美萍反黄专家 版本2.41 破解实录
================
破解时间:2001-10-2
软件简介:该软件对抗TRW、SOFTICE、WD32SM、CRACKCODE等破解工具!
破解形式:注册码
破解工具:trw(调试工具)、pw32dasm(反汇编)、hiew(资源修改工具)
破解作者:绝密档案
作者主页:http://hongjian.126.com
具体破解过程:
第一部分,破解对抗
==============
一、用FI侦测,发现它用ASPACK V2.1加壳,于是用UNASPACK解压!
二、解除发现破解工具立即关机问题!
先运行shield.exe,它会自动检测你的硬盘是否存在以下文件,
如果存在就立即重新启动电脑!黑名单如下:
内存中的:
1、softice
2、trw、
当前目录下的:
1、CRACKCODE
2、WDAS
解决办法:
1、把黑名单上的名字改名!
用EXE编辑工具(如Ultraedit-32)编辑shield.exe,用查找->替换功能,把上述软件的名称替换掉即可!
如把TRW->QHJ;SOFTICE->QHJTICEt等!
...........}......E.^[..
]...........c:\autoexec.
bat.........WINICE...... /// 左边的工具见到了吗?
....REM.........User32..
........TRW.........UR
Soft..U..j.S3.Uh.%G.d.0d
. 3..
................ ///// 左边的工具见到了吗?
...192.168.0.255........
...crackcode...........
wdasm...........softice...
============================
2、找出关机或死机的地址:共六处,调用了两个CALL!
第一处:
|:00473E99(C)
|
:00473EA4 8D45F0
lea eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"TRW"
|
:00473EA7 BA04404700 mov edx,
00474004
:00473EAC E8EFFDF8FF call 00403CA0
// 这里是关机的CALL
//把E8EFFDF8FF 改为9090909090
:00473EB1 8B45F8
mov eax, dword ptr [ebp-08]
:00473EB4 8B10
mov edx, dword ptr [eax]
:00473EB6 FF5214
call [edx+14]
:00473EB9 8BD8
mov ebx, eax
:00473EBB 4B
dec ebx
:00473EBC 85DB
test ebx, ebx
:00473EBE 7C50
jl 00473F10
:00473EC0 43
inc ebx
:00473EC1 C745F400000000 mov [ebp-0C], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
第二处:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047405E(C)
:00474073 84DB
test bl, bl
:00474075 7537
jne 004740AE //改为EB37 可跳过关机的CALL
// 或把以下各个 CALL 00403C5C 改为9090909090
:00474077 A1F8E44700 mov eax,
dword ptr [0047E4F8]
:0047407C 833800
cmp dword ptr [eax], 00000000
:0047407F 752D
jne 004740AE
* Possible StringData Ref from Data Obj ->"]G"
:00474081 A1ECE44700 mov eax,
dword ptr [0047E4EC]
* Possible StringData Ref from Code Obj ->"softice"
:00474086 BAF0404700 mov edx,
004740F0
:0047408B E8CCFBF8FF call 00403C5C
//关机的CALL
* Possible StringData Ref from Data Obj ->"(]G"
:00474090 A124E54700 mov eax,
dword ptr [0047E524]
* Possible StringData Ref from Code Obj ->"trw"
:00474095 BA00414700 mov edx,
00474100
:0047409A E8BDFBF8FF call 00403C5C
//关机的CALL
* Possible StringData Ref from Data Obj ->"8]G"
:0047409F A18CE34700 mov eax,
dword ptr [0047E38C]
* Possible StringData Ref from Code Obj ->"winice"
:004740A4 BA0C414700 mov edx,
0047410C
:004740A9 E8AEFBF8FF call 00403C5C
//关机的CALL
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00474075(C), :0047407F(C)
:004740AE 33C0
xor eax, eax //跳到这里可免关机啦!
第三处:
* Possible StringData Ref from Code Obj ->"c:\autoexec.bat"
|
:00473DC7 BAC03F4700 mov edx,
00473FC0
:00473DCC E8CFFEF8FF call 00403CA0
//否则关机无商量!
// 把 E8ABFEF8FF 改为:9090909090
:00473DD1 8B45F0
mov eax, dword ptr [ebp-10]
:00473DD4 E85F4DF9FF call 00408B38
:00473DD9 84C0
test al, al
:00473DDB 740B
je 00473DE8
:00473DDD 8B55F0
mov edx, dword ptr [ebp-10]
:00473DE0 8B45F8
mov eax, dword ptr [ebp-08]
:00473DE3 8B08
mov ecx, dword ptr [eax]
:00473DE5 FF5158
call [ecx+58]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00473DDB(C)
|
:00473DE8 8D45F0
lea eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"WINICE" 在批处理文件里也不能有WINICE字样!
|
:00473DEB BAD83F4700 mov edx,
00473FD8
:00473DF0 E8ABFEF8FF call 00403CA0 //否则关机无商量!
:00473DF5 8B45F8
mov eax, dword ptr [ebp-08]
// 把E8EFFDF8FF 改为9090909090
:00473DF8 8B10
mov edx, dword ptr [eax]
:00473DFA FF5214
call [edx+14]
:00473DFD 8BD8
mov ebx, eax
:00473DFF 4B
dec ebx
:00473E00 85DB
test ebx, ebx
:00473E02 7C38
jl 00473E3C
:00473E04 43
inc ebx
:00473E05 C745F400000000 mov [ebp-0C], 00000000
第四处:
* Possible StringData Ref from Code Obj ->"WINICE" // 在内存中不能有此,否则虽不关机也死机!
|
:00473DEB BAD83F4700 mov edx,
00473FD8
:00473DF0 E8ABFEF8FF call 00403CA0
// 把 E8ABFEF8FF 改为:9090909090
:00473DF5 8B45F8
mov eax, dword ptr [ebp-08]
:00473DF8 8B10
mov edx, dword ptr [eax]
:00473DFA FF5214
call [edx+14]
:00473DFD 8BD8
mov ebx, eax
:00473DFF 4B
dec ebx
:00473E00 85DB
test ebx, ebx
:00473E02 7C38
jl 00473E3C
:00473E04 43
inc ebx
:00473E05 C745F400000000 mov [ebp-0C], 00000000
第五处:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00473FF7(C)
|
:0047402C 33DB
xor ebx, ebx
:0047402E 8D45FC
lea eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"\\.\SICE" //否则关机无商量!
:00474031 BADC404700 mov edx,
004740DC
:00474036 E865FCF8FF call 00403CA0
// 把E8EFFDF8FF 改为9090909090
:0047403B 6A00
push 00000000
:0047403D 6880000000 push 00000080
:00474042 6A03
push 00000003
:00474044 6A00
push 00000000
:00474046 6A03
push 00000003
:00474048 68000000C0 push C0000000
:0047404D 8B45FC
mov eax, dword ptr [ebp-04]
:00474050 E8F7FFF8FF call 0040404C
:00474055 50
push eax
第六处:
* Possible StringData Ref from Code Obj ->"\\.\NTICE" //否则关机无商量!
|
:0047412D BA90414700 mov edx,
00474190
:00474132 E869FBF8FF call 00403CA0
// 把E8EFFDF8FF 改为9090909090
:00474137 6A00
push 00000000
:00474139 6880000000 push 00000080
:0047413E 6A03
push 00000003
:00474140 6A00
push 00000000
:00474142 6A03
push 00000003
:00474144 68000000C0 push C0000000
:00474149 8B45FC
mov eax, dword ptr [ebp-04]
:0047414C E8FBFEF8FF call 0040404C
:00474151 50
push eax
总结:关机的地址共六处,调用了两个CALL:
1、 call 00403CA0
2、 call 00403C5C
我们也可以修改以上两个CALL,完成工作!
=============================================================
第二部分,找注册码
因为其注册后要重启查证,故反汇编后,从“未注册”处查起,往上找,在其读取注册表数据之前设断点!具体是:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00476D77(C)
|
:00476D86 8B153CFA4700 mov edx, dword
ptr [0047FA3C]
:00476D8C A14CFA4700 mov eax,
dword ptr [0047FA4C]
:00476D91 E8DED3F8FF call 00404174 //
D EDX 可见真的注册码很多位!!
:00476D96 85C0
test eax, eax
:00476D98 7E24
jle 00476DBE
:00476D9A A14CFA4700 mov eax,
dword ptr [0047FA4C]
:00476D9F E8E4D0F8FF call 00403E88
:00476DA4 83F805
cmp eax, 00000005 // 只取前5位进行比较!
:00476DA7 7515
jne 00476DBE
:00476DA9 8B153CFA4700 mov edx, dword
ptr [0047FA3C]
:00476DAF A14CFA4700 mov eax,
dword ptr [0047FA4C]
:00476DB4 E8BBD3F8FF call 00404174
:00476DB9 A398E24700 mov dword
ptr [0047E298], eax
用Keymake 1.2版本做freeRes它的注册机:
一、选择F8-另类注册机!
1、程序名称:shield.exe
2、添加数据:
中断地址:476d91
中断次数:1
第一字节:E8
指令长度:5
=========
再次添加数据:
中断地址:404174
中断次数:1
第一字节:85
指令长度:2
===========
二、选择内存方式 EDX
运行本注册机!一切OK!能显示40位长注册码!但只取其前5位即可!
绝密档案
http://hongjian.126.com
- 标 题:美萍反黄专家 版本2.41 破解实录 (9千字)
- 作 者:qhj
- 时 间:2001-10-4 17:05:11
- 链 接:http://bbs.pediy.com