www.3q1.com
If the program detects that you have modified it, it reboots your Windows:
00404811 7417 -> EB17
00404F9D 741E -> EB1E
Keyfile: \system\syscagd.dat protection
Level solutions (level number, move count, then the moves as L/R/U/D):

Level 1 (97 moves):
LLDDDDLDDRRULDLURULLLDLUUDRRRRUUUURRDLULDDDDLDDRRULDLURULLLDLUDURRRRUUUURRDDLULDDDLDDRRULDLURULLL

Level 2 (55 moves):
LDLLDDLDDRRURRDRUDULLLDUDLLUURUURRDDUULLDDLDDRRURRLLDRR

Level 3 (149 moves):
DRRRRUULUURRRURDDDUULLLLDDRULURRURDDDUULLLDDLLURRDRULURRRURDDULLLDDDDLUULURDRULURRURDDULLLDDDDLLLUURUULLDRRRRDRULURRRURDLLLLDDLLLDDRULURRRDRUULURRURD

Level 4 (82 moves):
DRDRRRLLLULDDLLDDRRUUUULURRRLDDLDDDLLURDRUUUULURRDDRRRDDLLUDRRUULLLULDDLDDRUUUULUR

Level 5 (237 moves):
DRRURURRDDLURULDLUDLDLLURRRURRDDLUUDRDRRRULLDULDLURULDLLLUUDDRRRRRRRLUUULULLLULLDDDDUUUURRDRRRDRDDDDLLULLLDLLURRRLRRDRUUDLLRRRRUUULULLLLULDDDDUUURRRRRDRDDDLLLLLDLLURRRLLUUUURRRRRDRDDDDLLLULLLUUUUURRDRRRURDDDDUUULLLLLLDDDDDRURRDRRRRULLDLU

Level 6 (71 moves):
RRRLLLDDDUDDUUUUDDRRDRRRLUDLLURRRLLLLLLRUURRRDULLLDDRRRRLURLDLLLLRDRRRR

Level 7 (74 moves):
DLLLUUDDDUUULLLDDDDRRRLRUURRRUULLLRRRDDLURULDDLLDDLLLUURRRLLDLDRULUUURDLDR

Level 8 (118 moves):
LLLDDLLURLURUURRRRDDDUUULLLLDDRRRLLLUURRRRDDRDLULDULLLDDRULURRRLLLUURRRRDDRDLULLLLLLURDRRRRRUULLLLDUDLDRRRRLLLUURRRRDD

Level 9 (66 moves):
DURRRRRRRRDDDLLLULLLRRRRDRRDDLLLLLUULURDRRRLLLDDRRRRRUUUUULLLDDRDL

Level 10 (330 moves):
RUDLLULUUURRRRRUURRDRDDRDDUULUULULLDDDLULLLLDDDRDRRURRRRLLLLDLLULUUURRRRRUURRDRDDLLRRUULULLDDLLLLLDDDRDRRURRRRUDLLLLDLLULUUURRRRRUURRDRDDLRUULULLDDLLLLLDDDRDRRURUUDDLDLLULUUUURDRRRLLLLDDDRUULURRRLLLDDDRDRRURRRRUURRDULLDDLLLULLRDDLLUUULURRLLDDRRRRDRRRUURRDDLLLLLULLLDDRRURULLRDDLLUUULURDDRRRDRRRRRDDLLUDRRUULLLLLULLLDDRRUDLLUURRDRU

Level 11 (84 moves):
UUUURURRRDDRDLDRRLUULLLDDDRDRRRRUULLLUUURDRUDLLDLULDDURRUUUULLLDDLDDDDRRUUURURULLULD

Level 12 (176 moves):
URRRRDDRRUULDDRRUDRRRRRRUULLLLLLLDDLLLLUULLDDRRRRRLLLLRUULLRDLDURRDRRRRRLLLLLUULLDDRRRRURRDLURRURRRRRRDDLLLLLLLRRRUDRRRRUULLDULLLLRRDLLLLRRRRURRDLLLLLRRRRURRRDLLLLLLRRRRRDLLLLL

Level 13 (285 moves):
ULLLUUULULLDLLDDDRRRRRRRRRRRURDLDRRLLULLLLLLLLLLLULLDRRRRRRRRRRRRRDRULURRDLLLLLLLLLRUUULULLDDDUULLDDDRRRRRRRRRRRRRLLLLLLLLUUULULLRUULDDDDDUULLDDDRRRRRRRRRRRDRULURDLLLLLLLUUULLULDDDDRRRRDDLLLLUDRRRRUULUUULLLLLDDDRRRRRRRRRRRURDLDRLULLLLLLUUULLUUURDDLLDDDDRRRUUULLULDDDUULLDDDRRRRRRRRRRRR

Level 14 (37 moves):
RDLLLULLUURRDDRDRRULLLUURDDUULLLDRURD

Level 15 (79 moves):
DRRDDUULRDRRULLULLDDUURRDDUULLDDRLUURRDLRRDLDDLLURURUULRDDLDLLURRRUULLDURRDRRDL
I can't contribute much, so I'll write a walkthrough, heh.
How to find its registration code in memory:
by Fpc[CCG]/6767[BCG]
All of the computation comes from this call:
Exported fn(): Regist::RegTwoWar(void()) - Ord:0018h
:00401600 55             push ebp
:00401601 8BEC           mov ebp, esp
:00401603 81C4BCFCFFFF   add esp, FFFFFCBC
:00401609 33C0           xor eax, eax
... ...
One correction: lijing is right, Msimgsiz.cfg (in the Windows folder) is the keyfile.
After some effort I found how the registration code is computed. First look at the following section:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E15(C)
|
:00401DF9 8B45FC           mov eax, dword ptr [ebp-04]
:00401DFC 8A80270D4B00     mov al, byte ptr [eax+004B0D27]        <- part of the keyfile contents
:00401E02 2C64             sub al, 64                             <- al -= 0x64
:00401E04 8B55FC           mov edx, dword ptr [ebp-04]
:00401E07 8884152AFFFFFF   mov byte ptr [ebp+edx-000000D6], al    <- saved; used in the comparison below
:00401E0E FF45FC           inc [ebp-04]
:00401E11 837DFC07         cmp dword ptr [ebp-04], 00000007       <- 7 bytes (only 6 are actually used)
:00401E15 75E2             jne 00401DF9
:00401E17 C6458F0E         mov [ebp-71], 0E
So what do you do first? Load it with Symbol Loader and set: bpx 401dfc do "d eax+4b0d27". When it breaks, write down the first 6 bytes shown in the data window.
bd * to disable the breakpoints, then set: bpx 401ff8 do "d eax+ebp-13b", because:
:00401FEE C745FC01000000   mov [ebp-04], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402035(C)
|
:00401FF5 8B45FC           mov eax, dword ptr [ebp-04]
:00401FF8 8A8405C5FEFFFF   mov al, byte ptr [ebp+eax-0000013B]    <- a string generated from the keyfile
:00401FFF 8B55FC           mov edx, dword ptr [ebp-04]
:00402002 3A84152AFFFFFF   cmp al, byte ptr [ebp+edx-000000D6]    <- the string from above; compare
:00402009 7423             je 0040202E                            <- if equal, keep comparing
:0040200B C605C40B4B0000   mov byte ptr [004B0BC4], 00            <- otherwise clear the flag
:00402012 C6052E0D4B0000   mov byte ptr [004B0D2E], 00
:00402019 A1C00B4B00       mov eax, dword ptr [004B0BC0]
:0040201E 8B80E8020000     mov eax, dword ptr [eax+000002E8]
:00402024 33D2             xor edx, edx
:00402026 89500C           mov dword ptr [eax+0C], edx
:00402029 E91D030000       jmp 0040234B                           <- jump down and return, byebye crackerz
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402009(C)
|
:0040202E FF45FC           inc [ebp-04]
:00402031 837DFC07         cmp dword ptr [ebp-04], 00000007
:00402035 75BE             jne 00401FF5                           <- compare the next byte
:00402037 803DC40B4B0000   cmp byte ptr [004B0BC4], 00
When it breaks, add 0x64 to each of the first six bytes in the data window and write down the results. bd * to disable the breakpoints. F5 to let the program run, then exit.
Open Msimgsiz.cfg with UltraEdit and go to file offset 0x220; you will find that the bytes there match the six bytes you noted the first time. Change them to the sums you got by adding 0x64, save, and exit.
Run the target: the registration item in the About dialog disappears. Target beaten!!
BTW: I haven't reached level 15 yet; clever folks, please test it quickly.
In the About dialog it is just Visible = False, heh; you can bring it up with eXeScope, but you have to kill the reboot code first!
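To make the two loops in the listings easier to follow without a debugger, here is a small Python model of them. It is an added example, not code from the post or from the game: the function names, the seven-byte buffers and the sample bytes are constructed here, and the starting index of the first loop is assumed to be 0 because the post does not show its initializer. The model makes the weakness explicit from a design standpoint: the keyfile bytes are transformed by a fixed offset (SUB AL, 64) and then compared byte by byte against a value sitting in readable stack memory, so the transform is trivially reversible and the compare leaks which byte failed.

```python
# Added example: a model of the keyfile check in the disassembly above.
# Buffer names, sample bytes and the first loop's start index are assumptions.

def derive_buffer(keyfile_bytes: bytes, count: int = 7) -> list:
    """Model of the loop at 00401DF9-00401E15: each keyfile byte has 0x64
    subtracted with 8-bit wraparound (what SUB AL does) and is stored in a
    stack buffer at the same index. Index 0 as the start is an assumption."""
    buf = []
    for i in range(count):
        al = keyfile_bytes[i]
        al = (al - 0x64) & 0xFF      # sub al, 64
        buf.append(al)               # mov byte ptr [ebp+edx-D6], al
    return buf

def compare_loop(expected: list, derived: list) -> dict:
    """Model of the loop at 00401FEE-00402037. The counter starts at 1 and
    runs while it is not 7, so only indices 1..6 are compared (six bytes,
    matching the post's "7 bytes, only 6 used"). The first mismatch clears
    the registration flag (byte at 004B0BC4 in the listing) and leaves."""
    flag = 1                          # registered until proven otherwise
    compared = 0
    i = 1                             # mov [ebp-04], 00000001
    while i != 7:                     # cmp [ebp-04], 7 / jne
        compared += 1
        if expected[i] != derived[i]: # cmp al, byte ptr [ebp+edx-D6]
            flag = 0                  # mov byte ptr [004B0BC4], 00
            break                     # jmp 0040234B
        i += 1                        # inc [ebp-04]
    return {"registered": flag == 1, "bytes_compared": compared}

def invert_transform(expected: list) -> bytes:
    """The fixed-offset transform is reversible: adding 0x64 back (mod 256)
    to the expected buffer yields keyfile bytes the check accepts. This is
    exactly why a per-byte compare against a reversible transform of the
    file is not a meaningful protection."""
    return bytes((e + 0x64) & 0xFF for e in expected)

def run_check(keyfile_bytes: bytes, expected: list) -> dict:
    """Run both loops on a keyfile image and report the outcome."""
    return compare_loop(expected, derive_buffer(keyfile_bytes))

if __name__ == "__main__":
    # Constructed sample: the "string generated from the keyfile" at ebp-13B.
    sample_expected = [0x00, 0x10, 0x20, 0x30, 0x40, 0xC8, 0x60]
    good = invert_transform(sample_expected)
    print(run_check(good, sample_expected))      # registered, 6 bytes compared
    bad = bytearray(good)
    bad[3] ^= 0x01                                # corrupt one byte
    print(run_check(bytes(bad), sample_expected)) # fails at the 3rd compare
```

Note the wraparound case (0xC8 + 0x64 exceeds a byte) and that byte 0 of the buffer never influences the result, since the compare starts at index 1. The early exit also means the number of bytes compared reveals the position of the first mismatch, a classic reason to avoid byte-wise short-circuit comparisons of secrets.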