I cracked this software on the second day after its update. The reason I have waited until now to publish this write-up is that the software is really too good; I could not bear to watch it be forced to close its Guest account because cracks had spread. Please do not use this article to make crack files! Thanks for your cooperation.
Free-user restriction: ads pop up at irregular intervals
Cracking method: jump patching (the only method that works here)
Tools: FI, W32DASM, HIEW, FILEMON
Goal: remove the ads
I would bet I was the first to crack the old version 2.2. On May 14 the software announced a new version and forced an upgrade; sigh... time to crack it again...
I originally assumed this new version would be simple: the upgrade changed little, so the old approach should work. Disassemble stock.dll (the main program) with W32DASM, go to 10006737, and NOP out that CALL, done (that is how I cracked the old version). Launch! ^&%#@$!*)&( What is going on? It is downloading the engine all over again??? But there was no upgrade... Then it dawned on me: has this new build added a self-check? If anything has been modified, it... automatically re-downloads! The ads are gone; the next task is to remove that self-check! (I will not describe the ad removal again.)
My guess at the program's basic logic (two candidate flows):
(a) download the new version number from the server --> get the local version number --> compare --> equal: jump away --> not equal: download the new version --> prompt to upgrade --> install
(b) download the new version number from the server --> get the local version number --> compare --> equal: jump away --> system self-check --> matches: keep running --> does not match: download the new version from the server --> prompt to upgrade --> install
I started at 10006473 and failed after N patching attempts. At a loss, I opened the string references and found two suspicious file names: stock.dll and stock000.dll. I hurried to winnt\system32\ and, sure enough, both files were there, but they were not identical. My guess: stock000.dll is a backup of the previous version. Double-click it and you land at 10009451 (please find 10009451 below and read from there, following the comments; that way my reasoning is fairly easy to follow). "Right-click" in the comments refers to the operation in W32DASM.
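To make the two-stage flow above concrete, here is a small model of the update check followed by the self-check, written as an added example for this page; it is not code from the software being discussed. The text never shows how the real program compares stock.dll with stock000.dll (that the latter is a backup is the author's guess), so this model assumes a hash comparison between the running module and its backup copy, and assumes constructed version strings and constructed file contents in a temporary directory. What it shows is that the entire protection reduces to one boolean verdict consumed by one branch, which is exactly the shape of the `je` the listing below singles out.

```python
import hashlib
import os
import tempfile

CHUNK = 65536


def sha256_of_file(path):
    """Hash a file in chunks so a large module is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def self_check(primary_path, backup_path):
    """Model of the self-verification step: compare the running module with a
    backup copy. Assumption: the page only guesses that stock000.dll is such a
    backup and never shows the comparison; a hash comparison is used here."""
    return sha256_of_file(primary_path) == sha256_of_file(backup_path)


def update_flow(local_version, remote_version, primary_path, backup_path):
    """Return the action the modelled program takes, following flow (b) in the text:
    compare version numbers first, then run the self-check."""
    if local_version != remote_version:
        return "download-new-version"   # prompt to upgrade, install
    if not self_check(primary_path, backup_path):
        return "re-download"            # self-check failed: fetch a fresh copy
    return "continue"                   # versions equal and module intact


def demo():
    """Exercise the flow on constructed files: first intact, then with one byte changed."""
    with tempfile.TemporaryDirectory() as d:
        primary = os.path.join(d, "stock.dll")      # constructed stand-in file
        backup = os.path.join(d, "stock000.dll")    # constructed stand-in file
        data = bytes(range(256)) * 4                # constructed module contents
        for p in (primary, backup):
            with open(p, "wb") as f:
                f.write(data)
        intact = update_flow("2.3", "2.3", primary, backup)

        # Corrupt one byte of the primary module; the self-check must notice it.
        damaged = bytearray(data)
        damaged[0x10] ^= 0xFF
        with open(primary, "wb") as f:
            f.write(damaged)
        modified = update_flow("2.3", "2.3", primary, backup)
    return intact, modified


if __name__ == "__main__":
    print(demo())  # ('continue', 're-download')
```

The weak point a defender should notice is structural, not cryptographic: the reference copy sits next to the module in the same directory, the verdict is computed by the code being verified, and the only consumer of that verdict is a single conditional branch. A check like this catches accidental corruption; it cannot be relied on against anyone who can edit the module, which is what the rest of this article demonstrates.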
* Referenced by a CALL at Address:
|:100063C8 <---- the key CALL
|
:10007500 64A100000000 mov eax, dword ptr fs:[00000000]
:10007506 6AFF push FFFFFFFF
:10007508 68705B0310 push 10035B70
:1000750D 50 push eax
:1000750E 64892500000000 mov dword ptr fs:[00000000], esp
:10007515 83EC20 sub esp, 00000020
:10007518 53 push ebx
:10007519 55 push ebp
:1000751A 56 push esi
:1000751B 8BF1 mov esi, ecx
:1000751D 33DB xor ebx, ebx
:1000751F 57 push edi
:10007520 8B8638060000 mov eax, dword ptr [esi+00000638]
:10007526 3BC3 cmp eax, ebx
:10007528 740F je 10007539 <---- very suspicious; changed 74 to 75, success!
:1000752A 50 push eax
:1000752B E86FF80100 call 10026D9F
:10007530 83C404 add esp, 00000004
:10007533 899E38060000 mov dword ptr [esi+00000638], ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10007528(C) <---- right-click
:10007539 8B442444 mov eax, dword ptr [esp+44]
:1000753D 8B7C2440 mov edi, dword ptr [esp+40]
:10007541 8DAE38050000 lea ebp, dword ptr [esi+00000538]
:10007547 50 push eax
:10007548 57 push edi
:10007549 8BCE mov ecx, esi
:1000754B 894624 mov dword ptr [esi+24], eax
:1000754E 885D00 mov byte ptr [ebp+00], bl
:10007551 889E38040000 mov byte ptr [esi+00000438], bl
:10007557 E894FEFFFF call 100073F0
:1000755C 85C0 test eax, eax
:1000755E 7545 jne 100075A5 <---- maybe it is here, but testing shows it is not! Keep going up
:10007560 6800010000 push 00000100
:10007565 E80CF80100 call 10026D76
:1000756A 8BD0 mov edx, eax
:1000756C 83C404 add esp, 00000004
:1000756F 3BD3 cmp edx, ebx
:10007571 899638060000 mov dword ptr [esi+00000638], edx
:10007577 7422 je 1000759B
* Possible StringData Ref from Data Obj ->"包错误"
..............................
......................
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000755E(C) <---- right-click
|
:100075A5 33C0 xor eax, eax
:100075A7 668B07 mov ax, word ptr [edi]
:100075AA 3D00200000 cmp eax, 00002000
:100075AF 0F8F00010000 jg 100076B5 <---- cannot be the key jump, keep going up
:100075B5 0F84A4000000 je 1000765F
:100075BB 0500F0FFFF add eax, FFFFF000
:100075C0 83F80B cmp eax, 0000000B
......................
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100075AF(C) <---- right-click
|
:100076B5 3D02300000 cmp eax, 00003002
:100076BA 0F8F7C010000 jg 1000783C <---- cannot be the key jump, keep going up
:100076C0 0F84D7000000 je 1000779D
:100076C6 2D01200000 sub eax, 00002001
:100076CB 747A je 10007747
:100076CD 83E802 sub eax, 00000002
:100076D0 741F je 100076F1
.....................
...............
:10007816 50 push eax
:10007817 52 push edx
:10007818 51 push ecx
:10007819 55 push ebp
:1000781A E840E20000 call 10015A5F
:1000781F 83C418 add esp, 00000018
:10007822 8D4C241C lea ecx, dword ptr [esp+1C]
:10007826 E8F3F00100 call 1002691E
:1000782B C7442438FFFFFFFF mov [esp+38], FFFFFFFF
:10007833 8D4C2444 lea ecx, dword ptr [esp+44]
:10007837 E900010000 jmp 1000793C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100076BA(C) <---- right-click
|
:1000783C 3D00500000 cmp eax, 00005000
:10007841 755C jne 1000789F <---- we arrive here; keep going up
:10007843 3D00800000 cmp eax, 00008000
:10007848 7418 je 10007862
:1000784A 3D00A00000 cmp eax, 0000A000
:1000784F 0F85EC000000 jne 10007941
:10007855 57 push edi
:10007856 8BCE mov ecx, esi
:10007858 E8D3180000 call 10009130
:1000785D E9DF000000 jmp 10007941
.......................
..............
:1000788D F3 repz
:1000788E A5 movsd
:1000788F 8BCA mov ecx, edx
:10007891 83E103 and ecx, 00000003
:10007894 F3 repz
:10007895 A4 movsb
:10007896 8D4C2420 lea ecx, dword ptr [esp+20]
:1000789A E99D000000 jmp 1000793C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10007841(C) <---- the jump; right-click here
|
:1000789F 57 push edi
:100078A0 8BCE mov ecx, esi
:100078A2 E8E9190000 call 10009290 <---- we arrive here; keep going up
:100078A7 85C0 test eax, eax
:100078A9 750A jne 100078B5
:100078AB B803000000 mov eax, 00000003
:100078B0 E98E000000 jmp 10007943
------------------------------------------------------------------------
* Referenced by a CALL at Address:
|:100078A2 <---- right-click to see where it is called from
|
:10009290 6AFF push FFFFFFFF
:10009292 68C85B0310 push 10035BC8
:10009297 64A100000000 mov eax, dword ptr fs:[00000000]
:1000929D 50 push eax
:1000929E 64892500000000 mov dword ptr fs:[00000000], esp
...............
............
:100092DE 752F jne 1000930F
:100092E0 56 push esi
:100092E1 8BCB mov ecx, ebx
:100092E3 E888000000 call 10009370 <---- keep going up
:100092E8 8D4C240C lea ecx, dword ptr [esp+0C]
:100092EC C7442450FFFFFFFF mov [esp+50], FFFFFFFF
:100092F4 E8179DFFFF call 10003010
------------------------------------------------------------------
* Referenced by a CALL at Address:
|:100092E3 <---- the CALL; right-click to see where it is called from
|
:10009370 81EC00030000 sub esp, 00000300
:10009376 8D842400020000 lea eax, dword ptr [esp+00000200]
:1000937D 53 push ebx
:1000937E 55 push ebp
:1000937F 56 push esi
:10009380 57 push edi
:10009381 6880000000 push 00000080
:10009386 50 push eax
* Reference To: KERNEL32.GetSystemDirectoryA, Ord:0159h <---- gets the system directory, keep going up
|
:10009387 FF15E4710310 Call dword ptr [100371E4]
:1000938D 83C9FF or ecx, FFFFFFFF
* Possible StringData Ref from Data Obj ->"\"
|
:10009390 BFE4520410 mov edi, 100452E4
:10009395 33C0 xor eax, eax
.................
........
:10009449 A5 movsd
:1000944A 8BC8 mov ecx, eax
:1000944C 83E103 and ecx, 00000003
:1000944F F3 repz
:10009450 A4 movsb
* Possible StringData Ref from Data Obj ->"stock000.dll" <---- we arrive here; search upward from this point
|
:10009451 BF40590410 mov edi, 10045940
:10009456 83C9FF or ecx, FFFFFFFF
:10009459 33C0 xor eax, eax
:1000945B 8D942410010000 lea edx, dword ptr [esp+00000110]
Summary:
--------------------------------------
At 10006737, E824000000 becomes 9090909090
At 10007528, 74 becomes 75
Six bytes modified in total; done.
Editor: 原点
Contributor: collected by this site
Source: the web
Entered: 2005-5-26