完美破解ip-tools2.04多谢炎兄的提示啊!!!
------------------------
这个东西好像真的不错,可是不注册在启动的时候会有个让你注册的对话框,让你等的很烦!!!
好!让我们试着crack掉他!
工具: trw2000 windasm ultraedit32
下bpx sendmessage 中断,然后小心按F10,来到004E881E(下面的反汇编列表中这一行的地址是004D881E)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D87DA(C)
|
:004D8817 8B03
mov eax, dword ptr [ebx]
:004D8819 E8E6A8F2FF call 00403104
:004D881E E875F1FFFF call 004D7998<------出现那个注册框,在这里按F9设断,按F8跟进
:004D8823 8B06
mov eax, dword ptr [esi]
:004D8825 E89EB5F5FF call 00433DC8
------------------------------------------------------------------------
* Referenced by a CALL at Address:
|:004D881E
|
:004D7998 55
push ebp
:004D7999 8BEC
mov ebp, esp
:004D799B 33C9
xor ecx, ecx
:004D799D 51
push ecx
:004D799E 51
push ecx
:004D799F 51
push ecx
:004D79A0 51
push ecx
:004D79A1 51
push ecx
:004D79A2 51
push ecx
:004D79A3 53
push ebx
:004D79A4 56
push esi
.
.
.
.
.
.小心按F10来到这里
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D7C95(C)
|
:004D7CA8 6A00
push 00000000
:004D7CAA B81E000000 mov eax,
0000001E
:004D7CAF E8B4B0F2FF call 00402D68
:004D7CB4 8BD0
mov edx, eax
:004D7CB6 6683C205 add
dx, 0005
:004D7CBA 66B91400 mov
cx, 0014
:004D7CBE 66B80100 mov
ax, 0001
:004D7CC2 E80910F3FF call 00408CD0
:004D7CC7 A124134E00 mov eax,
dword ptr [004E1324]
:004D7CCC DD18
fstp qword ptr [eax]
:004D7CCE 9B
wait
:004D7CCF E8E4FBFFFF call 004D78B8
:004D7CD4 84C0
test al, al
:004D7CD6 740D
je 004D7CE5<------跳到烦人窗口,nop掉.
:004D7CD8 B80A000000 mov eax,
0000000A
:004D7CDD E886B0F2FF call 00402D68
:004D7CE2 48
dec eax
:004D7CE3 7544
jne 004D7D29<------跳过烦人窗口 改为jmp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D7CD6(C)
|
:004D7CE5 B001
mov al, 01
:004D7CE7 E89844FDFF call 004AC184<---------出现烦人窗口
:004D7CEC EB3B
jmp 004D7D29
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D7C8B(C)
|
:004D7CEE 6A00
push 00000000
:004D7CF0 B82D000000 mov eax,
0000002D
:004D7CF5 E86EB0F2FF call 00402D68
好了,该处理他的自校验问题了:程序会算出一个校验值来判断自己是否被改动过.
用windasm查找字符串 Program was corrupted
* Possible StringData Ref from Code Obj ->"] SelfTest .."
|
:004D84BA 689C884D00 push 004D889C
:004D84BF 8D45F0
lea eax, dword ptr [ebp-10]
:004D84C2 BA03000000 mov edx,
00000003
:004D84C7 E83CBBF2FF call 00404008
:004D84CC 8B55F0
mov edx, dword ptr [ebp-10]
:004D84CF 8B03
mov eax, dword ptr [ebx]
:004D84D1 8B80DC010000 mov eax, dword
ptr [eax+000001DC]
:004D84D7 8B8030010000 mov eax, dword
ptr [eax+00000130]
:004D84DD 8B08
mov ecx, dword ptr [eax]
:004D84DF FF5134
call [ecx+34]
:004D84E2 E861CEFBFF call 00495348
F8追进这个call(1)
:004D84E7 8B1590124E00 mov edx, dword
ptr [004E1290]
:004D84ED 3B82B4000000 cmp eax, dword
ptr [edx+000000B4]<---注意这个eax的值.如果你crack了他,eax返回值就不是33fe9a19
:004D84F3 740F
je 004D8504<-------跳过校验.可以让程序运行了.
* Possible StringData Ref from Code Obj ->"Program was corrupted !"
|
:004D84F5 B8B4884D00 mov eax,
004D88B4
:004D84FA E801C2F6FF call 00444700
:004D84FF E926030000 jmp 004D882A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D84F3(C)
|
:004D8504 687C884D00 push 004D887C
:004D8509 E8F60BF3FF call 00409104
:004D850E 83C4F8
add esp, FFFFFFF8
:004D8511 DD1C24
fstp qword ptr [esp]
:004D8514 9B
wait
:004D8515 8D45EC
lea eax, dword ptr [ebp-14]
------------------------------------------------------------------------------
(1)
按F10慢慢来到这个地方
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00495479(C)
|
:004953F8 8D85F4BFFFFF lea eax, dword
ptr [ebp+FFFFBFF4]
:004953FE 33C9
xor ecx, ecx
:00495400 BA00400000 mov edx,
00004000
:00495405 E83ED9F6FF call 00402D48
:0049540A 8D45F8
lea eax, dword ptr [ebp-08]
:0049540D 50
push eax
:0049540E 8D95F4BFFFFF lea edx, dword
ptr [ebp+FFFFBFF4]
:00495414 B900400000 mov ecx,
00004000
:00495419 8D85A8BEFFFF lea eax, dword
ptr [ebp+FFFFBEA8]
:0049541F E83800F7FF call 0040545C
:00495424 8B75F8
mov esi, dword ptr [ebp-08]
:00495427 85F6
test esi, esi
:00495429 7903
jns 0049542E
:0049542B 83C603
add esi, 00000003
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00495429(C)
|
:0049542E C1FE02
sar esi, 02
:00495431 46
inc esi
:00495432 85F6
test esi, esi
:00495434 7E36
jle 0049546C
:00495436 BF01000000 mov edi,
00000001
:0049543B 8D9DF4BFFFFF lea ebx, dword
ptr [ebp+FFFFBFF4]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049546A(C)
|
:00495441 89BDA0BEFFFF mov dword ptr
[ebp+FFFFBEA0], edi
:00495447 DB85A0BEFFFF fild dword ptr
[ebp+FFFFBEA0]
:0049544D DB2DC8544900 fld tbyte ptr
[004954C8]
:00495453 DEC9
fmulp st(1), st(0)
:00495455 D805D4544900 fadd dword ptr
[004954D4]
:0049545B E810D7F6FF call 00402B70
:00495460 F72B
imul dword ptr [ebx]
:00495462 0145FC
add dword ptr [ebp-04], eax
:00495465 47
inc edi
:00495466 83C304
add ebx, 00000004
:00495469 4E
dec esi
:0049546A 75D5
jne 00495441
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004953F6(U), :00495434(C)
|
:0049546C 8D85A8BEFFFF lea eax, dword
ptr [ebp+FFFFBEA8]
:00495472 E8E900F7FF call 00405560
:00495477 84C0
test al, al
:00495479 0F8479FFFFFF je 004953F8<-----------这个循环是自校验部分,得出eax值,用来判断程序是否改动过.
:0049547F 8A45F4
mov al, byte ptr [ebp-0C]
:00495482 8B15FC164E00 mov edx, dword
ptr [004E16FC]
:00495488 8802
mov byte ptr [edx], al
:0049548A 8D85A8BEFFFF lea eax, dword
ptr [ebp+FFFFBEA8]在此处ebp-04应该为33fe9a19
:00495490 E88F00F7FF call 00405524
改为 mov eax,33fe9a19
:00495495 8B45FC
mov eax, dword ptr [ebp-04]此处nop掉.改为909090
:00495498 A3E0CA4D00 mov dword
ptr [004DCAE0], eax 这个004dcae0就是我们crack后一些功能受限制的罪魁祸首:自校验算出的值被保存在这里.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004953CA(C), :004953F0(C)
|
:0049549D 33C0
xor eax, eax
:0049549F 5A
pop edx
:004954A0 59
pop ecx
:004954A1 59
pop ecx
:004954A2 648910
mov dword ptr fs:[eax], edx
:004954A5 68BD544900 push 004954BD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004954BB(U)
|
:004954AA 8D85A4BEFFFF lea eax, dword
ptr [ebp+FFFFBEA4]
:004954B0 E817E8F6FF call 00403CCC
:004954B5 C3
ret
:004954B6 E915E2F6FF jmp 004036D0
:004954BB EBED
jmp 004954AA
:004954BD 8B45FC
mov eax, dword ptr [ebp-04]
:004954C0 5F
pop edi
:004954C1 5E
pop esi
:004954C2 5B
pop ebx
:004954C3 8BE5
mov esp, ebp
:004954C5 5D
pop ebp
:004954C6 C3
ret
ping的功能可以用了,爽啊!嘿嘿~~~~~~但是好像大家都有注册码啊!!!呵呵~~~~~~~~
不对之处请大家指正!!!
- 标 题:完美破解ip-tools2.04,不对之处请大家指正. (8千字)
- 作 者:雁南飞
- 时 间:2002-2-5 14:06:44
- 链 接:http://bbs.pediy.com