½ñÌìÎÒcrackingÁËÓÐÉùÓÐÉ« 3.10£¬ ÏÂÔØµØµãhttp://www.newhua.com.cn/down/you310.zip,
ËüÊÇÓÃaspack 2.1¼ÓµÄ¿Ç£¬ÎÒÒѳɹ¦µØ½«Ëüunpack, crack down, µ«ÎÒÏëÏÖÔÚÏëдһ¸öpatch, Ò»¸öÖ±½ÓÔÚËüµÄÔÎļþMusRea.exeÉÏдÉÏpatch´úÂ룬¼´ÔÚ.Aspack
section×îºóµÄÎÞ´úÂ벿·Ö¼ÓÉÏÎÒµÄpatch´úÂ룬µ«Ëƺõ²»³É¹¦£¬Íû¸ßÊÖÄܴͽ̣º
·ÖÎö¹ý³ÌÈçÏ£º
ÔÚ.Aspack sectionÒ»½Ú, ×îºóÒª·µ»ØÔ³ÌÐòentry pointǰµÄ·´»ã±à´úÂëÈçÏ£º
:004CC4F3 61
popad
:004CC4F4 7508
jne 004CC4FE
* Possible Reference to String Resource ID=00001: "™™™DDDD™™™™DDA™™™™™DD™™™™™DD™™™™™DD™™™™Ÿ™D™Ÿ™™ÿ™‘D?ù™ÿ?
|
:004CC4F6 B801000000 mov eax,
00000001
:004CC4FB C20C00
ret 000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CC4F4(C)
|
:004CC4FE 6800000000 push 00000000
<==½«´Ë´¦¸ÄΪE99D1F0000
:004CC503 C3
ret <==´Ó´Ë·µ»ØÔ³ÌÐòentry point
ÎÒµÄ˼·½«:004CC4FE´¦´úÂë¸ÄΪ jmp 004ce434, :004ce434Ϊ.Aspack sectionÒ»½ÚÎÞ´úÂë´¦£¬ÔÚ´Ë´¦ÎÒдÈëÎÒµÄpatch´úÂ룬¼´:
mov dword ptr [0048A4E1], 90E98002
push 00000000
ret
HEXÖµ£ºC705E1A448000280E9906800000000C3,
ÕâÖÖ˼·ÎÒÔÚÀÏÍâµÄtutorÀï¿´µ½¹ý£¬µ«ÎҵIJâÊÔδͨ¹ý£¬Çë¸ßÈËÖ¸µã¡£
¸½£ºÎÒдµÄ¹ØÓÚÈçºÎÆÆ½âÓÐÉùÓÐÉ« 3.10µÄtutor
Target file : MusRea.exe
Packer: Aspack 2.1
Compiler: Delphi 5.0
cracking tutorial:
1.unpacking target file with your favorite tools , eg. softice or trw, I prefer
to use UnAspack 1.0.9.1
2.Using ProcDump change the Section Characteristics for the CODE section to
0xE0000020. (you must master PE file format, or you don't understand it. :-()
3.Disassemble the target file
4.anlysis the source code:
:0048A4D4 8B8318050000 mov eax, dword
ptr [ebx+00000518]
:0048A4DA 83B8380100001E cmp dword ptr [eax+00000138],
0000001E <== see if you have used 30 times
:0048A4E1 0F8498000000 je 0048A57F
:0048A4E7 8B831C050000 mov eax, dword
ptr [ebx+0000051C]
:0048A4ED 8B10
mov edx, dword ptr [eax]
:0048A4EF FF92B4000000 call dword ptr
[edx+000000B4]
:0048A4F5 3C01
cmp al, 01
:0048A4F7 0F8482000000 je 0048A57F
:0048A4FD 8B8324050000 mov eax, dword
ptr [ebx+00000524]
:0048A503 8B10
mov edx, dword ptr [eax]
:0048A505 FF92B4000000 call dword ptr
[edx+000000B4]
:0048A50B 3C01
cmp al, 01
:0048A50D 7470
je 0048A57F
:0048A50F 8B8328050000 mov eax, dword
ptr [ebx+00000528]
:0048A515 8B10
mov edx, dword ptr [eax]
:0048A517 FF92B4000000 call dword ptr
[edx+000000B4]
:0048A51D 3C01
cmp al, 01
:0048A51F 745E
je 0048A57F
:0048A521 8B832C050000 mov eax, dword
ptr [ebx+0000052C]
:0048A527 8B10
mov edx, dword ptr [eax]
:0048A529 FF92B4000000 call dword ptr
[edx+000000B4]
:0048A52F 3C01
cmp al, 01
:0048A531 744C
je 0048A57F
:0048A533 8B8330050000 mov eax, dword
ptr [ebx+00000530]
:0048A539 8B10
mov edx, dword ptr [eax]
:0048A53B FF92B4000000 call dword ptr
[edx+000000B4]
:0048A541 3C01
cmp al, 01
:0048A543 743A
je 0048A57F
:0048A545 8B8330050000 mov eax, dword
ptr [ebx+00000530]
:0048A54B 8B10
mov edx, dword ptr [eax]
:0048A54D FF92B4000000 call dword ptr
[edx+000000B4]
:0048A553 3C01
cmp al, 01
:0048A555 7428
je 0048A57F
:0048A557 8B8334050000 mov eax, dword
ptr [ebx+00000534]
:0048A55D 8B10
mov edx, dword ptr [eax]
:0048A55F FF92B4000000 call dword ptr
[edx+000000B4]
:0048A565 3C01
cmp al, 01
:0048A567 7416
je 0048A57F
:0048A569 8B833C050000 mov eax, dword
ptr [ebx+0000053C]
:0048A56F 8B10
mov edx, dword ptr [eax]
:0048A571 FF92B4000000 call dword ptr
[edx+000000B4]
:0048A577 3C01
cmp al, 01
:0048A579 0F85E2010000 jne 0048A761
<==if everything OK, you should jump to 0048A761 from it.
Through the analysis, you can change the code at :0048A4DA to
jmp 0048A761, I think you know how to modify HEX value, do it yourself. Do you
understand? let me know.
5.run the target file again, see what happen? Bingo! The limit use 30
times is removed.
DO NOT USE THIS TUTOR FOR COMMERICAL PURPOSE, IF YOU LIKE THIS PROGRAM, PLEASE
PAY THE AUTHOR'S HARD WORK, THE REGISTER FEE IS ONLY TEN YUAN.
- ±ê Ì⣺how to write patch for ÓÐÉùÓÐÉ« 3.10.txt (4ǧ×Ö)
- ×÷ ÕߣºdREAMtHEATER
- ʱ ¼ä£º2000-8-20 20:24:26
- Á´ ½Ó£ºhttp://bbs.pediy.com