从轻松试卷 v4.03 的破解看 r fl z 的妙用
--------**不太懂汇编的初学者看过来,一个好的命令可以帮助你**
http://soft.linksun.com/fpx/lesson15.zip r fl z 动态修改跳转的方向,即跳强行改为不跳,不跳强行改为跳
破解人:paulyoung
1、运行轻松试卷,在注册框的学校/单位、用户名、注册号处填写,随你便啦。
2、Ctrl+D 激活TRW,下 BPX HMEMCPY。F5 退出,点击确定,被拦截。
3、下 BD * ,中断所有断点。
4、按12次 F12 (因为13次出错),开始看:
:004019A5 8D4DF8 lea ecx, dword ptr [ebp-08] //程序入口
:004019A8 51 push ecx
:004019A9 8BD7 mov edx, edi
:004019AB 8D45F4 lea eax, dword ptr [ebp-0C]
:004019AE E8D5721200 call 00528C88
:004019B3 FF431C inc [ebx+1C]
:004019B6 8D55F4 lea edx, dword ptr [ebp-0C]
:004019B9 58 pop eax
:004019BA E80D751200 call 00528ECC
:004019BF 50 push eax
:004019C0 FF4B1C dec [ebx+1C]
:004019C3 8D45F4 lea eax, dword ptr [ebp-0C]
:004019C6 BA02000000 mov edx, 00000002
:004019CB E818741200 call 00528DE8
:004019D0 FF4B1C dec [ebx+1C]
:004019D3 8D45F8 lea eax, dword ptr [ebp-08]
:004019D6 BA02000000 mov edx, 00000002
:004019DB E808741200 call 00528DE8 //学校名、单位名不能为空(我掉头就溜……)
:004019E0 59 pop ecx
:004019E1 84C9 test cl, cl
:004019E3 745F je 00401A44 //下 r fl z ,F5退出,可看到上面提示
:004019E5 66C743101400 mov [ebx+10], 0014
:004019EB 8D5701 lea edx, dword ptr [edi+01]
:004019EE 8D45F0 lea eax, dword ptr [ebp-10]
:004019F1 E892721200 call 00528C88
:004019F6 FF431C inc [ebx+1C]
:004019F9 8D45F0 lea eax, dword ptr [ebp-10]
:004019FC 33D2 xor edx, edx
:004019FE 8955EC mov dword ptr [ebp-14], edx
:00401A01 8D55EC lea edx, dword ptr [ebp-14]
:00401A04 FF431C inc [ebx+1C]
:00401A07 E8E8A90100 call 0041C3F4
:00401A0C 8D45EC lea eax, dword ptr [ebp-14]
:00401A0F 8B00 mov eax, dword ptr [eax]
:00401A11 E886420100 call 00415C9C
:00401A16 FF4B1C dec [ebx+1C]
:00401A19 8D45EC lea eax, dword ptr [ebp-14]
:00401A1C BA02000000 mov edx, 00000002
:00401A21 E8C2731200 call 00528DE8
:00401A26 FF4B1C dec [ebx+1C]
:00401A29 8D45F0 lea eax, dword ptr [ebp-10]
:00401A2C BA02000000 mov edx, 00000002
:00401A31 E8B2731200 call 00528DE8
:00401A36 8B0B mov ecx, dword ptr [ebx]
:00401A38 64890D00000000 mov dword ptr fs:[00000000], ecx
:00401A3F E972030000 jmp 00401DB6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004019E3(C)
|
:00401A44 66C743102000 mov [ebx+10], 0020
:00401A4A 33C0 xor eax, eax
:00401A4C 8945E8 mov dword ptr [ebp-18], eax
:00401A4F 8D55E8 lea edx, dword ptr [ebp-18]
:00401A52 FF431C inc [ebx+1C]
:00401A55 8B86DC020000 mov eax, dword ptr [esi+000002DC]
:00401A5B E8F8A60D00 call 004DC158
:00401A60 8D55E8 lea edx, dword ptr [ebp-18]
:00401A63 52 push edx
:00401A64 8D5711 lea edx, dword ptr [edi+11]
:00401A67 8D45E4 lea eax, dword ptr [ebp-1C]
:00401A6A E819721200 call 00528C88
:00401A6F FF431C inc [ebx+1C]
:00401A72 8D55E4 lea edx, dword ptr [ebp-1C]
:00401A75 58 pop eax
:00401A76 E851741200 call 00528ECC
:00401A7B 50 push eax
:00401A7C FF4B1C dec [ebx+1C]
:00401A7F 8D45E4 lea eax, dword ptr [ebp-1C]
:00401A82 BA02000000 mov edx, 00000002
:00401A87 E85C731200 call 00528DE8
:00401A8C FF4B1C dec [ebx+1C]
:00401A8F 8D45E8 lea eax, dword ptr [ebp-18]
:00401A92 BA02000000 mov edx, 00000002
:00401A97 E84C731200 call 00528DE8 //用户名不能为空(傻子才会跟进去)
:00401A9C 59 pop ecx
:00401A9D 84C9 test cl, cl
:00401A9F 745F je 00401B00 //下 r fl z ,F5退出,可看到上面提示
:00401AA1 66C743102C00 mov [ebx+10], 002C
:00401AA7 8D5712 lea edx, dword ptr [edi+12]
:00401AAA 8D45E0 lea eax, dword ptr [ebp-20]
:00401AAD E8D6711200 call 00528C88
:00401AB2 FF431C inc [ebx+1C]
:00401AB5 8D45E0 lea eax, dword ptr [ebp-20]
:00401AB8 33D2 xor edx, edx
:00401ABA 8955DC mov dword ptr [ebp-24], edx
:00401ABD 8D55DC lea edx, dword ptr [ebp-24]
:00401AC0 FF431C inc [ebx+1C]
:00401AC3 E82CA90100 call 0041C3F4
:00401AC8 8D45DC lea eax, dword ptr [ebp-24]
:00401ACB 8B00 mov eax, dword ptr [eax]
:00401ACD E8CA410100 call 00415C9C
:00401AD2 FF4B1C dec [ebx+1C]
:00401AD5 8D45DC lea eax, dword ptr [ebp-24]
:00401AD8 BA02000000 mov edx, 00000002
:00401ADD E806731200 call 00528DE8
:00401AE2 FF4B1C dec [ebx+1C]
:00401AE5 8D45E0 lea eax, dword ptr [ebp-20]
:00401AE8 BA02000000 mov edx, 00000002
:00401AED E8F6721200 call 00528DE8
:00401AF2 8B0B mov ecx, dword ptr [ebx]
:00401AF4 64890D00000000 mov dword ptr fs:[00000000], ecx
:00401AFB E9B6020000 jmp 00401DB6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401A9F(C)
|
:00401B00 66C743103800 mov [ebx+10], 0038
:00401B06 33C0 xor eax, eax
:00401B08 8945D8 mov dword ptr [ebp-28], eax
:00401B0B 8D55D8 lea edx, dword ptr [ebp-28]
:00401B0E FF431C inc [ebx+1C]
:00401B11 8B86E0020000 mov eax, dword ptr [esi+000002E0]
:00401B17 E83CA60D00 call 004DC158
:00401B1C 8D55D8 lea edx, dword ptr [ebp-28]
:00401B1F 52 push edx
:00401B20 8D5724 lea edx, dword ptr [edi+24]
:00401B23 8D45D4 lea eax, dword ptr [ebp-2C]
:00401B26 E85D711200 call 00528C88
:00401B2B FF431C inc [ebx+1C]
:00401B2E 8D55D4 lea edx, dword ptr [ebp-2C]
:00401B31 58 pop eax
:00401B32 E895731200 call 00528ECC
:00401B37 50 push eax
:00401B38 FF4B1C dec [ebx+1C]
:00401B3B 8D45D4 lea eax, dword ptr [ebp-2C]
:00401B3E BA02000000 mov edx, 00000002
:00401B43 E8A0721200 call 00528DE8
:00401B48 FF4B1C dec [ebx+1C]
:00401B4B 8D45D8 lea eax, dword ptr [ebp-28]
:00401B4E BA02000000 mov edx, 00000002
:00401B53 E890721200 call 00528DE8 //注册号不能为空(快点走吧……)
:00401B58 59 pop ecx
:00401B59 84C9 test cl, cl
:00401B5B 745F je 00401BBC //下 r fl z ,F5退出,可看到上面提示
:00401B5D 66C743104400 mov [ebx+10], 0044
:00401B63 8D5725 lea edx, dword ptr [edi+25]
:00401B66 8D45D0 lea eax, dword ptr [ebp-30]
:00401B69 E81A711200 call 00528C88
:00401B6E FF431C inc [ebx+1C]
:00401B71 8D45D0 lea eax, dword ptr [ebp-30]
:00401B74 33D2 xor edx, edx
:00401B76 8955CC mov dword ptr [ebp-34], edx
:00401B79 8D55CC lea edx, dword ptr [ebp-34]
:00401B7C FF431C inc [ebx+1C]
:00401B7F E870A80100 call 0041C3F4
:00401B84 8D45CC lea eax, dword ptr [ebp-34]
:00401B87 8B00 mov eax, dword ptr [eax]
:00401B89 E80E410100 call 00415C9C
:00401B8E FF4B1C dec [ebx+1C]
:00401B91 8D45CC lea eax, dword ptr [ebp-34]
:00401B94 BA02000000 mov edx, 00000002
:00401B99 E84A721200 call 00528DE8
:00401B9E FF4B1C dec [ebx+1C]
:00401BA1 8D45D0 lea eax, dword ptr [ebp-30]
:00401BA4 BA02000000 mov edx, 00000002
:00401BA9 E83A721200 call 00528DE8
:00401BAE 8B0B mov ecx, dword ptr [ebx]
:00401BB0 64890D00000000 mov dword ptr fs:[00000000], ecx
:00401BB7 E9FA010000 jmp 00401DB6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B5B(C)
|
:00401BBC 66C743105C00 mov [ebx+10], 005C
:00401BC2 33C0 xor eax, eax
:00401BC4 8945C4 mov dword ptr [ebp-3C], eax
:00401BC7 8D55C4 lea edx, dword ptr [ebp-3C]
:00401BCA FF431C inc [ebx+1C]
:00401BCD 8B86D8020000 mov eax, dword ptr [esi+000002D8]
:00401BD3 E880A50D00 call 004DC158
:00401BD8 8D55C4 lea edx, dword ptr [ebp-3C]
:00401BDB 33C0 xor eax, eax
:00401BDD 8B0A mov ecx, dword ptr [edx]
:00401BDF 8D55C8 lea edx, dword ptr [ebp-38]
:00401BE2 51 push ecx
:00401BE3 8945C8 mov dword ptr [ebp-38], eax
:00401BE6 FF431C inc [ebx+1C]
:00401BE9 8B86DC020000 mov eax, dword ptr [esi+000002DC]
:00401BEF E864A50D00 call 004DC158
:00401BF4 8D45C8 lea eax, dword ptr [ebp-38]
:00401BF7 8B00 mov eax, dword ptr [eax]
:00401BF9 33D2 xor edx, edx
:00401BFB 8955FC mov dword ptr [ebp-04], edx
:00401BFE 8D4DFC lea ecx, dword ptr [ebp-04]
:00401C01 FF431C inc [ebx+1C]
:00401C04 5A pop edx
:00401C05 E8762C0100 call 00414880
:00401C0A FF4B1C dec [ebx+1C]
:00401C0D 8D45C4 lea eax, dword ptr [ebp-3C]
:00401C10 BA02000000 mov edx, 00000002
:00401C15 E8CE711200 call 00528DE8
:00401C1A FF4B1C dec [ebx+1C]
:00401C1D 8D45C8 lea eax, dword ptr [ebp-38]
:00401C20 BA02000000 mov edx, 00000002
:00401C25 E8BE711200 call 00528DE8
:00401C2A 66C743105000 mov [ebx+10], 0050
:00401C30 66C743106800 mov [ebx+10], 0068
:00401C36 33C0 xor eax, eax
:00401C38 8945C0 mov dword ptr [ebp-40], eax
:00401C3B 8D55C0 lea edx, dword ptr [ebp-40]
:00401C3E FF431C inc [ebx+1C]
:00401C41 8B86E0020000 mov eax, dword ptr [esi+000002E0]
:00401C47 E80CA50D00 call 004DC158
:00401C4C 8D55C0 lea edx, dword ptr [ebp-40]
:00401C4F 8D45FC lea eax, dword ptr [ebp-04]
:00401C52 E875721200 call 00528ECC
:00401C57 50 push eax
:00401C58 FF4B1C dec [ebx+1C]
:00401C5B 8D45C0 lea eax, dword ptr [ebp-40]
:00401C5E BA02000000 mov edx, 00000002
:00401C63 E880711200 call 00528DE8 //恭喜你,你已成功注册(哈……哈……,快成功了!)
:00401C68 59 pop ecx
:00401C69 84C9 test cl, cl
:00401C6B 0F84C0000000 je 00401D31 //下 r fl z ,F5退出,可看到上面提示
:00401C71 66C743107400 mov [ebx+10], 0074
:00401C77 33C0 xor eax, eax
:00401C79 8945BC mov dword ptr [ebp-44], eax
:00401C7C 8D55BC lea edx, dword ptr [ebp-44]
:00401C7F FF431C inc [ebx+1C]
:00401C82 8B86D8020000 mov eax, dword ptr [esi+000002D8]
:00401C88 E8CBA40D00 call 004DC158
:00401C8D 8D55BC lea edx, dword ptr [ebp-44]
:00401C90 33C0 xor eax, eax
:00401C92 8B0A mov ecx, dword ptr [edx]
:00401C94 8D55B8 lea edx, dword ptr [ebp-48]
:00401C97 51 push ecx
:00401C98 8945B8 mov dword ptr [ebp-48], eax
:00401C9B FF431C inc [ebx+1C]
:00401C9E 8B86DC020000 mov eax, dword ptr [esi+000002DC]
:00401CA4 E8AFA40D00 call 004DC158
:00401CA9 8D55B8 lea edx, dword ptr [ebp-48]
:00401CAC 8B0A mov ecx, dword ptr [edx]
:00401CAE 51 push ecx
:00401CAF E818340100 call 004150CC
:00401CB4 83C408 add esp, 00000008
:00401CB7 FF4B1C dec [ebx+1C]
:00401CBA 8D45B8 lea eax, dword ptr [ebp-48]
:00401CBD BA02000000 mov edx, 00000002 //D EDX ,ALT+↑可看到注册码
:00401CC2 E821711200 call 00528DE8
:00401CC7 FF4B1C dec [ebx+1C]
:00401CCA 8D45BC lea eax, dword ptr [ebp-44]
:00401CCD BA02000000 mov edx, 00000002
:00401CD2 E811711200 call 00528DE8
:00401CD7 66C743108000 mov [ebx+10], 0080
:00401CDD 8D573D lea edx, dword ptr [edi+3D]
:00401CE0 8D45B4 lea eax, dword ptr [ebp-4C]
:00401CE3 E8A06F1200 call 00528C88
:00401CE8 FF431C inc [ebx+1C]
:00401CEB 8D45B4 lea eax, dword ptr [ebp-4C]
:00401CEE 33D2 xor edx, edx
:00401CF0 8955B0 mov dword ptr [ebp-50], edx
:00401CF3 8D55B0 lea edx, dword ptr [ebp-50]
:00401CF6 FF431C inc [ebx+1C]
:00401CF9 E8F6A60100 call 0041C3F4
:00401CFE 8D45B0 lea eax, dword ptr [ebp-50]
:00401D01 8B00 mov eax, dword ptr [eax]
:00401D03 E8B03E0100 call 00415BB8 //弹出“恭喜你,你已成功注册”窗口
**********************************************************************
大家明白了吗?r fl z 并不会真的修改程序,只是起到模拟的作用,用它来验证某些 CALL 的功能非常好用,对于不太懂汇编的初学者来说,看到可疑的 CALL 与 jne,je 时,在jne/je 处下 r fl z ,再 F5 退出,看一看提示,就毋须象以前那样乱 D or ?一通,甚至 F8 跟入,徒劳无功了。如象 00401C63 处,在 00401C6B je 00401D31 处下 r fl z,弹出成功窗口,说明这个call有问题,虽然跟进这个 call 只能看到正确注册码的前三位,但很多软件还是用这种办法直接找到注册码或 F8 跟入再找到注册码的。
注:1、各位验证某个 call 时最好先 BD * 中断之前的所有断点,再在这个 call按F9 设断,下 r fl z ,F5 退出后,如果发现不是验证注册码的 call ,按确定一般都可以被 TRW2000,SOFT-ICE 拦截,以便继续验证。(因为验证可能不止一次,如上例,以免重复作无谓的劳动。)
2、00401C6B je 00401D31 处必须下 r fl z,否则你是不可能来到00401CBD mov edx, 00000002的,切记,切记!
下面给出一个必须用r fl z命令来破解的例子,体会此命令的重要性
软件名称:魔法转换1.5
整理日期:2001.4.1
最新版本:1.5 build 0401
文件大小:528KB
软件授权:共享软件
使用平台:Win9x/NT/2000
发布公司:Home Page
软件简介:
是一个图像转换工具。它支持的图像格式有BMP,GIF,JPG,ICO等等。能将它支持的格式图像转换或批量转换为BMP,GIF,JPG格式。它之所以魔法,就是它能将图像转换为HTM,TXT,RTF格式,而且支持彩色转换和单色转换,还分为多种模式转换,比如缩小一倍。如果转换出ASCII字符不满意,还可以设置字符方案,在选项里你可以调入一幅图像来扫描字符,直到满意为止。又能导入方案和导出方案。
下载: http://www.esoftware.com.cn/ 搜一下,很容易搜到
不直接比对,较讨厌
1.脱aspack壳,w32dasm黄金版反汇编
* Possible StringData Ref from Code Obj ->"magct"
|
:004B262E BAF0274B00 mov edx, 004B27F0 -------(1)
:004B2633 A1384F4C00 mov eax, dword ptr [004C4F38]
:004B2638 E8F3BAFBFF call 0046E130
:004B263D 46 inc esi
:004B263E 0F85BF000000 jne 004B2703 ------------(2)
:004B2644 8B45F8 mov eax, dword ptr [ebp-08] *
:004B2647 8B55F4 mov edx, dword ptr [ebp-0C] *(3)
:004B264A E8B116F5FF call 00403D00 **
:004B264F 753D jne 004B268E *
:004B2651 33D2 xor edx, edx
:004B2653 8B83E8010000 mov eax, dword ptr [ebx+000001E8]
:004B2659 E816FFF6FF call 00422574
* Possible StringData Ref from Code Obj ->"已注册!授权给:"
|
:004B265E 6854284B00 push 004B2854
:004B2663 FF75FC push [ebp-04]
* Possible StringData Ref from Code Obj ->" 注册码:"
|
:004B2666 6870284B00 push 004B2870
:004B266B FF75F4 push [ebp-0C]
:004B266E 8D45F0 lea eax, dword ptr [ebp-10]
:004B2671 BA04000000 mov edx, 00000004
:004B2676 E83516F5FF call 00403CB0
:004B267B 8B55F0 mov edx, dword ptr [ebp-10]
:004B267E 8B83F0010000 mov eax, dword ptr [ebx+000001F0]
:004B2684 E883FFF6FF call 0042260C
:004B2689 E9E5000000 jmp 004B2773
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B264F(C)
|
:004B268E 8D45F0 lea eax, dword ptr [ebp-10]
:004B2691 E81A550000 call 004B7BB0
:004B2696 8B45F0 mov eax, dword ptr [ebp-10]
:004B2699 E8524FF5FF call 004075F0
:004B269E 83F81E cmp eax, 0000001E
:004B26A1 7E15 jle 004B26B8
* Possible StringData Ref from Code Obj ->"这是共享软件!你已经用了30天,如果觉得满意,请"
->"注册!"
|
:004B26A3 BA84284B00 mov edx, 004B2884
2.填入用户名,注册码后退出,时间后调一年
trw2000载入
bpx 4b262e (1)
r fl z (2) 使不跳 此处不修改跳转,根本无法来到(3)
d eax (3)
3.注册码保存处
win.ini
[magct]
name=guodong
code=670E75156F1C64236F2A6E316738
关于本文----本文第一部分为paulyoung破文
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
