removing the startup nag
* Possible StringData Ref from Data Obj ->"mbbrk32"
|
:00406B66 689C5A4A00 push 004A5A9C
:00406B6B 53 push ebx
:00406B6C 53 push ebx
:00406B6D A358984A00 mov dword ptr [004A9858], eax
:00406B72 33FF xor edi, edi
:00406B74 E854020800 call 00486DCD
:00406B79 83C40C add esp, 0000000C
:00406B7C 3D22334455 cmp eax, 55443322 /Magic Number
:00406B81 7403 je 00406B86 /change to jmp
Now the file-modified nag generally no longer appears at startup, but during the puzzle there is still a randomly popping nag.
9. The hard-to-remove random nag
* Referenced by a CALL at Addresses:
|:00406D80 , :00407C51 , :0040D1C4 , :004110BF , :00413B1D
|:00424D55 , :0043A1A7 , :0044B31E
|
:00404CCC 56 push esi
:00404CCD 8BF1 mov esi, ecx
:00404CCF 68D8000000 push 000000D8
:00404CD4 E8B4470700 call 0047948D
:00404CD9 85C0 test eax, eax
:00404CDB 59 pop ecx
:00404CDC 740A je 00404CE8
:00404CDE 56 push esi
:00404CDF 8BC8 mov ecx, eax
:00404CE1 E88C030000 call 00405072
:00404CE6 EB02 jmp 00404CEA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404CDC(C)
|
:00404CE8 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404CE6(U)
|
:00404CEA 837C240800 cmp dword ptr [esp+08], 00000000
:00404CEF 7407 je 00404CF8
:00404CF1 80888500000010 or byte ptr [eax+00000085], 10
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404CEF(C)
|
:00404CF8 8B4E1C mov ecx, dword ptr [esi+1C]
:00404CFB 894820 mov dword ptr [eax+20], ecx
:00404CFE 8B4E70 mov ecx, dword ptr [esi+70]
:00404D01 898880000000 mov dword ptr [eax+00000080], ecx
:00404D07 8BC8 mov ecx, eax
:00404D09 E858130000 call 00406066 /the dialog is generated here
:00404D0E 5E pop esi
:00404D0F C20400 ret 0004
The Call at 00406D80 produces the startup nag, which the earlier patch already skips; the Calls at 00407C51 and 004110BF produce the random NAG and cannot be nopped out. If you follow the Call at line 00404D09 inside, there are several subroutine calls in there, but those are also used to produce other dialogs. The only option is to patch at line 00404D09. But after that patch you will see "scratches" on quite a few tiles. :( Whether or not to apply this patch, you'll have to weigh up for yourself.
3. Conclusion
This was a failed crack. Not only did it fail to resolve the randomly popping file-modified nag, but when you make your own new puzzle with more than 50 pieces, although cheat mode is generally fine, solving it yourself past a certain number of pieces usually crashes the program. :( Finding a valid registration serial and writing the corresponding keygen is the goal and level a Cracker should aspire to.
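The posts above describe two shapes of self-check in this program: a startup check that compares a computed value with a magic number at a single conditional jump (00406B7C), and mid-game checks whose removal leaves mosaic or "scratches" on the tiles, which suggests their result is consumed by later drawing code rather than decided at one branch. The C program below is an added example, not code from this thread or from BrainsBreaker, and models both shapes over a constructed byte buffer: image_checksum is an assumed FNV-1a hash standing in for the unknown real routine, known_good_checksum stands in for the constant a build would embed, and render_tile shows why folding a check result into data makes tampering surface as corrupted output instead of a skipped dialog.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the bytes a self-check covers (a real program
 * would hash its own file or code section; the routine used by the game
 * is unknown, so this is an assumption). */
static const uint8_t sample_image[32] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56,
    0x57, 0x8B, 0x7D, 0x08, 0x33, 0xC0, 0x8B, 0xF1,
    0x85, 0xFF, 0x74, 0x0A, 0x8B, 0x07, 0xFF, 0x50,
    0x04, 0x8B, 0xF0, 0x5F, 0x5E, 0x5B, 0xC9, 0xC3
};

/* Assumed checksum (32-bit FNV-1a). It is not cryptographic; it only has to
 * change whenever any covered byte changes, which FNV-1a guarantees for a
 * single-byte difference because every step is a bijection on 32 bits. */
uint32_t image_checksum(const uint8_t *buf, size_t len) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 0x01000193u; }
    return h;
}

/* In a shipped binary the expected value is a constant written at build
 * time; here it is derived from the pristine sample so the example runs. */
uint32_t known_good_checksum(void) {
    return image_checksum(sample_image, sizeof sample_image);
}

/* Pattern 1: compare-and-branch. The whole result collapses into one flag
 * decided at a single conditional jump, the shape the posts see at startup. */
int startup_check(const uint8_t *buf, size_t len, uint32_t expected) {
    return image_checksum(buf, len) == expected;
}

/* Pattern 2: the check result is folded into data a later stage consumes.
 * delta is zero for an intact image, so the tile passes through unchanged;
 * any change to the covered bytes scrambles the tile. This models the
 * symptom the posts report (mosaic on pieces once mid-game checks are
 * altered) without a branch that decides the outcome. */
void render_tile(const uint8_t *buf, size_t len, uint32_t expected,
                 uint8_t *tile, size_t tile_len) {
    uint32_t delta = image_checksum(buf, len) ^ expected;
    for (size_t i = 0; i < tile_len; i++)
        tile[i] ^= (uint8_t)(delta >> (8 * (i % 4)));
}

/* Intact image: the branch check passes and the tile is untouched. */
int demo_intact(void) {
    uint8_t tile[8] = {1, 2, 3, 4, 5, 6, 7, 8}, orig[8];
    memcpy(orig, tile, sizeof tile);
    if (!startup_check(sample_image, sizeof sample_image, known_good_checksum()))
        return 0;
    render_tile(sample_image, sizeof sample_image, known_good_checksum(),
                tile, sizeof tile);
    return memcmp(orig, tile, sizeof tile) == 0;
}

/* One flipped byte in the covered region: the branch check fails, and even
 * if that branch were ignored the rendered tile no longer matches. */
int demo_tampered(void) {
    uint8_t patched[sizeof sample_image];
    uint8_t tile[8] = {1, 2, 3, 4, 5, 6, 7, 8}, orig[8];
    memcpy(patched, sample_image, sizeof patched);
    memcpy(orig, tile, sizeof tile);
    patched[18] ^= 0x80;              /* constructed single-byte modification */
    if (startup_check(patched, sizeof patched, known_good_checksum()))
        return 0;
    render_tile(patched, sizeof patched, known_good_checksum(), tile, sizeof tile);
    return memcmp(orig, tile, sizeof tile) != 0;
}

int main(void) {
    printf("intact image:   %s\n", demo_intact()   ? "check passes, tile clean" : "FAIL");
    printf("tampered image: %s\n", demo_tampered() ? "check fails, tile corrupted" : "FAIL");
    return 0;
}
```

From a protection-design point of view the second pattern is the instructive one: there is no single flag to flip, and tampering shows up as a visible symptom rather than a dialog. Neither pattern authenticates anything, though: a checksum the program computes over bytes it can read itself is anti-tamper, not code signing, so it raises effort and detectability rather than preventing modification.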