www.3q1.com

If the program detects that you have modified it, it will restart your Windows:

00404811 7417 -> EB17
00404F9D 741E -> EB1E

Keyfile protection: \system\syscagd.dat

  • Title: Walkthrough for levels 1-15 (2,000 characters)
  • Author: ★morning★
  • Time: 2001-9-7 20:08:25

1 97
LLDDDDLDDRRULDLURULLLDLUUDRRRRUUUURRDLULDDDDLDDRRULDLURULLLDLUDURRRRUUUURRDDLULDDDLDDRRULDLURULLL

2 55
LDLLDDLDDRRURRDRUDULLLDUDLLUURUURRDDUULLDDLDDRRURRLLDRR

3 149
DRRRRUULUURRRURDDDUULLLLDDRULURRURDDDUULLLDDLLURRDRULURRRURDDULLLDDDDLUULURDRULURRURDDULLLDDDDLLLUURUULLDRRRRDRULURRRURDLLLLDDLLLDDRULURRRDRUULURRURD

4 82
DRDRRRLLLULDDLLDDRRUUUULURRRLDDLDDDLLURDRUUUULURRDDRRRDDLLUDRRUULLLULDDLDDRUUUULUR

5 237
DRRURURRDDLURULDLUDLDLLURRRURRDDLUUDRDRRRULLDULDLURULDLLLUUDDRRRRRRRLUUULULLLULLDDDDUUUURRDRRRDRDDDDLLULLLDLLURRRLRRDRUUDLLRRRRUUULULLLLULDDDDUUURRRRRDRDDDLLLLLDLLURRRLLUUUURRRRRDRDDDDLLLULLLUUUUURRDRRRURDDDDUUULLLLLLDDDDDRURRDRRRRULLDLU

6 71
RRRLLLDDDUDDUUUUDDRRDRRRLUDLLURRRLLLLLLRUURRRDULLLDDRRRRLURLDLLLLRDRRRR

7 74
DLLLUUDDDUUULLLDDDDRRRLRUURRRUULLLRRRDDLURULDDLLDDLLLUURRRLLDLDRULUUURDLDR

8 118
LLLDDLLURLURUURRRRDDDUUULLLLDDRRRLLLUURRRRDDRDLULDULLLDDRULURRRLLLUURRRRDDRDLULLLLLLURDRRRRRUULLLLDUDLDRRRRLLLUURRRRDD

9 66
DURRRRRRRRDDDLLLULLLRRRRDRRDDLLLLLUULURDRRRLLLDDRRRRRUUUUULLLDDRDL

10 330
RUDLLULUUURRRRRUURRDRDDRDDUULUULULLDDDLULLLLDDDRDRRURRRRLLLLDLLULUUURRRRRUURRDRDDLLRRUULULLDDLLLLLDDDRDRRURRRRUDLLLLDLLULUUURRRRRUURRDRDDLRUULULLDDLLLLLDDDRDRRURUUDDLDLLULUUUURDRRRLLLLDDDRUULURRRLLLDDDRDRRURRRRUURRDULLDDLLLULLRDDLLUUULURRLLDDRRRRDRRRUURRDDLLLLLULLLDDRRURULLRDDLLUUULURDDRRRDRRRRRDDLLUDRRUULLLLLULLLDDRRUDLLUURRDRU

11 84
UUUURURRRDDRDLDRRLUULLLDDDRDRRRRUULLLUUURDRUDLLDLULDDURRUUUULLLDDLDDDDRRUUURURULLULD

12 176
URRRRDDRRUULDDRRUDRRRRRRUULLLLLLLDDLLLLUULLDDRRRRRLLLLRUULLRDLDURRDRRRRRLLLLLUULLDDRRRRURRDLURRURRRRRRDDLLLLLLLRRRUDRRRRUULLDULLLLRRDLLLLRRRRURRDLLLLLRRRRURRRDLLLLLLRRRRRDLLLLL

13 285
ULLLUUULULLDLLDDDRRRRRRRRRRRURDLDRRLLULLLLLLLLLLLULLDRRRRRRRRRRRRRDRULURRDLLLLLLLLLRUUULULLDDDUULLDDDRRRRRRRRRRRRRLLLLLLLLUUULULLRUULDDDDDUULLDDDRRRRRRRRRRRDRULURDLLLLLLLUUULLULDDDDRRRRDDLLLLUDRRRRUULUUULLLLLDDDRRRRRRRRRRRURDLDRLULLLLLLUUULLUUURDDLLDDDDRRRUUULLULDDDUULLDDDRRRRRRRRRRRR

14 37
RDLLLULLUURRDDRDRRULLLUURDDUULLLDRURD

15 79
DRRDDUULRDRRULLULLDDUURRDDUULLDDRLUURRDLRRDLDDLLURURUULRDDLDLLURRRUULLDURRDRRDL

I can't contribute much, so I'll write a walkthrough, heh heh

  • Title: How to find its registration code in memory: (2,000 characters)
  • Author: 6767[BCG]
  • Time: 2001-9-7 16:05:23

How to find its registration code in memory:
by Fpc[CCG]/6767[BCG]


All of the computation comes from this call:

Exported fn(): Regist::RegTwoWar(void()) - Ord:0018h
:00401600 55                      push ebp
:00401601 8BEC                    mov ebp, esp
:00401603 81C4BCFCFFFF            add esp, FFFFFCBC
:00401609 33C0                    xor eax, eax
... ...

One correction: lijing is right, Msimgsiz.cfg (in the Windows folder) is the keyfile.

After some effort I found how the registration code is computed; first look at this section:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E15(C)
|
:00401DF9 8B45FC                  mov eax, dword ptr [ebp-04]
:00401DFC 8A80270D4B00            mov al, byte ptr [eax+004B0D27]        <- part of the keyfile contents
:00401E02 2C64                    sub al, 64                    <- al -= 0x64
:00401E04 8B55FC                  mov edx, dword ptr [ebp-04]
:00401E07 8884152AFFFFFF          mov byte ptr [ebp+edx-000000D6], al        <- save it; used in the comparison below
:00401E0E FF45FC                  inc [ebp-04]
:00401E11 837DFC07                cmp dword ptr [ebp-04], 00000007        <- 7 bytes (actually only 6 are used)
:00401E15 75E2                    jne 00401DF9
:00401E17 C6458F0E                mov [ebp-71], 0E

So what do we do first? Load it with Symbol Loader and set: bpx 401dfc do "d eax+4b0d27". When it breaks, write down the first 6 bytes shown in the data window.


bd * to disable the breakpoints, then set: bpx 401ff8 do "d eax+ebp-13b", because:

:00401FEE C745FC01000000          mov [ebp-04], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402035(C)
|
:00401FF5 8B45FC                  mov eax, dword ptr [ebp-04]
:00401FF8 8A8405C5FEFFFF          mov al, byte ptr [ebp+eax-0000013B]        <- a string generated from the keyfile
:00401FFF 8B55FC                  mov edx, dword ptr [ebp-04]
:00402002 3A84152AFFFFFF          cmp al, byte ptr [ebp+edx-000000D6]        <- compare with the string from above
:00402009 7423                    je 0040202E                    <- if equal, keep comparing

:0040200B C605C40B4B0000          mov byte ptr [004B0BC4], 00            <- otherwise clear the flag
:00402012 C6052E0D4B0000          mov byte ptr [004B0D2E], 00
:00402019 A1C00B4B00              mov eax, dword ptr [004B0BC0]
:0040201E 8B80E8020000            mov eax, dword ptr [eax+000002E8]
:00402024 33D2                    xor edx, edx
:00402026 89500C                  mov dword ptr [eax+0C], edx
:00402029 E91D030000              jmp 0040234B                    <- jump down and return, byebye crackerz

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402009(C)
|
:0040202E FF45FC                  inc [ebp-04]
:00402031 837DFC07                cmp dword ptr [ebp-04], 00000007
:00402035 75BE                    jne 00401FF5                    <- compare the next byte
:00402037 803DC40B4B0000          cmp byte ptr [004B0BC4], 00

When it breaks, add 0x64 to each of the first six bytes in the data window and write down the results. bd * to disable the breakpoints. F5 to let the program run, then exit.

Open Msimgsiz.cfg in UltraEdit and go to file offset 0x220; you will find that the bytes there match the six bytes you recorded the first time. Change them to the sums you obtained above by adding 0x64, save, and exit.

Run the target: the registration item in the About dialog is gone. target beaten!!

BTW: I haven't reached level 15 yet; smart people, please test it quickly.
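
An added illustration of the check traced in the post above (this is not the game's code and is not from the poster): a Python model of the two loops, showing that the whole "registration" is a fixed byte offset and why such a scheme gives no protection. The buffer names, the sample bytes and the start index of the first loop are assumptions; the excerpt only shows the second loop's counter being initialised to 1.

```python
"""
Model of the keyfile check from the disassembly at 00401DF9-00402035.
Added illustration, not the game's code. Assumptions: the first loop
counts over the same indices (1..6) as the second loop, whose counter
is set to 1 at 00401FEE and runs while it is not equal to 7.
"""

DELTA = 0x64        # constant subtracted by 'sub al, 64' at 00401E02
FIRST, LAST = 1, 6  # indices compared ("7 bytes, actually 6 are used")


def derive_expected(keyfile_region):
    """Loop at 00401DF9-00401E15: expected[i] = keyfile[i] - 0x64.
    'sub al' is 8-bit arithmetic, so the result wraps modulo 256."""
    return {i: (keyfile_region[i] - DELTA) & 0xFF for i in range(FIRST, LAST + 1)}


def registration_check(keyfile_region, derived):
    """Loop at 00401FF5-00402035: compare the derived string against the
    stored bytes one at a time; any mismatch takes the path at 0040200B
    that clears the flag and returns."""
    expected = derive_expected(keyfile_region)
    for i in range(FIRST, LAST + 1):
        if derived[i] != expected[i]:
            return False
    return True


def accepting_keyfile_bytes(derived, keyfile_region):
    """Why the scheme is weak: the map from keyfile byte to compared byte is
    a constant offset, so the keyfile content that passes for any derived
    string is just derived + 0x64, as the post describes. Returns a copy of
    the region with bytes FIRST..LAST replaced accordingly."""
    region = bytearray(keyfile_region)
    for i in range(FIRST, LAST + 1):
        region[i] = (derived[i] + DELTA) & 0xFF
    return bytes(region)


# Constructed sample data (not taken from the game): a 7-byte region as it
# would sit at file offset 0x220, and the derived string compared against it.
SAMPLE_KEYFILE = bytes([0x00, 0xA5, 0xB2, 0xC8, 0xD3, 0xE1, 0xF0])
SAMPLE_DERIVED = bytes([0x00, 0x41, 0x4E, 0x64, 0x6F, 0x7D, 0x8C])

if __name__ == "__main__":
    print("registered:", registration_check(SAMPLE_KEYFILE, SAMPLE_DERIVED))
    print("wrong key:", registration_check(SAMPLE_KEYFILE, b"\x00ABCDEF"))
```

The model makes the structural point explicit: a check that compares `f(keyfile)` with an internally derived string, where `f` is an invertible per-byte transform, lets anyone who can observe the derived string compute an accepting keyfile; the derived string itself would need to be unpredictable (and the comparison not observable) for the keyfile to mean anything.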

  • Title: I know where to enter the registration code! (46 characters)
  • Author: pzero
  • Time: 2001-9-7 17:30:58

It's in the About dialog; it just has Visible = False, heh heh. You can bring it back with eXeScope, but you have to kill the restart code first!