  • Title: how to write patch for 有声有色 3.10.txt (4,000 chars)
  • Author: dREAMtHEATER
  • Time: 2000-8-20 20:24:26
  • Link: http://bbs.pediy.com

Today I cracked 有声有色 3.10 (download: http://www.newhua.com.cn/down/you310.zip). It is packed with aspack 2.1; I have successfully unpacked it and cracked it, but now I want to write a patch, one that writes the patch code directly into the original file MusRea.exe, that is, adds my patch code in the code-free area at the end of the .Aspack section. It doesn't seem to work, though, so I hope an expert can enlighten me:

The analysis went as follows:

In the .Aspack section, the disassembly just before the final return to the original program's entry point is:


:004CC4F3 61                      popad
:004CC4F4 7508                    jne 004CC4FE

* Possible Reference to String Resource ID=00001: "™™™DDDD™™™™DDA™™™™™DD™™™™™DD™™™™™DD™™™™Ÿ™D™Ÿ™™ÿ™‘D?ù™ÿ?
                                  |
:004CC4F6 B801000000              mov eax, 00000001
:004CC4FB C20C00                  ret 000C



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CC4F4(C)
|
:004CC4FE 6800000000              push 00000000  <== change this to E99D1F0000
:004CC503 C3                      ret    <== returns to the original program's entry point from here

My idea: change the code at :004CC4FE to jmp 004ce434; :004ce434 is a code-free spot in the .Aspack section, and there I write my patch code, namely:
mov dword ptr [0048A4E1], 90E98002
push 00000000
ret

HEX value: C705E1A448000280E9906800000000C3,
I have seen this approach in foreign tutorials, but my test did not pass; please point out what is wrong.

Appendix: my tutorial on how to crack 有声有色 3.10

Target file : MusRea.exe
Packer: Aspack 2.1
Compiler: Delphi 5.0

cracking tutorial:

1. Unpack the target file with your favorite tools, e.g. SoftICE or TRW; I prefer to use UnAspack 1.0.9.1.
2. Using ProcDump, change the Section Characteristics of the CODE section to 0xE0000020. (You must master the PE file format, or you won't understand this. :-()
3. Disassemble the target file.
4. Analyze the source code:
:0048A4D4 8B8318050000            mov eax, dword ptr [ebx+00000518]
:0048A4DA 83B8380100001E          cmp dword ptr [eax+00000138], 0000001E  <== see if you have  used 30 times
:0048A4E1 0F8498000000            je 0048A57F
:0048A4E7 8B831C050000            mov eax, dword ptr [ebx+0000051C]
:0048A4ED 8B10                    mov edx, dword ptr [eax]
:0048A4EF FF92B4000000            call dword ptr [edx+000000B4]
:0048A4F5 3C01                    cmp al, 01
:0048A4F7 0F8482000000            je 0048A57F
:0048A4FD 8B8324050000            mov eax, dword ptr [ebx+00000524]
:0048A503 8B10                    mov edx, dword ptr [eax]
:0048A505 FF92B4000000            call dword ptr [edx+000000B4]
:0048A50B 3C01                    cmp al, 01
:0048A50D 7470                    je 0048A57F
:0048A50F 8B8328050000            mov eax, dword ptr [ebx+00000528]
:0048A515 8B10                    mov edx, dword ptr [eax]
:0048A517 FF92B4000000            call dword ptr [edx+000000B4]
:0048A51D 3C01                    cmp al, 01
:0048A51F 745E                    je 0048A57F
:0048A521 8B832C050000            mov eax, dword ptr [ebx+0000052C]
:0048A527 8B10                    mov edx, dword ptr [eax]
:0048A529 FF92B4000000            call dword ptr [edx+000000B4]
:0048A52F 3C01                    cmp al, 01
:0048A531 744C                    je 0048A57F
:0048A533 8B8330050000            mov eax, dword ptr [ebx+00000530]
:0048A539 8B10                    mov edx, dword ptr [eax]
:0048A53B FF92B4000000            call dword ptr [edx+000000B4]
:0048A541 3C01                    cmp al, 01
:0048A543 743A                    je 0048A57F
:0048A545 8B8330050000            mov eax, dword ptr [ebx+00000530]
:0048A54B 8B10                    mov edx, dword ptr [eax]
:0048A54D FF92B4000000            call dword ptr [edx+000000B4]
:0048A553 3C01                    cmp al, 01
:0048A555 7428                    je 0048A57F
:0048A557 8B8334050000            mov eax, dword ptr [ebx+00000534]
:0048A55D 8B10                    mov edx, dword ptr [eax]
:0048A55F FF92B4000000            call dword ptr [edx+000000B4]
:0048A565 3C01                    cmp al, 01
:0048A567 7416                    je 0048A57F
:0048A569 8B833C050000            mov eax, dword ptr [ebx+0000053C]
:0048A56F 8B10                    mov edx, dword ptr [eax]
:0048A571 FF92B4000000            call dword ptr [edx+000000B4]
:0048A577 3C01                    cmp al, 01
:0048A579 0F85E2010000            jne 0048A761  <==if everything OK,  you should jump to 0048A761 from it.

    Through this analysis, you can change the code at :0048A4DA to jmp 0048A761. I think you know how to modify the HEX value, so do it yourself. Do you understand? Let me know.
5. Run the target file again and see what happens. Bingo! The 30-use limit is removed.

DO NOT USE THIS TUTOR FOR COMMERCIAL PURPOSES. IF YOU LIKE THIS PROGRAM, PLEASE PAY FOR THE AUTHOR'S HARD WORK; THE REGISTRATION FEE IS ONLY TEN YUAN.

  • Title: SEH succeeded, but after using the original version more than 30 times, the cracked version doesn't work any more either. Who can teach me? (1,000 chars)
  • Author: 小楼
  • Time: 2000-8-20 23:58:28

How to patch 有声有色 3.10
    For once I'm in a good mood today, so I'm going to study SEH; I'll use 有声有色 3.10 as the guinea pig (someone has already cracked it, so there is no need to go hunting for the code again).
    1. Load the main program MUSREA.EXE with PROCDUMP; the base address is 00400000. To find the program's entry point I used D.BOY's 冲击波2000 and found it to be 0048A410. So offset = 0048a410 - 00400000 = 0008a410. Searching for 10 a4 08 in ULTRAEDIT finds a single address, 0004c49d. Because I want it to run my PATCH CODE first, I'll put the patch at 000003d0, so at 0004c49d I change 10 a4 08 to d0 03 00.
   
    2. Patch code.
      First, thanks to 十三少 and dREAMtHEATER for their work; I know that
        cs:0048A4E1 0F8498000000      je  0048A57F   should be changed to
                    eb74              jmp 0048A561
                    9090              nop
                    9090              nop

      Unlike the article I saw by [PC/MFD], **** iNLiNE pATCHiNG A pROGRAM pACKED WiTH ASProtect - by Predator, I found it has to be modified like this.
 
      At 000003d0, write the following code with hiew:
      000003d0:  0000                I found that after jumping here you can't
                                      write the patch directly; a transition is needed.
      000003d2:  66c705e1a44800eb74  patch code 1
      000003db:  66c705e3a448009090  patch code 2
      000003e4:  66c705e5a448009090  patch code 3
      000003ed:  6810e44800          push the real entry point
      000003f2:  c3                  return

    OK, job done.
    Finished my first SEH work.
    Today is also the day I first successfully cracked a VB6 program, Dr salamn's powertools.

  • Title: sorry, I misread; it should be PATCHed like this (148 chars)
  • Author: 小楼
  • Time: 2000-8-22 13:56:03

      000003d2:  66c705e1a44800e9eb  patch code 1
      000003db:  66c705e3a448000200  patch code 2
      000003e4:  66c705e5a448000090  patch code 3
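Both dREAMtHEATER's stub (the `jmp` from the packer's exit into a cave, a `mov dword ptr [abs], imm32` store and `push`/`ret`) and 小楼's three `66 C7 05` word stores are the same construction hand-assembled from hex. The Python below is an added example, not code from the thread, that encodes those instructions and simulates what the stores leave in memory, so a hand-computed rel32 displacement or little-endian immediate can be checked before it is written into a file; the thread's addresses are reused only as constructed sample input, and the function names are my own.

```python
import struct

def jmp_rel32(src_va, dst_va):
    """E9 rel32: the displacement is relative to the END of the 5-byte jmp."""
    return b"\xe9" + struct.pack("<i", dst_va - (src_va + 5))

def jmp_target(src_va, code):
    """Decode an E9 rel32 located at src_va back to its destination address."""
    assert len(code) == 5 and code[0] == 0xE9
    return src_va + 5 + struct.unpack("<i", code[1:])[0]

def store_imm(addr, data):
    """mov dword/word/byte ptr [addr], imm for a 4-, 2- or 1-byte chunk.
    The immediate is little-endian, so data[0] is the byte that lands at addr."""
    prefix, opcode = {4: (b"", b"\xc7"), 2: (b"\x66", b"\xc7"), 1: (b"", b"\xc6")}[len(data)]
    return prefix + opcode + b"\x05" + struct.pack("<I", addr) + data

def stores_for(addr, data):
    """Cover an arbitrary byte string with 4-, 2- and 1-byte absolute stores."""
    out, off = b"", 0
    while off < len(data):
        n = 4 if len(data) - off >= 4 else 2 if len(data) - off >= 2 else 1
        out += store_imm(addr + off, data[off:off + n])
        off += n
    return out

def build_stub(writes, oep):
    """Cave body: apply every (addr, bytes) write, then push oep; ret."""
    body = b"".join(stores_for(a, d) for a, d in writes)
    return body + b"\x68" + struct.pack("<I", oep) + b"\xc3"

def simulate_stores(code, base_va, image):
    """Apply the C7 05 / 66 C7 05 / C6 05 stores in code to a bytearray image
    mapped at base_va; stops at the first non-store opcode (the push/ret tail)."""
    i = 0
    while i < len(code):
        width = 4
        if code[i] == 0x66:             # operand-size prefix -> 16-bit store
            width, i = 2, i + 1
        if code[i] == 0xC6:             # mov byte ptr [abs], imm8
            width = 1
        elif code[i] != 0xC7:           # not a mov-to-memory: stores are over
            break
        if code[i + 1] != 0x05:         # ModRM 05 = disp32 absolute address
            break
        off = struct.unpack("<I", code[i + 2:i + 6])[0] - base_va
        image[off:off + width] = code[i + 6:i + 6 + width]
        i += 6 + width
    return image
```

Running `simulate_stores` over two differently split store sequences for the same bytes (one dword plus one word, or three words) yields an identical image, which is the quickest way to confirm that a hand-assembled sequence really deposits the intended bytes at the intended address.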