又到杀狗的时间了,呵呵,这次的疯狗的是什么呢?小弟是广告界的,当然先拿喷绘
软件来开刀了,蒙泰5.0应该是国内用得最多的一个喷绘
软件吧,好,这次就拿它来试刀了。
工具:trw2000
w32dasm8.93黄金版
hview
蒙泰在运行时如果没有加密狗,就会弹出一个对话框,好,我们就从这个对话框入手。运行trw2000,然后运行蒙泰,会
出现对话框,切入trw2000(ctrl+N),下断点bpx enddialog,返回主程序,按下“确定”按钮,Boom,被拦下来的,暂停
断点(BD *),接着就一直按F12和F10,直到返回到下面的
代码处:
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00490D53(C)
|
:00490D5D 8B1B
mov ebx,
dword ptr [
ebx]
:00490D5F 85DB
test ebx,
ebx :00490D61 75EC
jne 00490D4F
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00490D47(C), :00490D4D(C)
|
:00490D63 833D80AC630007
cmp dword ptr [0063AC80], 00000007 <=====我们想办法让[0063AC80]不等于7
:00490D6A 750E
jne 00490D7A
:00490D6C 833D20C6650000
cmp dword ptr [0065C620], 00000000
:00490D73 7505
jne 00490D7A
:00490D75 E836FFFFFF
call 00490CB0 <=====出错对话框
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00490D6A(C), :00490D73(C)
|
:00490D7A B801000000
mov eax, 00000001 <=====返回到这里
我们往上看,有两条跳转指令,程序是通过
地址63ac80和65c620的内容来决定是否显示出错对话框的,好,退出蒙泰,我们再
下断点bpm 63ac80,看会断在什么地方:
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004B67AC(C)
|
:004B67CD C743109A010000
mov [
ebx+10], 0000019A
:004B67D4 C743145C000000
mov [
ebx+14], 0000005C
:004B67DB 33D2
xor edx,
edx :004B67DD 895318
mov dword ptr [
ebx+18],
edx :004B67E0 C7431C07000000
mov [
ebx+1C], 00000007 <=====这里就是给63ac80赋值的地方,当走到这里的
时候就GAME OVER了,所以我们往上看什么地方可以跳过这里
:004B67E7 68606D0000
push 00006D60 <======中断在此
:004B67EC E85EF10E00
call 005A594F
我们往上看,是4B67AC这个
地址调用的:
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004B6792(C)
|
:004B67A4 83BC240402000004
cmp dword ptr [
esp+00000204], 00000004 <=====当[
esp+00000204]小于4时,
就会跳到4B67CD,如果没有狗,这个
地址的内容为0,同时这里也是判断版本号的地方,当大于等于4时,就是通用版
:004B67AC 7C1F
jl 004B67CD
:004B67AE C705D443630001000000
mov dword ptr [006343D4], 00000001
:004B67B8 33C0
xor eax,
eax :004B67BA C743148C000000
mov [
ebx+14], 0000008C
:004B67C1 894318
mov dword ptr [
ebx+18],
eax :004B67C4 C7431C05000000
mov [
ebx+1C], 00000005 <=====[63AC80]=5
:004B67CB EB55
jmp 004B6822
再往上看
地址4B6792:
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004B66EB(U)
|
:004B6757 83BC24040200000C
cmp dword ptr [
esp+00000204], 0000000C <=====大于等于0C时,是专业版
:004B675F 7C0C
jl 004B676D
:004B6761 C7431C01000000
mov [
ebx+1C], 00000001
:004B6768 E9B5000000
jmp 004B6822
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004B675F(C)
|
:004B676D 83BC24040200000A
cmp dword ptr [
esp+00000204], 0000000A <=====大于等于0A时,是专业版S(哪
位朋友知道专业版S和专业版有什么区别)
:004B6775 7C13
jl 004B678A
:004B6777 C74314C2010000
mov [
ebx+14], 000001C2
:004B677E C7431C02000000
mov [
ebx+1C], 00000002
:004B6785 E998000000
jmp 004B6822
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004B6775(C)
|
:004B678A 83BC240402000006
cmp dword ptr [
esp+00000204],
您当前的位置:
减小字体
增大字体