Software download address: http://www.duotegame.com/soft/6403.html
------------------------------------------------------------------------
I already posted one a few days ago; now here is another simple crack, heh. All I ask for is an invitation code, thanks!
Here is the patching process:
The software has a trial period, so before testing it is best to set the system date forward a few months, which makes the crack easier.
The software is not packed, so patch it directly.
Patching:
(Set plenty of bookmarks!)
0046D223 E8 04320000 call MemEdito.0047042C ; pops up the prompt dialog //NOP it out
0046D228 8B03 mov eax,dword ptr ds:[ebx]
0046D22A 80B8 9C000000 0>cmp byte ptr ds:[eax+9C],0
0046D231 74 0F je short MemEdito.0046D242 //NOP this jump out too
After NOPing out the prompt CALL and that je, save it, then load the saved file.
Now press F9 to run, and the expiry prompt is gone. But a web page asking you to register still pops up.
OK, note down the page's URL, we will need it shortly. Mine is: https://www.regsoft.net/regsoft/vieworderpage.php3?productid=48321
Reload the program in OD (Ctrl+F2), analyse the code first, then right-click -- Search for all referenced text strings -- paste the URL from just now (remember to untick case-sensitive and tick entire scope) -- search.
Once found, double-click it and you arrive here:
004FCC34 55 push ebp //set the F2 breakpoint here -- run
004FCC35 8BEC mov ebp,esp
004FCC37 33C9 xor ecx,ecx
004FCC39 51 push ecx
004FCC3A 51 push ecx
004FCC3B 51 push ecx
004FCC3C 51 push ecx
004FCC3D 53 push ebx
004FCC3E 56 push esi
004FCC3F 57 push edi
004FCC40 33C0 xor eax,eax
004FCC42 55 push ebp
004FCC43 68 5ACD4F00 push MemEdito.004FCD5A
004FCC48 64:FF30 push dword ptr fs:[eax]
004FCC4B 64:8920 mov dword ptr fs:[eax],esp
004FCC4E 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004FCC51 E8 2E7DF0FF call MemEdito.00404984
004FCC56 B2 01 mov dl,1
004FCC58 A1 CCC24A00 mov eax,dword ptr ds:[4AC2CC]
004FCC5D E8 D6F7FAFF call MemEdito.004AC438
004FCC62 8945 FC mov dword ptr ss:[ebp-4],eax
004FCC65 33C0 xor eax,eax
004FCC67 55 push ebp
004FCC68 68 BDCC4F00 push MemEdito.004FCCBD
004FCC6D 64:FF30 push dword ptr fs:[eax]
004FCC70 64:8920 mov dword ptr fs:[eax],esp
004FCC73 BA 02000080 mov edx,80000002
004FCC78 8B45 FC mov eax,dword ptr ss:[ebp-4]
004FCC7B E8 94F8FAFF call MemEdito.004AC514
004FCC80 B1 01 mov cl,1
004FCC82 BA 70CD4F00 mov edx,MemEdito.004FCD70 ; ASCII "\SOFTWARE\Memory Editor"
004FCC87 8B45 FC mov eax,dword ptr ss:[ebp-4]
004FCC8A E8 C9F9FAFF call MemEdito.004AC658
004FCC8F 8D4D F8 lea ecx,dword ptr ss:[ebp-8]
004FCC92 BA 90CD4F00 mov edx,MemEdito.004FCD90 ; ASCII "BUYURL"
004FCC97 8B45 FC mov eax,dword ptr ss:[ebp-4]
004FCC9A E8 61FDFAFF call MemEdito.004ACA00
004FCC9F 8B45 FC mov eax,dword ptr ss:[ebp-4]
004FCCA2 E8 3DF8FAFF call MemEdito.004AC4E4
004FCCA7 33C0 xor eax,eax
004FCCA9 5A pop edx
004FCCAA 59 pop ecx
004FCCAB 59 pop ecx
004FCCAC 64:8910 mov dword ptr fs:[eax],edx
004FCCAF 68 C4CC4F00 push MemEdito.004FCCC4
004FCCB4 8B45 FC mov eax,dword ptr ss:[ebp-4]
004FCCB7 E8 186FF0FF call MemEdito.00403BD4
004FCCBC C3 retn
004FCCBD ^ E9 A676F0FF jmp MemEdito.00404368
004FCCC2 ^ EB F0 jmp short MemEdito.004FCCB4
004FCCC4 33C0 xor eax,eax
004FCCC6 55 push ebp
004FCCC7 68 35CD4F00 push MemEdito.004FCD35
004FCCCC 64:FF30 push dword ptr fs:[eax]
004FCCCF 64:8920 mov dword ptr fs:[eax],esp
004FCCD2 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004FCCD5 E8 627FF0FF call MemEdito.00404C3C
004FCCDA 83F8 02 cmp eax,2
004FCCDD 7D 0D jge short MemEdito.004FCCEC
004FCCDF 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004FCCE2 BA A0CD4F00 mov edx,MemEdito.004FCDA0 ; ASCII "https://www.regsoft.net/regsoft/vieworderpage.php3?productid=48321"
004FCCE7 E8 307DF0FF call MemEdito.00404A1C
004FCCEC 6A 03 push 3
004FCCEE 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004FCCF1 A1 94015400 mov eax,dword ptr ds:[540194]
004FCCF6 8B00 mov eax,dword ptr ds:[eax]
004FCCF8 E8 9B3EF7FF call MemEdito.00470B98
004FCCFD 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004FCD00 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004FCD03 E8 78D0F0FF call MemEdito.00409D80
004FCD08 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004FCD0B E8 2481F0FF call MemEdito.00404E34
004FCD10 50 push eax
004FCD11 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004FCD14 E8 1B81F0FF call MemEdito.00404E34
004FCD19 50 push eax
004FCD1A 68 E4CD4F00 push MemEdito.004FCDE4 ; ASCII "IEXPLORE.EXE"
004FCD1F 68 F4CD4F00 push MemEdito.004FCDF4 ; ASCII "open"
004FCD24 6A 00 push 0
004FCD26 E8 FD02F4FF call <jmp.&shell32.ShellExecuteA> ; the web page is opened here.
After running it breaks here; now look at the stack, there is a return address, right-click "Follow in Disassembler", and you come to the CALL one line above it. (That's the one!!)
0052E761 /7C 0B jl short MemEdito.0052E76E
0052E763 |83FE 0F cmp esi,0F
0052E766 |7F 06 jg short MemEdito.0052E76E
0052E768 |807D E7 01 cmp byte ptr ss:[ebp-19],1
0052E76C |75 4D jnz short MemEdito.0052E7BB
0052E76E \E8 2DE8FCFF call MemEdito.004FCFA0
0052E773 84C0 test al,al
0052E775 75 44 jnz short MemEdito.0052E7BB
0052E777 8D45 DC lea eax,dword ptr ss:[ebp-24]
0052E77A BA 7CE95200 mov edx,MemEdito.0052E97C ; ASCII "Quick Memory Editor has expired, please register."
0052E77F E8 9862EDFF call MemEdito.00404A1C
0052E784 B8 B8E95200 mov eax,MemEdito.0052E9B8 ; ASCII "Quick Memory Editor has expired, it will be closed in 60 seconds."
0052E789 E8 EE9AF1FF call MemEdito.0044827C
0052E78E 68 0CE95200 push MemEdito.0052E90C ; ASCII "YES"
0052E793 B9 00E95200 mov ecx,MemEdito.0052E900 ; ASCII "ise"
0052E798 BA B0E85200 mov edx,MemEdito.0052E8B0 ; ASCII "Registration"
0052E79D 8BC3 mov eax,ebx
0052E79F 8B30 mov esi,dword ptr ds:[eax]
0052E7A1 FF56 04 call dword ptr ds:[esi+4]
0052E7A4 8B45 FC mov eax,dword ptr ss:[ebp-4]
0052E7A7 8B80 A0040000 mov eax,dword ptr ds:[eax+4A0]
0052E7AD B2 01 mov dl,1
0052E7AF E8 5026F1FF call MemEdito.00440E04
0052E7B4 E8 7BE4FCFF call MemEdito.004FCC34 ; //// so this is the CALL that calls it
0052E7B9 EB 34 jmp short MemEdito.0052E7EF
0052E773 84C0 test al,al
0052E775 75 44 jnz short MemEdito.0052E7BB ///change to JMP
Save and that's it..
Now there are no prompts at all and the software can be used. OK~ patch succeeded!
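As an added defensive example (not part of the original post), here is a small Python integrity check that diffs a pristine build against a suspect copy and labels the two patch patterns this walkthrough relies on: a CALL or conditional jump overwritten with NOPs, and a jnz rewritten as an unconditional jmp. The byte samples are constructed from the opcodes quoted above and the addresses are the ones shown in the listings; a vendor or incident responder would run the same diff over a whole code section.

```python
# Added example, not from the original post: a tamper check that diffs a
# pristine binary against a suspect copy and labels each modified region by
# the patch pattern it resembles. Sample bytes below are constructed from the
# opcodes quoted in the post; the base addresses are the ones the post shows.

NOP, CALL_REL32, JMP_SHORT = 0x90, 0xE8, 0xEB
JCC_SHORT = range(0x70, 0x80)  # 70..7F: short conditional jumps (jo ... jg)

def diff_regions(original: bytes, patched: bytes, base: int):
    """Return (address, original_bytes, patched_bytes) for every contiguous
    run of differing bytes; `base` is the address of original[0]."""
    if len(original) != len(patched):
        raise ValueError("sizes differ: not a plain in-place patch")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(original, patched)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((base + start, original[start:i], patched[start:i]))
            start = None
    if start is not None:
        regions.append((base + start, original[start:], patched[start:]))
    return regions

def classify(orig: bytes, new: bytes) -> str:
    """Name the patch pattern a differing region resembles."""
    if all(b == NOP for b in new):
        if orig[0] == CALL_REL32 and len(orig) == 5:
            return "CALL nopped out"
        if orig[0] in JCC_SHORT and len(orig) == 2:
            return "conditional jump nopped out"
        return "bytes nopped out"
    if orig[0] in JCC_SHORT and new[0] == JMP_SHORT and orig[1:] == new[1:]:
        return "conditional jump forced to JMP"
    return "other modification"

def report(original: bytes, patched: bytes, base: int):
    """One (debugger-style address, label) pair per modified region."""
    return [(f"{addr:08X}", classify(o, n))
            for addr, o, n in diff_regions(original, patched, base)]

# Constructed sample 1: call / mov / cmp / je at 0046D223, before and after
# the call and the je are NOPped as the post describes.
ORIG_0046D223 = bytes.fromhex("E8 04 32 00 00 8B 03 80 B8 9C 00 00 00 00 74 0F")
PATCHED_0046D223 = bytes.fromhex("90 90 90 90 90 8B 03 80 B8 9C 00 00 00 00 90 90")
# Constructed sample 2: test al,al / jnz at 0052E773 with the jnz turned into jmp.
ORIG_0052E773 = bytes.fromhex("84 C0 75 44")
PATCHED_0052E773 = bytes.fromhex("84 C0 EB 44")

if __name__ == "__main__":
    for finding in (report(ORIG_0046D223, PATCHED_0046D223, 0x0046D223)
                    + report(ORIG_0052E773, PATCHED_0052E773, 0x0052E773)):
        print(*finding)
```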