Alternative PEtite V2.2 Unpacking + Repair + Cracking: English-Chinese / Chinese-English Bidirectional Learning Dictionary V1.0
Author: unknown   Source: unknown   Published: 2008-6-22 0:50:24
howWindow>
004A3B02   6A EC             push -14
004A3B04   A1 1C604A00       mov eax,dword ptr ds:[4A601C]
004A3B09   8B00              mov eax,dword ptr ds:[eax]
004A3B0B   8B58 24           mov ebx,dword ptr ds:[eax+24]
004A3B0E   53                push ebx
004A3B0F   E8 083DF6FF       call <jmp.&user32.GetWindowLongA>
004A3B14   0D 80000000       or eax,80
004A3B19   50                push eax
004A3B1A   6A EC             push -14
004A3B1C   A1 1C604A00       mov eax,dword ptr ds:[4A601C]
004A3B21   53                push ebx
004A3B22   E8 053FF6FF       call <jmp.&user32.SetWindowLongA>
004A3B27   E8 1857FFFF       call DUMPED_.00499244    ====> it crashes right after this! Reload and take another look.
———————————————————————— Entering the crashing CALL: 004A3B27 call DUMPED_.00499244
00499244   55                push ebp
00499245   8BEC              mov ebp,esp
00499247   6A 00             push 0
00499249   6A 00             push 0
0049924B   6A 00             push 0
0049924D   53                push ebx
0049924E   33C0              xor eax,eax
00499250   55                push ebp
00499251   68 19934900       push 1_.00499319
00499256   64:FF30           push dword ptr fs:[eax]
00499259   64:8920           mov dword ptr fs:[eax],esp
0049925C   33DB              xor ebx,ebx
0049925E   B8 FC7A4A00       mov eax,DUMPED_.004A7AFC
00499263   BA 30934900       mov edx,DUMPED_.00499330        ; ASCII "1.29c for Windows"
00499268   E8 77AAF6FF       call DUMPED_.00403CE4
0049926D   B8 3C7B4A00       mov eax,DUMPED_.004A7B3C
00499272   BA 4C934900       mov edx,DUMPED_.0049934C        ; ASCII "WebPacker"
00499277   E8 68AAF6FF       call DUMPED_.00403CE4
0049927C   C705 D07A4A00 24010600   mov dword ptr ds:[4A7AD0],60124   ====> note the file pointer 60124: it is an offset into the original (packed) exe, not into the dump
————————————————————————
Following brother mikelong's pointers, I did the repair by hand:
1. Open the original program in WinHex and copy the data from 60124 to E2724; heck, might as well copy right to the end of the file. Then open the unpacked file (import table already repaired) and paste it at the end of that file. Note the offset of the pasted data in the new file: E9000. Save as 修复DUMPED_.EXE.
2. Open 修复DUMPED_.EXE in WinHex, go to offset 99282 and change 24 01 06 to 00 90 0E, which corrects the file pointer. That is:
0049927C C705D07A4A0024010600 mov dword ptr ds:[4A7AD0],60124
becomes
0049927C C705D07A4A0000900E00 mov dword ptr ds:[4A7AD0],E9000
(The immediate is a little-endian imm32, the last four bytes of the instruction. Offset 99282 is where it sits on disk: the instruction starts at VA 0049927C, so the immediate is at RVA 99282 = 0049927C - 400000 + 6, and in this dump raw file offsets equal RVAs. Check that arithmetic against your own dump's section table before patching.)
OK! The patched program runs normally! The only downside is that the file got a lot bigger. A newbie like me has no way around that.
For programs in this hacked-about PEtite 2.2 packer the key is to find the original file pointer that causes the crash, copy the corresponding data into the unpacked program, and change the pointer to the new offset. Thanks again to brother mikelong; all of this is his work!
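The two WinHex steps above, automated, as an added example (my code, not part of fly's write-up and not from the program's author). It appends the tail of the original exe to the dump as an overlay and rewrites the imm32 of the pointer store. It assumes, as the write-up implies, that the program reads that data by file offset from its own exe, so no PE header needs changing; the arithmetic behind "go to 99282" further assumes the dump's raw offsets equal its RVAs. The buffers at the bottom are constructed stand-ins, not the real files.

```python
import struct
from typing import Tuple

IMAGE_BASE = 0x400000
MOV_VA = 0x0049927C      # VA of `mov dword ptr ds:[4A7AD0],60124` in the dump
ORIG_PTR = 0x60124       # file pointer it stores: an offset into the packed exe

# Encoding of that instruction: C7 05 <disp32 004A7AD0> <imm32>, 10 bytes,
# both operands little-endian. The imm32 is the last 4 bytes.
MOV_PREFIX = b"\xC7\x05" + struct.pack("<I", 0x4A7AD0)
IMM_OFFSET = len(MOV_PREFIX)


def pointer_store(ptr: int) -> bytes:
    """Encode `mov dword ptr ds:[4A7AD0], ptr` exactly as it appears on disk."""
    return MOV_PREFIX + struct.pack("<I", ptr)


def find_pointer_store(dumped: bytes, orig_ptr: int = ORIG_PTR) -> int:
    """File offset of the one pointer store in the dump.

    Searching for the whole 10-byte encoding rather than for 24 01 06 00 alone
    avoids patching an unrelated occurrence of that immediate; the function
    refuses to guess if the pattern is missing or appears more than once.
    """
    needle = pointer_store(orig_ptr)
    hits = []
    pos = dumped.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = dumped.find(needle, pos + 1)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one pointer store, found {len(hits)}")
    return hits[0]


def fix_dump(dumped: bytes, original: bytes, orig_ptr: int = ORIG_PTR) -> Tuple[bytes, int]:
    """Append original[orig_ptr:] to the dump and retarget the stored pointer.

    Returns (patched_dump, new_ptr). new_ptr is the old length of the dump,
    i.e. where the pasted data starts (E9000 in the write-up). The appended
    bytes are an overlay: no section header is touched, which works as long
    as the program reads them by file offset from its own exe (assumption).
    """
    if orig_ptr >= len(original):
        raise ValueError("orig_ptr lies past the end of the original file")
    insn_off = find_pointer_store(dumped, orig_ptr)
    new_ptr = len(dumped)
    if new_ptr > 0xFFFFFFFF:
        raise ValueError("new pointer does not fit in an imm32")
    patched = bytearray(dumped)
    imm_at = insn_off + IMM_OFFSET
    patched[imm_at:imm_at + 4] = struct.pack("<I", new_ptr)
    patched += original[orig_ptr:]
    return bytes(patched), new_ptr


def expected_imm_file_offset(mov_va: int = MOV_VA, image_base: int = IMAGE_BASE) -> int:
    """The arithmetic behind "go to 99282": RVA of the instruction plus 6.

    Valid only for a dump written with raw offsets equal to RVAs; for any
    other layout walk the section table or use find_pointer_store instead.
    """
    return mov_va - image_base + IMM_OFFSET


# Constructed sample buffers standing in for the real files (not real data).
sample_orig_ptr = 0x40
sample_dump = b"MZ" + b"\x00" * 30 + pointer_store(sample_orig_ptr) + b"\x90" * 16
sample_original = b"MZ" + bytes(range(256))

if __name__ == "__main__":
    fixed, ptr = fix_dump(sample_dump, sample_original, sample_orig_ptr)
    print(f"pasted {len(fixed) - ptr} bytes at offset {ptr:X}")
    print(f"on the real dump the imm32 sits at file offset {expected_imm_file_offset():X}")
```

On real files, read both exes with `open(path, "rb").read()`, call `fix_dump` with the default `ORIG_PTR`, and write the result out; the returned offset should match what WinHex shows for the pasted data. If the program stores more than one such pointer, repeat the search for each immediate rather than loosening the 10-byte pattern.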
Here is another program in the same PEtite 2.2 packer for practice: 3TV Broadband Satellite Internet TV. Download: http://webtv.zmdns.com/3tv.exe. For reference see: http://www.51itcool.com/fcg/Announce/Announce.asp?BoardID=3&ID=2842
————————————————————————————————— III. Cracking
This thing is an ebook-style program written in Delphi; I am not sure which ebook-building tool produced it. Registration is a bit of a nuisance; thanks to DarkNess0ut for helping test. It is a plaintext comparison, and lazy me was too sleepy to look at the algorithm.
Ugh: only when you click "English-Chinese Index" does the message "This section is for registered users only; unregistered users may only use the a-k vocabulary" appear, and only below that does the machine ID show up. A bit hidden.
User name: fly   Machine ID: 89DD-5EA0123   Trial code: 135724689012
————————————————————————————————— The key spot is not easy to find; the bits below were located with a memory search plus a memory breakpoint.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049ABAA(C)
|
:0049ABED 8D55FC          lea edx, dword ptr [ebp-04]
:0049ABF0 A10C604A00      mov eax, dword ptr [004A600C]
:0049ABF5 8B00            mov eax, dword ptr [eax]
:0049ABF7 E8A4E2F6FF      call 00408EA0
:0049ABFC 8D85DCFEFFFF    lea eax, dword ptr [ebp+FFFFFEDC]
:0049AC02 8D55EB          lea edx, dword ptr [ebp-15]
:0049AC05 E8AA92F6FF      call 00403EB4
:0049AC0A 8B85DCFEFFFF    mov eax, dword ptr [ebp+FFFFFEDC]   ====> EAX=89DD-5EA0123, the machine ID
:0049AC10 8D95E0FEFFFF    lea edx, dword ptr [ebp+FFFFFEE0]
:0049AC16 E865F0FFFF      call 00499C80
:0049AC1B 8B85E0FEFFFF    mov eax, dword ptr [ebp+FFFFFEE0]
:0049AC21 50              push eax
:0049AC22 8D95D8FEFFFF    lea edx, dword ptr [ebp+FFFFFED8]
:0049AC28 A1105F4A00      mov eax, dword ptr [004A5F10]
:0049AC2D 8B00            mov eax, dword ptr [eax]            ====> EAX=135724689012, the trial code
:0049AC2F E86CE2F6FF      call 00408EA0
:0049AC34 8B95D8FEFFFF    mov edx, dword ptr [ebp+FFFFFED8]
:0049AC3A 8D45F8          lea eax, dword ptr [ebp-08]
:0049AC3D 59              pop ecx
:0049AC3E E81993F6FF      call 00403F5C
:0049AC43 8B45FC          mov eax, dword ptr [ebp-04]         ====> EAX=fly, the user name
:0049AC46 E8C592F6FF      call 00403F10
:0049AC4B 83F803          cmp eax, 00000003                   ====> the user name must be at least 3 characters
:0049AC4E 7D4C            jge 0049AC9C

:0049AC9C 8B45F8          mov eax, dword ptr [ebp-08]         ====> EAX=135724689012, the trial code
:0049AC9F E86C92F6FF      call 00403F10
:0049ACA4 83F80C          cmp eax, 0000000C                   ====> the registration code must be exactly 12 characters
:0049ACA7 740E            je 0049ACB7

:0049ACB7 A1AC5F4A00      mov eax, dword ptr [004A5FAC]
:0049ACBC 803800          cmp byte ptr [eax], 00
:0049ACBF 7542            jne 0049AD03
:0049ACC1 A150604A00      mov eax, dword ptr [004A6050]
:0049ACC6 8B00            mov eax, dword ptr [eax]
:0049ACC8 50              push eax
:0049ACC9 8B45F8          mov eax, dword ptr [ebp-08]
:0049ACCC 50              push eax
:0049ACCD A1E0604A00      mov eax, dword ptr [004A60E0]
:0049ACD2 8A00            mov al, byte ptr [eax]
:0049ACD4 50              push eax
:0049ACD5 8D85C8FEFFFF    lea eax, dword ptr [ebp+FFFFFEC8]
:0049ACDB 8D55EB          lea edx, dword ptr [ebp-15]
:0049ACDE E8D191F6FF      call 00403EB4
:0049ACE3 8B8DC8FEFFFF    mov ecx, dword ptr [ebp+FFFFFEC8]
:0049ACE9 8B1584604A00    mov edx, dword ptr [004A6084]
:0049ACEF 8B12            mov edx, dword ptr [edx]
:0049ACF1 8B45FC          mov eax, dword ptr [ebp-04]
:0049ACF4 E893F5FFFF      call 0049A28C                        ====> the key CALL! step into it!
:0049ACF9 84C0            test al, al
:0049ACFB 0F84C3000000    je 0049ADC4                          ====> if this jumps, it's over (registration failed)
:0049AD01 EB15            jmp 0049AD18
———————————————————————— Entering the key CALL: 0049ACF4 call 0049A28C. (Delphi's register calling convention passes the first three arguments in eax, edx and ecx and the rest on the stack, so inside this routine [ebp-04] is the user name, [ebp-08] and [ebp-0C] are the values the caller loaded into edx and ecx, and [ebp+0C] is the code that was typed in, whose length is checked against 12 below.)
* Referenced by a CALL at Addresses:
|:00498C86   , :0049ACF4
|
:0049A28C 55              push ebp
:0049A28D 8BEC            mov ebp, esp
:0049A28F 6A00            push 00000000
:0049A291 6A00            push 00000000
:0049A293 6A00            push 00000000
:0049A295 6A00            push 00000000
:0049A297 6A00            push 00000000
:0049A299 6A00            push 00000000
:0049A29B 6A00            push 00000000
:0049A29D 53              push ebx
:0049A29E 56              push esi
:0049A29F 57              push edi
:0049A2A0 894DF4          mov dword ptr [ebp-0C], ecx
:0049A2A3 8955F8          mov dword ptr [ebp-08], edx
:0049A2A6 8945FC          mov dword ptr [ebp-04], eax
:0049A2A9 8B45FC          mov eax, dword ptr [ebp-04]
:0049A2AC E8139EF6FF      call 004040C4
:0049A2B1 8B45F8          mov eax, dword ptr [ebp-08]
:0049A2B4 E80B9EF6FF      call 004040C4
:0049A2B9 8B45F4          mov eax, dword ptr [ebp-0C]
:0049A2BC E8039EF6FF      call 004040C4
:0049A2C1 8B4510          mov eax, dword ptr [ebp+10]
:0049A2C4 E8FB9DF6FF      call 004040C4
:0049A2C9 8B450C          mov eax, dword ptr [ebp+0C]
:0049A2CC E8F39DF6FF      call 004040C4
:0049A2D1 33C0            xor eax, eax
:0049A2D3 55              push ebp
:0049A2D4 68AEA34900      push 0049A3AE
:0049A2D9 64FF30          push dword ptr fs:[eax]
:0049A2DC 648920          mov dword ptr fs:[eax], esp
:0049A2DF BE01000000      mov esi, 00000001
:0049A2E4 33DB            xor ebx, ebx
:0049A2E6 8B450C          mov eax, dword ptr [ebp+0C]
:0049A2E9 E8229CF6FF      call 00403F10
:0049A2EE 83F80C          cmp eax, 0000000C
:0049A2F1 0F858F000000    jne 0049A386
:0049A2F7 8D45E4          lea eax, dword ptr [ebp-1C]
:0049A2FA 8B550C          mov edx, dword ptr [ebp+0C]
:0049A2FD E8269AF6FF      call 00403D28

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A381(U)
|
:0049A302 8B4510          mov eax, dword ptr [ebp+10]
:0049A305 50              push eax
:0049A306 8A4508          mov al, byte ptr [ebp+08]
:0049A309 50              push eax
:0049A30A 8D45F0          lea eax, dword ptr [ebp-10]
:0049A30D 50              push eax
:0049A30E 8B4DF4          mov ecx, dword ptr [ebp-0C]
:0049A311 8B55F8          mov edx, dword ptr [ebp-08]
:0049A314 8B45FC          mov eax, dword ptr [ebp-04]
:0049A317 E894010000      call 0049A4B0                        ====> the algorithm CALL!
:0049A31C 8D55EC          lea edx, dword ptr [ebp-14]
:0049A31F 8B45F0          mov eax, dword ptr [ebp-10]
:0049A322 E805FAFFFF      call 00499D2C
:0049A327 8B45EC          mov eax, dword ptr [ebp-14]         ====> EAX=CWIDFLXCMYLO, the real registration code
:0049A32A 8B550C          mov edx, dword ptr [ebp+0C]         ====> EDX=135724689012, the trial code
:0049A32D E8EE9CF6FF      call 00404020                        ====> the compare CALL!
:0049A332 7504            jne 0049A338                         ====> if this jumps, it's over
:0049A334 B301            mov bl, 01
:0049A336 EB4E            jmp 0049A386
————————————————————————————————— [Where the registration info is saved]:
D:\WINDOWS\system32\bccbiosrm64bft.dll
————————————————————————————————— [Summary]:
User name: fly   Machine ID: 89DD-5EA0123   Registration code: CWIDFLXCMYLO
—————————————————————————————————
Youth lasts but a moment;
let me trade empty fame
for the reckless joy of cracking.
Cracked By 巢水工作坊 (Chaoshui Workshop): fly [OCN][FCG]
2003-10-25 01:10