[Repost] Montai 5.0 dongle cracking process (everyone take a look and see how much of it you can follow)
Just a repost; I don't understand any of it myself!
Time to kill a dog (dongle) again, heh. Which rabid dog is it this time? I'm in the advertising business, so naturally the inkjet printing software goes under the knife first. Montai 5.0 is probably the most widely used inkjet printing software in China, so this time it's the one we try the knife on.

Tools: trw2000, w32dasm 8.93 Gold Edition, hview.

When Montai runs without the dongle it pops up a dialog box, so we start from that dialog. Run trw2000, then run Montai; the dialog appears. Switch into trw2000 (Ctrl+N), set the breakpoint bpx enddialog, return to the main program, press the "OK" button, Boom, it gets intercepted. Disable the breakpoint (BD *), then keep pressing F12 and F10 until you return to the code below:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00490D53(C)
|
:00490D5D 8B1B                 mov ebx, dword ptr [ebx]
:00490D5F 85DB                 test ebx, ebx
:00490D61 75EC                 jne 00490D4F

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00490D47(C), :00490D4D(C)
|
:00490D63 833D80AC630007       cmp dword ptr [0063AC80], 00000007   <===== we need to find a way to make [0063AC80] not equal 7
:00490D6A 750E                 jne 00490D7A
:00490D6C 833D20C6650000       cmp dword ptr [0065C620], 00000000
:00490D73 7505                 jne 00490D7A
:00490D75 E836FFFFFF           call 00490CB0                        <===== the error dialog

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00490D6A(C), :00490D73(C)
|
:00490D7A B801000000           mov eax, 00000001                    <===== we return to here

Looking upward, there are two jump instructions: the program decides whether to show the error dialog based on the contents of addresses 63ac80 and 65c620. OK, exit Montai, then set the breakpoint bpm 63ac80 and see where it breaks:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B67AC(C)
|
:004B67CD C743109A010000       mov [ebx+10], 0000019A
:004B67D4 C743145C000000       mov [ebx+14], 0000005C
:004B67DB 33D2                 xor edx, edx
:004B67DD 895318               mov dword ptr [ebx+18], edx
:004B67E0 C7431C07000000       mov [ebx+1C], 00000007               <===== this is where 63ac80 gets its value; once execution reaches here it's GAME OVER, so we look upward for a place that can skip over this
:004B67E7 68606D0000           push 00006D60                        <====== breaks here
:004B67EC E85EF10E00           call 005A594F

Looking up, it is reached from address 4B67AC:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6792(C)
|
:004B67A4 83BC240402000004     cmp dword ptr [esp+00000204], 00000004   <===== when [esp+00000204] is less than 4 it jumps to 4B67CD; without the dongle the content of this address is 0. This is also where the version number is determined: when it is >= 4, it's the General edition
:004B67AC 7C1F                 jl 004B67CD
:004B67AE C705D443630001000000 mov dword ptr [006343D4], 00000001
:004B67B8 33C0                 xor eax, eax
:004B67BA C743148C000000       mov [ebx+14], 0000008C
:004B67C1 894318               mov dword ptr [ebx+18], eax
:004B67C4 C7431C05000000       mov [ebx+1C], 00000005               <===== [63AC80]=5
:004B67CB EB55                 jmp 004B6822

Looking further up, at address 4B6792:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B66EB(U)
|
:004B6757 83BC24040200000C     cmp dword ptr [esp+00000204], 0000000C   <===== when >= 0C, it's the Professional edition
:004B675F 7C0C                 jl 004B676D
:004B6761 C7431C01000000       mov [ebx+1C], 00000001
:004B6768 E9B5000000           jmp 004B6822

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B675F(C)
|
:004B676D 83BC24040200000A     cmp dword ptr [esp+00000204], 0000000A   <===== when >= 0A, it's Professional S (does anyone know the difference between Professional S and Professional?)
:004B6775 7C13                 jl 004B678A
:004B6777 C74314C2010000       mov [ebx+14], 000001C2
:004B677E C7431C02000000       mov [ebx+1C], 00000002
:004B6785 E998000000           jmp 004B6822

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6775(C)
|
:004B678A 83BC240402000006     cmp dword ptr [esp+00000204], 00000006   <===== when >= 6, it's the Standard edition
:004B6792 7C10                 jl 004B67A4
:004B6794 C743142C010000       mov [ebx+14], 0000012C
:004B679B C7431C04000000       mov [ebx+1C], 00000004
:004B67A2 EB7E                 jmp 004B6822

OK, we're getting close to the target; look further up:

:004B6722 51                   push ecx
:004B6723 E8EAE11000           call 005C4912
:004B6728 85C0                 test eax, eax                        <===== pay attention, this is the key spot: when there is no dongle, EAX=0
:004B672A 740E                 je 004B673A
:004B672C 8B842408020000       mov eax, dword ptr [esp+00000208]
:004B6733 A320C66500           mov dword ptr [0065C620], eax
:004B6738 EB09                 jmp 004B6743

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B6702(C), :004B672A(C)
|
:004B673A 33D2                 xor edx, edx                         <===== EDX=0
:004B673C 89942404020000       mov dword ptr [esp+00000204], edx    <===== the flag is stored here, [ESP+00000204]=0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6738(U)
|
:004B6743 6800010000           push 00000100
:004B6748 6A00                 push 00000000
:004B674A 8D4C240C             lea ecx, dword ptr [esp+0C]
:004B674E 51                   push ecx
:004B674F E8A8EF1000           call 005C56FC
:004B6754 83C40C               add esp, 0000000C

OK, we've found the key spot. We need to make [ESP+00000204] non-zero. My way of changing it is:

:004B6722 51                   push ecx
:004B6723 E8EAE11000           call 005C4912
:004B6728 85C0                 test eax, eax                        <===== change to push 0c (I need the Professional edition; if you want the General edition, use 04 instead. I don't think you'd be that dumb, heh)
:004B672A 740E                 je 004B673A                          <===== change to JMPS 004B673A
:004B672C 8B842408020000       mov eax, dword ptr [esp+00000208]
:004B6733 A320C66500           mov dword ptr [0065C620], eax
:004B6738 EB09                 jmp 004B6743

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B6702(C), :004B672A(C)
|
:004B673A 33D2                 xor edx, edx                         <===== change to POP EDX; NOP (POP is only one byte, so a NOP is added to pad it out)
:004B673C 89942404020000       mov dword ptr [esp+00000204], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6738(U)
|
:004B6743 6800010000           push 00000100
:004B6748 6A00                 push 00000000
:004B674A 8D4C240C             lea ecx, dword ptr [esp+0C]
:004B674E 51                   push ecx
:004B674F E8A8EF1000           call 005C56FC
:004B6754 83C40C               add esp, 0000000C

That was long, but I've finally finished writing it. Does anyone have experience with HASP envelope-protected dongles? Could you give me a walkthrough of that process? I really need this kind of knowledge. Thanks. |
Where can I download your cracking tool? I'd like to learn from it.
|
Why change so many places in 5.0? Changing two places is enough.
|
It's already in Pediy (看雪) forum Digest 4. Unfortunately I can't understand it.
|
This has been around for a long time. Can anyone get the 5.1 crack?
|
I never learned assembly language, so I can't follow it.
|
I'm totally lost; it's like reading a book from heaven. "You only regret not reading more when the time comes to use it." That saying is so true.
|
1 attachment
The patch for 5.1 is about the same as this one; the principle is the same.
|
Heh, brother fzwbli, why doesn't your Montai show which edition it is?
|
1 attachment
It's the Professional edition. I installed a protection program, so it doesn't show. I'll post another screenshot without the protection program.
|
One word: "awesome", hehe.... Ordinary folks like me can only watch. I hope you can help us poor computer-programming illiterates. Thanks....... hehe...
|
Amazing! Bro, where can I download that software?
|
Post a cracking walkthrough for everyone to see~~~~~~~~~~~~~~~~~~~~
|
Waiting!~~~~~~~~~~~~~~~~~~~~~
|
Heartless. Cracking even a domestic product.
|