//----------------------------------------------------------------------------------------------------------------- // Photoshop CS4 文件大是50MB,是我第一次破的件,我花了一天反的跟..~! // 幸好ADOBE比良心,未加,我不是破解高手~~!只是一的,然在我破完後,上早就有破解丁,我是很失 // 落~!出大家,希望有所需要的朋友有所助. // 破解需要注意的文件atmlib.dll,atmserver.dll文件,起初打算在PS部JMP,但是,我最不喜PS,一是50MB的, // 另一是最不想手修改文件,原汁原味我最喜.od加的候注意,由於平凡的等待服和程,致F8和F7跟的候卡住, // 法是在卡住的函後F2,然後重新加,F9到,最好取消,如果中途耽比多,估後面卡住,如此反. // 需要注意的是50MB,OD分析有一整子,可以直接按空格止,每次加都分析,很~! // 我就不略太多的代了.只把出~! // -By EasyStudy // 看雪技: http://bbs.pediy.com // 2010.02.12 深夜 //----------------------------------------------------------------------------------------------------------------- // 入口: 0114E32A > E8 E5040000 call 0114E814 0114E32F ^ E9 35FDFFFF jmp 0114E069 0114E334 CC int3 0114E335 CC int3 0114E336 CC int3 0114E337 CC int3 0114E338 CC int3 0114E339 CC int3 // WinMain函: 010CEF20 81EC 00050000 sub esp, 500 010CEF26 A1 34039101 mov eax, dword ptr [1910334] 010CEF2B 33C4 xor eax, esp 010CEF2D 898424 FC040000 mov dword ptr [esp+4FC], eax 010CEF34 8B8424 04050000 mov eax, dword ptr [esp+504] 010CEF3B 8B8C24 08050000 mov ecx, dword ptr [esp+508] 010CEF42 53 push ebx 010CEF43 55 push ebp 010CEF44 56 push esi 010CEF45 57 push edi 010CEF46 33FF xor edi, edi 010CEF48 894424 18 mov dword ptr [esp+18], eax 010CEF4C 894C24 20 mov dword ptr [esp+20], ecx 010CEF50 897C24 10 mov dword ptr [esp+10], edi 010CEF54 897C24 14 mov dword ptr [esp+14], edi 010CEF58 FF15 F4925801 call dword ptr [<&KERNEL32.GetCommand>; kernel32.GetCommandLineW // 010CF335 C605 1B63AB01 0>mov byte ptr [1AB631B], 1 010CF33C E8 9FFF43FF call 0050F2E0 ;入 010CF341 A1 309AAC01 mov eax, dword ptr [1AC9A30] 010CF346 3BC7 cmp eax, edi // 0050F45E 53 push ebx 0050F45F 68 C4DA8D01 push 018DDAC4 0050F464 68 A8DA8D01 push 018DDAA8 0050F469 53 push ebx 0050F46A 50 push eax 0050F46B E8 ECE6C300 call <jmp.&MSVCR80.__RTDynamicCast> 0050F470 8BF0 mov esi, eax 0050F472 6A 0A push 0A 0050F474 8975 E0 mov dword ptr [ebp-20], esi 0050F477 E8 5410BF00 call 
011004D0 0050F47C 83C4 18 add esp, 18 0050F47F E8 3C08BF00 call 010FFCC0 0050F484 8BCE mov ecx, esi 0050F486 885D EF mov byte ptr [ebp-11], bl 0050F489 E8 D2717500 call 00C66660 ;但是需要去 0050F48E 68 40891001 push 01108940 0050F493 FF15 28985801 call dword ptr [<&MSVCR80.set_unexpec>; MSVCR80.set_unexpected 0050F499 68 20F25000 push 0050F220 0050F49E FF15 2C985801 call dword ptr [<&MSVCR80.set_termina>; MSVCR80.set_terminate 0050F4A4 83C4 08 add esp, 8 0050F4A7 8945 D8 mov dword ptr [ebp-28], eax 0050F4AA C645 FC 04 mov byte ptr [ebp-4], 4 0050F4AE E8 6D99EFFF call 00408E20 0050F4B3 84C0 test al, al 0050F4B5 0F85 E9000000 jnz 0050F5A4 ;就能JMP了,只是每次有那框 0050F4BB C645 FC 05 mov byte ptr [ebp-4], 5 0050F4BF E8 0CB7AF00 call AIF::float4x4::~float4x4 0050F4C4 E8 07B7AF00 call AIF::float4x4::~float4x4 0050F4C9 E8 2282B300 call 010476F0 0050F4CE E8 DD3FB500 call 010634B0 0050F4D3 E8 F8B6AF00 call AIF::float4x4::~float4x4 0050F4D8 E8 338DB300 call 01048210 0050F4DD 8BCE mov ecx, esi 0050F4DF E8 5C8D7500 call 00C68240 0050F4E4 8B0D 74638F01 mov ecx, dword ptr [18F6374] ; Photosho.01AB1118 0050F4EA E8 B16B6A00 call 00BB60A0 0050F4EF C745 FC 0400000>mov dword ptr [ebp-4], 4 0050F4F6 EB 55 jmp short 0050F54D // 00C6674F 66:A3 0C63AB01 mov word ptr [1AB630C], ax 00C66755 C605 91A2AC01 0>mov byte ptr [1ACA291], 0 00C6675C C605 A0A2AC01 0>mov byte ptr [1ACA2A0], 0 00C66763 C605 9AA2AC01 0>mov byte ptr [1ACA29A], 1 00C6676A C705 9CA2AC01 F>mov dword ptr [1ACA29C], 0FFFF 00C66774 C705 0863AB01 0>mov dword ptr [1AB6308], 0 00C6677E E8 0D3C7AFF call 0040A390 ;去 00C66783 E8 98267AFF call 00408E20 00C66788 84C0 test al, al 00C6678A 75 34 jnz short 00C667C0 00C6678C E8 1FE51000 call 00D74CB0 00C66791 33C0 xor eax, eax 00C66793 33F6 xor esi, esi 00C66795 0FBFC8 movsx ecx, ax 00C66798 80CA FF or dl, 0FF 00C6679B 2AD0 sub dl, al // 0040A6D6 68 08BD9201 push 0192BD08 0040A6DB 68 04BD9201 push 0192BD04 0040A6E0 8D4C24 54 lea ecx, dword ptr [esp+54] 0040A6E4 51 push ecx 0040A6E5 53 push ebx 
0040A6E6 68 A0BC9201 push 0192BCA0 0040A6EB 50 push eax 0040A6EC 6A 01 push 1 0040A6EE 56 push esi 0040A6EF 57 push edi 0040A6F0 55 push ebp 0040A6F1 FF15 00BC9201 call dword ptr [192BC00] ; amtlib.AMTObtainProductLicense ;去 0040A6F7 8B7C24 74 mov edi, dword ptr [esp+74] //--------------------------------------------------------------------------------------------------------- // // 跟到: 0811652B > \55 push ebp 0811652C . 8B6C24 10 mov ebp, dword ptr [esp+10] 08116530 . 57 push edi 08116531 . 8B7C24 20 mov edi, dword ptr [esp+20] 08116535 . 57 push edi 08116536 . C605 2A2F3908>mov byte ptr [8392F2A], 1 0811653D . 893D 0C2F3908 mov dword ptr [8392F0C], edi 08116543 . 892D 0CC03608 mov dword ptr [836C00C], ebp 08116549 . E8 92F3FFFF call AMTPreObtainProductLicense 0811654E . A1 182F3908 mov eax, dword ptr [8392F18] 08116553 . 50 push eax 08116554 . E8 872B0F00 call 082090E0 08116559 . 83C4 08 add esp, 8 0811655C . 833D 082F3908>cmp dword ptr [8392F08], 0 ;F2 ->F9 ->F2 // 再跟就到了: 08133304 |> /50 /push eax 08133305 |. |56 |push esi 08133306 |. |68 948A3308 |push 08338A94 ; ASCII "App Product Locale [%d] = %s" 0813330B |. |68 8C8A3308 |push 08338A8C ; ASCII "%d %s" 08133310 |. |6A 04 |push 4 08133312 |. |68 20483308 |push 08334820 ; ASCII "AMT" 08133317 |. |E8 644AFEFF |call 08117D80 0813331C |. |50 |push eax 0813331D |. |E8 6E060D00 |call 08203990 08133322 |. |8B44B7 04 |mov eax, dword ptr [edi+esi*4+4] 08133326 |. |83C6 01 |add esi, 1 08133329 |. |83C4 1C |add esp, 1C 0813332C |. |85C0 |test eax, eax 0813332E |.^\75 D4 \jnz short 08133304 // 往下: 081333E3 |. 51 push ecx 081333E4 |. 8B4C24 74 mov ecx, dword ptr [esp+74] 081333E8 |. 52 push edx 081333E9 |. 8B5424 74 mov edx, dword ptr [esp+74] 081333ED |. 51 push ecx 081333EE |. 52 push edx 081333EF |. 50 push eax 081333F0 |. 8B4424 70 mov eax, dword ptr [esp+70] 081333F4 |. 50 push eax 081333F5 |. 8BCD mov ecx, ebp 081333F7 |. E8 04F1FFFF call 08132500 // 再往下:基本已束了,需要在上面函做理: 08133463 |. 
8B4D 14 mov ecx, dword ptr [ebp+14] 08133466 |. E8 C5BAFEFF call 0811EF30 0813346B |. 84C0 test al, al 0813346D |. 74 2F je short 0813349E 0813346F |. 68 C0893308 push 083389C0 ; ASCII "This is a subsequent launch. Deferring services." 08133474 |. 6A 00 push 0 08133476 |. 6A 04 push 4 08133478 |. 68 20483308 push 08334820 ; ASCII "AMT" 0813347D |. E8 FE48FEFF call 08117D80 08133482 |. 50 push eax 08133483 |. E8 08050D00 call 08203990 08133488 |. 83C4 14 add esp, 14 0813348B |. C745 04 00000>mov dword ptr [ebp+4], 0 08133492 |. E9 C9000000 jmp 08133560 //call 08132500 -> F7: 081325E6 |. 50 push eax 081325E7 |. 51 push ecx 081325E8 |. 52 push edx 081325E9 |. 8D4424 44 lea eax, dword ptr [esp+44] 081325ED |. 50 push eax 081325EE |. 8D4C24 2C lea ecx, dword ptr [esp+2C] 081325F2 |. 51 push ecx 081325F3 |. C64424 70 01 mov byte ptr [esp+70], 1 081325F8 |. E8 2311FFFF call 08123720 ;F7 // 081238B6 > \56 push esi 081238B7 . E8 347D0E00 call 0820B5F0 ;F7 081238BC . A1 74FD3D08 mov eax, dword ptr [83DFD74] 081238C1 . 50 push eax 081238C2 . E8 D9820E00 call 0820BBA0 081238C7 . 8B0D 302F3908 mov ecx, dword ptr [8392F30] 081238CD . 8981 8C020000 mov dword ptr [ecx+28C], eax 081238D3 . 8B0D 302F3908 mov ecx, dword ptr [8392F30] 081238D9 . 83C4 08 add esp, 8 081238DC . 3999 8C020000 cmp dword ptr [ecx+28C], ebx 081238E2 . 75 43 jnz short 08123927 081238E4 . 8BF1 mov esi, ecx 081238E6 . E8 1561FFFF call 08119A00 081238EB . 56 push esi 081238EC . E8 98521300 call 08258B89 081238F1 . 8B15 342F3908 mov edx, dword ptr [8392F34] 081238F7 . 68 7C613308 push 0833617C ; ASCII "ERROR: No configuration service found for application." 081238FC . 53 push ebx 081238FD . 6A 02 push 2 081238FF . 68 20483308 push 08334820 ; ASCII "AMT" 08123904 . 52 push edx 08123905 . 891D 302F3908 mov dword ptr [8392F30], ebx 0812390B . E8 80000E00 call 08203990 08123910 . 83C4 18 add esp, 18 08123913 . 32C0 xor al, al 08123915 . 8B4D F4 mov ecx, dword ptr [ebp-C] 08123918 . 
64:890D 00000>mov dword ptr fs:[0], ecx 0812391F . 59 pop ecx 08123920 . 5F pop edi 08123921 . 5E pop esi 08123922 . 5B pop ebx 08123923 . 8BE5 mov esp, ebp 08123925 . 5D pop ebp //一路跟到: 0812399E . 8B0D 302F3908 mov ecx, dword ptr [8392F30] 081239A4 . E8 E7FAFFFF call 08123490 ;F7 081239A9 . 8B0D 302F3908 mov ecx, dword ptr [8392F30] 081239AF . 3999 F8000000 cmp dword ptr [ecx+F8], ebx // 081234CB |. 8B0D B4D03808 mov ecx, dword ptr [838D0B4] ; amtlib.08345314 081234D1 |. 8B86 8C020000 mov eax, dword ptr [esi+28C] 081234D7 |. 51 push ecx 081234D8 |. 68 2C523308 push 0833522C ; ASCII "application.xml" 081234DD |. 68 00040000 push 400 081234E2 |. 8D5424 34 lea edx, dword ptr [esp+34] 081234E6 |. 52 push edx 081234E7 |. 33DB xor ebx, ebx 081234E9 |. 50 push eax 081234EA |. 885C24 3C mov byte ptr [esp+3C], bl 081234EE |. E8 BDA70E00 call 0820DCB0 // 08123547 |. 6A 01 push 1 08123549 |. 68 2C523308 push 0833522C ; ASCII "application.xml" 0812354E |. 68 68603308 push 08336068 ; ASCII "config ERROR: unified configuration file [%s] not found! (Errno = %ld)" 08123553 |. 53 push ebx 08123554 |. 6A 02 push 2 08123556 |. 68 20483308 push 08334820 ; ASCII "AMT" 0812355B |. 51 push ecx 0812355C |. E8 2F040E00 call 08203990 08123561 |. 83C4 24 add esp, 24 08123564 |. EB 07 jmp short 0812356D 08123566 |> 8BCE mov ecx, esi 08123568 |. E8 43E2FFFF call 081217B0 //F7 //一路往下: 去一圈果T_T 081222AA |. 8B0D 342F3908 mov ecx, dword ptr [8392F34] 081222B0 |. 68 905C3308 push 08335C90 ; ASCII "config: No BridgeTalkCode found in configuration; Bridgetalk will be disabled." 081222B5 |. 53 push ebx 081222B6 |. 6A 04 push 4 081222B8 |. 68 20483308 push 08334820 ; ASCII "AMT" 081222BD |. 51 push ecx 081222BE |. E8 CD160E00 call 08203990 081222C3 |. 83C4 14 add esp, 14 081222C6 |> 8BCE mov ecx, esi 081222C8 |. E8 A3E9FFFF call 08120C70 //F7 //返回後: 081239B5 . /75 30 jnz short 081239E7 081239B7 . |8BF1 mov esi, ecx 081239B9 . |E8 4260FFFF call 08119A00 081239BE . |56 push esi 081239BF . 
|E8 C5511300 call 08258B89 081239C4 . |A1 342F3908 mov eax, dword ptr [8392F34] 081239C9 . |68 10613308 push 08336110 ; ASCII "ERROR: No licensing configuration found for application." 081239CE . |53 push ebx 081239CF . |6A 02 push 2 081239D1 . |68 20483308 push 08334820 ; ASCII "AMT" 081239D6 . |50 push eax 081239D7 . |891D 302F3908 mov dword ptr [8392F30], ebx 081239DD . |E8 AEFF0D00 call 08203990 081239E2 . |83C4 18 add esp, 18 081239E5 . |EB 4E jmp short 08123A35 //似乎到了目的地~~!加油~~! 081239E7 > \8B55 10 mov edx, dword ptr [ebp+10] 081239EA . 8951 54 mov dword ptr [ecx+54], edx 081239ED . 8B0D 302F3908 mov ecx, dword ptr [8392F30] 081239F3 . E8 F848FFFF call 081182F0 081239F8 . 8B0D 302F3908 mov ecx, dword ptr [8392F30] 081239FE . E8 ADFBFFFF call 081235B0 ;悲性卡死~~T_T 08123A03 . EB 30 jmp short 08123A35 08123A05 . A1 342F3908 mov eax, dword ptr [8392F34] 08123A0A . 68 EC603308 push 083360EC ; ASCII "Application failed to initialize" 08123A0F . 33DB xor ebx, ebx 08123A11 . 53 push ebx 08123A12 . 6A 01 push 1 08123A14 . 68 20483308 push 08334820 ; ASCII "AMT" 08123A19 . 50 push eax 08123A1A . E8 71FF0D00 call 08203990 08123A1F . 83C4 14 add esp, 14 08123A22 . E8 A963FFFF call 08119DD0 08123A27 . 891D 302F3908 mov dword ptr [8392F30], ebx 08123A2D . B8 333A1208 mov eax, 08123A33 08123A32 . C3 retn //再,再: //重上面,一路跟到: 08133463 |. 8B4D 14 mov ecx, dword ptr [ebp+14] 08133466 |. E8 C5BAFEFF call 0811EF30 0813346B |. 84C0 test al, al 0813346D |. 74 2F je short 0813349E 0813346F |. 68 C0893308 push 083389C0 ; ASCII "This is a subsequent launch. Deferring services." 08133474 |. 6A 00 push 0 08133476 |. 6A 04 push 4 08133478 |. 68 20483308 push 08334820 ; ASCII "AMT" 0813347D |. E8 FE48FEFF call 08117D80 08133482 |. 50 push eax 08133483 |. E8 08050D00 call 08203990 08133488 |. 83C4 14 add esp, 14 0813348B |. C745 04 00000>mov dword ptr [ebp+4], 0 08133492 |. E9 C9000000 jmp 08133560 //^o^挖挖~~!於到了~! 
08133497 |> \68 8C893308 push 0833898C ; ASCII "Forcing first launch workflow at product request." 0813349C |. EB 05 jmp short 081334A3 0813349E |> 68 38893308 push 08338938 ; ASCII "Forcing first launch workflow because product is not licensed from previous launch." 081334A3 |> 6A 00 push 0 081334A5 |. 6A 04 push 4 081334A7 |. 68 20483308 push 08334820 ; ASCII "AMT" 081334AC |. E8 CF48FEFF call 08117D80 081334B1 |. 50 push eax 081334B2 |. E8 D9040D00 call 08203990 081334B7 |. 83C4 14 add esp, 14 081334BA |. 6A 00 push 0 081334BC |. 8BCD mov ecx, ebp 081334BE |. E8 8DFAFFFF call 08132F50 ;幸福的道路在 //整函我列了出,^_^.看看那文字似乎和品有很大,一路JMP 08132F50 /$ 53 push ebx 08132F51 |. 8B5C24 08 mov ebx, dword ptr [esp+8] 08132F55 |. 85DB test ebx, ebx 08132F57 |. 56 push esi 08132F58 |. 57 push edi 08132F59 |. 8BF1 mov esi, ecx 08132F5B |. 75 07 jnz short 08132F64 08132F5D |. BF E8883308 mov edi, 083388E8 ; ASCII "Obtain" 08132F62 |. EB 0F jmp short 08132F73 08132F64 |> 83FB 02 cmp ebx, 2 08132F67 |. BF E0883308 mov edi, 083388E0 ; ASCII "Validat" 08132F6C |. 74 05 je short 08132F73 08132F6E |. BF D4883308 mov edi, 083388D4 ; ASCII "PreValidat" 08132F73 |> 57 push edi 08132F74 |. 68 B8883308 push 083388B8 ; ASCII "AMT: %sing Product License." 08132F79 |. 68 B0883308 push 083388B0 ; ASCII "%sing" 08132F7E |. 6A 04 push 4 08132F80 |. 68 20483308 push 08334820 ; ASCII "AMT" 08132F85 |. E8 F64DFEFF call 08117D80 08132F8A |. 50 push eax 08132F8B |. E8 000A0D00 call 08203990 08132F90 |. 83C4 18 add esp, 18 08132F93 |. 807E 54 00 cmp byte ptr [esi+54], 0 08132F97 |. 74 53 je short 08132FEC 08132F99 |. 68 80883308 push 08338880 ; ASCII "Launch Workflow already done in this session." 08132F9E |. 6A 00 push 0 08132FA0 |. 6A 04 push 4 08132FA2 |. 68 20483308 push 08334820 ; ASCII "AMT" 08132FA7 |. E8 D44DFEFF call 08117D80 08132FAC |. 50 push eax 08132FAD |. E8 DE090D00 call 08203990 08132FB2 |. 83C4 14 add esp, 14 08132FB5 |> 53 push ebx 08132FB6 |. 8BCE mov ecx, esi 08132FB8 |. 
E8 33CAFFFF call 0812F9F0 08132FBD |. 6A 00 push 0 08132FBF |. 8BCE mov ecx, esi 08132FC1 |. E8 4ADDFFFF call 08130D10 08132FC6 C746 04 01000>mov dword ptr [esi+4], 1 ;我的修改 08132FCD B8 01000000 mov eax, 1 ;我的修改 08132FD2 90 nop ;我的修改 08132FD3 90 nop ;我的修改 08132FD4 E9 9B000000 jmp 08133074 ;我的修改 08132FD9 90 nop ;我的修改 08132FDA 57 push edi 08132FDB 68 60883308 push 08338860 ; ASCII "Failure %sing Product License!" 08132FE0 |. 68 B0883308 push 083388B0 ; ASCII "%sing" 08132FE5 |. 6A 02 push 2 08132FE7 |. E9 95000000 jmp 08133081 08132FEC |> 83FB 01 cmp ebx, 1 08132FEF |. 75 07 jnz short 08132FF8 08132FF1 |. 68 30883308 push 08338830 ; ASCII "Launch Workflow not yet done in this session." 08132FF6 |. EB 05 jmp short 08132FFD 08132FF8 |> 68 F4873308 push 083387F4 ; ASCII "Launch Workflow not yet done in foreground in this session." 08132FFD |> 6A 00 push 0 08132FFF |. 6A 04 push 4 08133001 |. 68 20483308 push 08334820 ; ASCII "AMT" 08133006 |. E8 754DFEFF call 08117D80 0813300B |. 50 push eax 0813300C |. E8 7F090D00 call 08203990 08133011 |. 83C4 14 add esp, 14 08133014 |. 53 push ebx 08133015 |. 8BCE mov ecx, esi 08133017 |. E8 74FBFFFF call 08132B90 ;需要跟去 0813301C |. 837E 04 02 cmp dword ptr [esi+4], 2 08133020 |. 75 39 jnz short 0813305B 08133022 |. 8B4E 14 mov ecx, dword ptr [esi+14] 08133025 |. E8 064CFEFF call 08117C30 0813302A |. 84C0 test al, al 0813302C |. 74 2D je short 0813305B 0813302E |. 8B4E 14 mov ecx, dword ptr [esi+14] 08133031 |. E8 5A4DFEFF call 08117D90 08133036 |. 84C0 test al, al 08133038 |. 74 21 je short 0813305B 0813303A |. 83FB 02 cmp ebx, 2 0813303D |. 75 1C jnz short 0813305B 0813303F |. 53 push ebx 08133040 |. 8BCE mov ecx, esi 08133042 |. C746 04 00000>mov dword ptr [esi+4], 0 08133049 |. E8 D2B9FFFF call 0812EA20 0813304E |. 6A 00 push 0 08133050 |. E8 BBDCFFFF call 08130D10 08133055 |. 5F pop edi 08133056 |. 5E pop esi 08133057 |. 5B pop ebx 08133058 |. 
C2 0400 retn 4 0813305B |> 837E 04 00 cmp dword ptr [esi+4], 0 0813305F |.^ 0F84 50FFFFFF je 08132FB5 08133065 |. 6A 00 push 0 08133067 |. 8BCE mov ecx, esi 08133069 |. E8 A2DCFFFF call 08130D10 0813306E |. 5F pop edi 0813306F |. 5E pop esi 08133070 |. 5B pop ebx 08133071 |. C2 0400 retn 4 08133074 |> 57 push edi 08133075 |. 68 D8873308 push 083387D8 ; ASCII "AMT: Product License %sed." 0813307A |. 68 D0873308 push 083387D0 ; ASCII "%sed" 0813307F |. 6A 04 push 4 08133081 |> 68 20483308 push 08334820 ; ASCII "AMT" 08133086 |. E8 F54CFEFF call 08117D80 0813308B |. 50 push eax 0813308C |. E8 FF080D00 call 08203990 08133091 |. 83C4 18 add esp, 18 08133094 |. 837E 04 00 cmp dword ptr [esi+4], 0 08133098 |. 0F85 A3010000 jnz 08133241 0813309E |. 807E 19 00 cmp byte ptr [esi+19], 0 081330A2 |. 0F85 99010000 jnz 08133241 081330A8 |. 807E 1A 00 cmp byte ptr [esi+1A], 0 081330AC |. 0F85 8F010000 jnz 08133241 081330B2 |. 8B4E 14 mov ecx, dword ptr [esi+14] 081330B5 |. E8 764BFEFF call 08117C30 081330BA |. 84C0 test al, al 081330BC |. 0F84 FF000000 je 081331C1 081330C2 |. 8B4E 14 mov ecx, dword ptr [esi+14] 081330C5 |. E8 5694FEFF call 0811C520 081330CA |. 83F8 03 cmp eax, 3 081330CD |. 0F85 EE000000 jnz 081331C1 081330D3 |. E8 0868FFFF call 081298E0 081330D8 |. 68 94873308 push 08338794 ; ASCII "Product has been activated. Ensuring that it's registered." 081330DD |. 6A 00 push 0 081330DF |. 6A 04 push 4 081330E1 |. 68 20483308 push 08334820 ; ASCII "AMT" 081330E6 |. 8BF8 mov edi, eax 081330E8 |. E8 934CFEFF call 08117D80 081330ED |. 50 push eax 081330EE |. E8 9D080D00 call 08203990 081330F3 |. 8B4E 14 mov ecx, dword ptr [esi+14] 081330F6 |. 83C4 14 add esp, 14 081330F9 |. E8 E24BFEFF call 08117CE0 081330FE |. 84C0 test al, al 08133100 |. 0F85 BB000000 jnz 081331C1 08133106 |. 8B4E 14 mov ecx, dword ptr [esi+14] 08133109 |. E8 22A9FEFF call 0811DA30 0813310E |. 84C0 test al, al 08133110 |. 0F85 AB000000 jnz 081331C1 08133116 |. 8BCF mov ecx, edi 08133118 |. 
E8 E398FFFF call 0812CA00 0813311D |. 84C0 test al, al 0813311F |. 0F85 9C000000 jnz 081331C1 08133125 |. 68 803A0900 push 93A80 0813312A |. 8BCF mov ecx, edi 0813312C |. E8 0FA2FFFF call 0812D340 08133131 |. 84C0 test al, al 08133133 |. 0F84 88000000 je 081331C1 08133139 |. 68 5C873308 push 0833875C ; ASCII "Product has not yet been registered, and a nag is due." 0813313E |. 6A 00 push 0 08133140 |. 6A 04 push 4 08133142 |. 68 20483308 push 08334820 ; ASCII "AMT" 08133147 |. E8 344CFEFF call 08117D80 0813314C |. 50 push eax 0813314D |. E8 3E080D00 call 08203990 08133152 |. 83C4 14 add esp, 14 08133155 |. 83FB 01 cmp ebx, 1 08133158 |. 75 22 jnz short 0813317C 0813315A |. 68 28873308 push 08338728 ; ASCII "Pre-Validation: Foreground validation is required." 0813315F |. 6A 00 push 0 08133161 |. 6A 04 push 4 08133163 |. 68 20483308 push 08334820 ; ASCII "AMT" 08133168 |. E8 134CFEFF call 08117D80 0813316D |. 50 push eax 0813316E |. E8 1D080D00 call 08203990 08133173 |. C746 04 02000>mov dword ptr [esi+4], 2 0813317A |. EB 42 jmp short 081331BE 0813317C |> 68 0C873308 push 0833870C ; ASCII "Invoking EPIC Registration." 08133181 |. 6A 00 push 0 08133183 |. 6A 04 push 4 08133185 |. 68 20483308 push 08334820 ; ASCII "AMT" 0813318A |. E8 F14BFEFF call 08117D80 0813318F |. 50 push eax 08133190 |. E8 FB070D00 call 08203990 08133195 |. 83C4 14 add esp, 14 08133198 |. 6A 01 push 1 0813319A |. 8BCF mov ecx, edi 0813319C |. E8 9F9CFFFF call 0812CE40 081331A1 |. 84C0 test al, al 081331A3 |. 75 1C jnz short 081331C1 081331A5 |. 68 AC743308 push 083374AC ; ASCII "Product Registration failed." 081331AA |. 6A 00 push 0 081331AC |. 6A 03 push 3 081331AE |. 68 20483308 push 08334820 ; ASCII "AMT" 081331B3 |. E8 C84BFEFF call 08117D80 081331B8 |. 50 push eax 081331B9 |. E8 D2070D00 call 08203990 081331BE |> 83C4 14 add esp, 14 081331C1 |> 8B4E 14 mov ecx, dword ptr [esi+14] 081331C4 |. E8 67BDFEFF call 0811EF30 081331C9 |. 84C0 test al, al 081331CB |. 
75 22 jnz short 081331EF 081331CD |. 68 C8863308 push 083386C8 ; ASCII "Suppressing silent AUM update check on first or unlicensed launch." 081331D2 |. 6A 00 push 0 081331D4 |. 6A 04 push 4 081331D6 |. 68 20483308 push 08334820 ; ASCII "AMT" 081331DB |. E8 A04BFEFF call 08117D80 081331E0 |. 50 push eax 081331E1 |. E8 AA070D00 call 08203990 081331E6 |. 83C4 14 add esp, 14 081331E9 |. 5F pop edi 081331EA |. 5E pop esi 081331EB |. 5B pop ebx 081331EC |. C2 0400 retn 4 081331EF |> 85DB test ebx, ebx 081331F1 |. 74 4E je short 08133241 081331F3 |. 8B4E 14 mov ecx, dword ptr [esi+14] 081331F6 |. E8 354AFEFF call 08117C30 081331FB |. 84C0 test al, al 081331FD |. 74 42 je short 08133241 081331FF |. 8B4E 14 mov ecx, dword ptr [esi+14] 08133202 |. E8 E94AFEFF call 08117CF0 08133207 |. 84C0 test al, al 08133209 |. 75 36 jnz short 08133241 0813320B |. 68 A8863308 push 083386A8 ; ASCII "Doing silent AUM update check." 08133210 |. 6A 00 push 0 08133212 |. 6A 04 push 4 08133214 |. 68 20483308 push 08334820 ; ASCII "AMT" 08133219 |. E8 624BFEFF call 08117D80 0813321E |. 50 push eax 0813321F |. E8 6C070D00 call 08203990 08133224 |. 83C4 14 add esp, 14 08133227 |. E8 54CE0D00 call 08210080 0813322C |. 8BF0 mov esi, eax 0813322E |. 85F6 test esi, esi 08133230 |. 74 0F je short 08133241 08133232 |. 56 push esi 08133233 |. E8 28CF0D00 call 08210160 08133238 |. 56 push esi 08133239 |. E8 B2830D00 call 0820B5F0 0813323E |. 83C4 08 add esp, 8 08133241 |> 5F pop edi 08133242 |. 5E pop esi 08133243 |. 5B pop ebx 08133244 \. C2 0400 retn 4 // 08132C80 |> \68 90853308 push 08338590 ; ASCII "Passive app is not installed. Possibly missing driver data. Allowing non-installed use." 08132C85 |. 6A 00 push 0 08132C87 |. 6A 03 push 3 08132C89 |. 68 20483308 push 08334820 ; ASCII "AMT" 08132C8E |. E8 ED50FEFF call 08117D80 08132C93 |. 50 push eax 08132C94 |. E8 F70C0D00 call 08203990 08132C99 |. 83C4 14 add esp, 14 08132C9C |> 807E 19 00 cmp byte ptr [esi+19], 0 08132CA0 |. 
75 6E jnz short 08132D10 08132CA2 |. 807E 1A 00 cmp byte ptr [esi+1A], 0 08132CA6 |. 75 68 jnz short 08132D10 08132CA8 |. 8B4E 14 mov ecx, dword ptr [esi+14] 08132CAB |. E8 2050FEFF call 08117CD0 08132CB0 |. 84C0 test al, al 08132CB2 EB 5C jmp short 08132D10 ;需要修改JMP 08132CB4 |. 8B4E 14 mov ecx, dword ptr [esi+14] 08132CB7 |. E8 744FFEFF call 08117C30 08132CBC |. 84C0 test al, al 08132CBE |. 74 50 je short 08132D10 08132CC0 |. 53 push ebx ;去就出那框 08132CC1 |. 8BCE mov ecx, esi 08132CC3 |. E8 58DBFFFF call 08130820 08132CC8 |. 84C0 test al, al 08132CCA 75 44 jnz short 08132D10 08132CCC |. 83FB 01 cmp ebx, 1 08132CCF |. 74 0B je short 08132CDC 08132CD1 |. 68 60853308 push 08338560 ; ASCII "EULA has been refused. Application must exit." 08132CD6 |. 6A 00 push 0 08132CD8 |. 6A 01 push 1 08132CDA |. EB 09 jmp short 08132CE5 08132CDC |> 68 24853308 push 08338524 ; ASCII "EULA needs to be presented. Requiring foreground validate." 08132CE1 |. 6A 00 push 0 08132CE3 |. 6A 04 push 4 08132CE5 |> 68 20483308 push 08334820 ; ASCII "AMT" 08132CEA |. E8 9150FEFF call 08117D80 08132CEF |. 50 push eax 08132CF0 |. E8 9B0C0D00 call 08203990 08132CF5 |. 8B4E 14 mov ecx, dword ptr [esi+14] 08132CF8 |. 83C4 14 add esp, 14 08132CFB |. 6A 00 push 0 08132CFD |. 6A 00 push 0 08132CFF |. E8 1C01FFFF call 08122E20 08132D04 |. C746 04 02000>mov dword ptr [esi+4], 2 08132D0B |. 5E pop esi 08132D0C |. 5B pop ebx 08132D0D |. C2 0400 retn 4 // 08132DAB |> \8BCF mov ecx, edi 08132DAD |. E8 FE39FEFF call 081167B0 08132DB2 |. 84C0 test al, al 08132DB4 EB 0E jmp short 08132DC4 ;需要JMP 08132DB6 |. 68 60843308 push 08338460 ; ASCII "ALM failed to initialize and read trusted storage, hence no license." 08132DBB |. 6A 00 push 0 08132DBD |. 6A 01 push 1 08132DBF |. 
E9 29010000 jmp 08132EED 08132DC4 |> 8B4E 14 mov ecx, dword ptr [esi+14] // 08132E29 |> \E8 F296FEFF call 0811C520 08132E2E B8 03000000 mov eax, 3 08132E33 ^ E9 51FFFFFF jmp 08132D89 ;需要JMP 08132E38 90 nop 08132E39 90 nop 08132E3A 75 29 jnz short 08132E65 08132E3C |. 68 70833308 push 08338370 ; ASCII "Prevalidation finds app not activated. Requiring foreground validate." 08132E41 |. 6A 00 push 0 08132E43 |. 6A 04 push 4 08132E45 |> 68 20483308 push 08334820 ; ASCII "AMT" 08132E4A |. E8 314FFEFF call 08117D80 08132E4F |. 50 push eax 08132E50 |. E8 3B0B0D00 call 08203990 08132E55 |. 83C4 14 add esp, 14 08132E58 |. 5F pop edi 08132E59 |. C746 04 02000>mov dword ptr [esi+4], 2 08132E60 |. 5E pop esi 08132E61 |. 5B pop ebx 08132E62 |. C2 0400 retn 4 //-------------------------------------------------------------------------------------------------------- //以上修改基本上就可以使用了~! //--------------------------------------------------------------------------------------------------------- //充1: // 085B70D8 53 push ebx 085B70D9 6A 01 push 1 085B70DB 6A 03 push 3 085B70DD 8D4424 6C lea eax, dword ptr [esp+6C] 085B70E1 50 push eax 085B70E2 55 push ebp 085B70E3 56 push esi 085B70E4 56 push esi 085B70E5 8B4C24 3C mov ecx, dword ptr [esp+3C] 085B70E9 8B4424 40 mov eax, dword ptr [esp+40] 085B70ED 51 push ecx 085B70EE 8D5424 38 lea edx, dword ptr [esp+38] 085B70F2 52 push edx 085B70F3 50 push eax 085B70F4 FF5424 3C call dword ptr [esp+3C] ;示框 //----------------------------------------------------------------------------------------------------------- //充2: 08132CA8 |. 8B4E 14 mov ecx, dword ptr [esi+14] 08132CAB |. E8 2050FEFF call 08117CD0 08132CB0 |. 84C0 test al, al 08132CB2 |. 75 5C jnz short 08132D10 08132CB4 |. 8B4E 14 mov ecx, dword ptr [esi+14] 08132CB7 |. E8 744FFEFF call 08117C30 08132CBC |. 84C0 test al, al 08132CBE |. 74 50 je short 08132D10 08132CC0 |. 53 push ebx 08132CC1 |. 8BCE mov ecx, esi 08132CC3 |. E8 58DBFFFF call 08130820 ;已示框 08132CC8 |. 
84C0 test al, al 08132CCA 75 44 jnz short 08132D10 081281C7 |. 8B7424 0C mov esi, dword ptr [esp+C] 081281CB |. 8D4C24 7C lea ecx, dword ptr [esp+7C] 081281CF |. C78424 B80000>mov dword ptr [esp+B8], -1 081281DA |. E8 C1BDFFFF call 08123FA0 081281DF |. 8D4C24 7C lea ecx, dword ptr [esp+7C] 081281E3 |. 51 push ecx 081281E4 |. C78424 800000>mov dword ptr [esp+80], 08335574 081281EF |. E8 17E71200 call 0825690B 081281F4 |. 83C4 04 add esp, 4 081281F7 |. 8BC6 mov eax, esi 081281F9 |. 8B8C24 B00000>mov ecx, dword ptr [esp+B0] 08128200 |. 64:890D 00000>mov dword ptr fs:[0], ecx 08128207 |. 59 pop ecx 08128208 |. 5E pop esi 08128209 |. 5B pop ebx 0812820A |. 81C4 B0000000 add esp, 0B0 08128210 \. C3 retn ;必返回3: //返回3: 0811C63B |> \B8 03000000 mov eax, 3 ; Case 3 of switch 0811C5A8 0811C640 |. 8B4C24 44 mov ecx, dword ptr [esp+44] 0811C644 |. 64:890D 00000>mov dword ptr fs:[0], ecx 0811C64B |. 59 pop ecx 0811C64C |. 5E pop esi 0811C64D |. 5B pop ebx 0811C64E |. 83C4 44 add esp, 44 0811C651 |. C3 retn //才等於跳: 08132E1F |> \68 B8833308 push 083383B8 ; ASCII "Product is non-serialized. Bypassing EULA and ALM product-level license checks." 08132E24 |.^ E9 3DFFFFFF jmp 08132D66 08132E29 |> E8 F296FEFF call 0811C520 08132E2E |. 83F8 03 cmp eax, 3 08132E31 ^ 0F84 52FFFFFF je 08132D89 ; 我直接修改JMP,不修改其他函了 //修改如下: 10032E1F |> \68 B8832310 push 102383B8 ; ASCII "Product is non-serialized. Bypassing EULA and ALM product-level license checks." 10032E24 |.^ E9 3DFFFFFF jmp 10032D66 10032E29 |> E8 F296FEFF call 1001C520 10032E2E B8 03000000 mov eax, 3 10032E33 ^ E9 51FFFFFF jmp 10032D89 10032E38 90 nop 10032E39 90 nop //修改如下: 08132FBD |. 6A 00 push 0 08132FBF |. 8BCE mov ecx, esi 08132FC1 |. E8 4ADDFFFF call 08130D10 08132FC6 C746 04 01000>mov dword ptr [esi+4], 1 08132FCD B8 01000000 mov eax, 1 08132FD2 90 nop 08132FD3 90 nop 08132FD4 E9 9B000000 jmp 08133074 08132FD9 90 nop 08132FDA 57 push edi 08132FDB 68 60883308 push 08338860 ; ASCII "Failure %sing Product License!" 08132FE0 |. 
68 B0883308 push 083388B0 ; ASCII "%sing" 08132FE5 |. 6A 02 push 2 08132FE7 |. E9 95000000 jmp 08133081