
自明排课系统 6.1 (Ziming course scheduling system) & 学籍成绩系统 2.1 (student records and grades system): cracking notes

Date: 2004/10/15 0:57:00  Source: compiled by this site  Author: 蓝点

Software name: 自明排课系统 6.1 & 学籍成绩系统 2.1
Latest version: 6.1
File size: 1.230MB
License: shareware
Platform: Win9x/Me/2000/XP
Description: Welcome to 自明排课系统, and congratulations: from now on you can schedule classes with ease. 自明排课系统 6.1 produces timetables that are more sensible than manual scheduling; once you can use it fluently, both your productivity and the quality of your timetables improve greatly.
Protection: registration code
Limitations: feature restrictions
Cracking tools: TRW2000 1.23 registered edition, W32Dasm 8.93 Gold Edition, FI 2.5
Crack date: 2003-04-21
Statement by the author, newlaos: this is for study only. Please do not use it for commercial purposes or freely distribute any keygen made with the method in this article; I accept no responsibility for any consequences.
1. Checked for a packer with FI 2.5: Zmpk.exe is not packed.
2. Disassembled statically with the W32Dasm Gold corrected edition, found the string "您输入的许可证号有误,您输入的名单将不能保存。" (the license-number error message) and double-clicked it to reach the code segment below.
3. Dynamic tracing. Bring out the national treasure, TRW2000, and set a breakpoint with BPX 0043FD87 (this is the key spot; see the dynamic code analysis below). Now we can trace and debug it live.
.......
.......

* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:0043FD81 FF15F0314500 Call dword ptr [004531F0]
:0043FD87 A1986F4600 mov eax, dword ptr [00466F98]
:0043FD8C 803800 cmp byte ptr [eax], 00
:0043FD8F 0F8485000000 je 0043FE1A
:0043FD95 50 push eax <=== fake code 787878787878
:0043FD96 E8ACB80000 call 0044B647 <=== press F8 to step in and take a look!
:0043FD9B 8B0E mov ecx, dword ptr [esi]
:0043FD9D 83C404 add esp, 00000004
:0043FDA0 8B5108 mov edx, dword ptr [ecx+08]
:0043FDA3 89843294000000 mov dword ptr [edx+esi+00000094], eax
:0043FDAA A188B74500 mov eax, dword ptr [0045B788] <=== the key flag is loaded here
:0043FDAF 85C0 test eax, eax <=== eax must be 0 for registration to succeed
:0043FDB1 7554 jne 0043FE07 <=== if this jumps, it's over.
:0043FDB3 8B06 mov eax, dword ptr [esi]

* Reference To: USER32.SendMessageA, Ord:0214h
|
:0043FDB5 8B1DEC314500 mov ebx, dword ptr [004531EC]
:0043FDBB 8BD0 mov edx, eax
:0043FDBD 6A00 push 00000000
:0043FDBF 8B4808 mov ecx, dword ptr [eax+08]
:0043FDC2 6831750000 push 00007531
:0043FDC7 8B4208 mov eax, dword ptr [edx+08]
:0043FDCA 6811010000 push 00000111
:0043FDCF 8D3C31 lea edi, dword ptr [ecx+esi]
:0043FDD2 8B8C30700B0000 mov ecx, dword ptr [eax+esi+00000B70]
:0043FDD9 51 push ecx
:0043FDDA FFD3 call ebx <===CALL USER32.SendMessageA
:0043FDDC 398794000000 cmp dword ptr [edi+00000094], eax <=== these must be equal for registration to succeed; [edi+00000094] is the value produced by the call above, and eax is presumably derived from the machine code
:0043FDE2 7436 je 0043FE1A
:0043FDE4 8B97700B0000 mov edx, dword ptr [edi+00000B70]
:0043FDEA 6A00 push 00000000
:0043FDEC 6832750000 push 00007532
:0043FDF1 6811010000 push 00000111
:0043FDF6 52 push edx
:0043FDF7 FFD3 call ebx <=== CALL USER32.SendMessageA (by this point the "wrong registration number" dialog will also appear)
:0043FDF9 8B0E mov ecx, dword ptr [esi]
:0043FDFB 8B5108 mov edx, dword ptr [ecx+08]
:0043FDFE 39843294000000 cmp dword ptr [edx+esi+00000094], eax
:0043FE05 7413 je 0043FE1A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043FDB1(C)
|
:0043FE07 6A30 push 00000030

* Possible StringData Ref from Data Obj ->"注册许可证号"
|
:0043FE09 6800B84500 push 0045B800

* Possible StringData Ref from Data Obj ->"您输入的许可证号有误,您输入的名单将不能保存。"
|
:0043FE0E 68D0B74500 push 0045B7D0
:0043FE13 55 push ebp

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0043FE14 FF1514324500 Call dword ptr [00453214]
===========================================================================================
* Referenced by a CALL at Addresses:
|:00417E08 , :00417E3C , :0042DCCF , :0042F6EB , :0043F9D8
|:0043FD96 , :004401CA , :004401FF , :00444895 , :00444905
|
:0044B647 FF742404 push [esp+04]
:0044B64B E86CFFFFFF call 0044B5BC ------> here
:0044B650 59 pop ecx
:0044B651 C3 ret
============================================================================================
* Referenced by a CALL at Address:
|:0044B64B
|
:0044B5BC 53 push ebx -> I think the computation is probably what follows.
:0044B5BD 55 push ebp
:0044B5BE 56 push esi
:0044B5BF 57 push edi
:0044B5C0 8B7C2414 mov edi, dword ptr [esp+14]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B5F0(U)
|
:0044B5C4 833D5C58460001 cmp dword ptr [0046585C], 00000001
:0044B5CB 7E0F jle 0044B5DC
:0044B5CD 0FB607 movzx eax, byte ptr [edi]

* Possible Reference to Dialog: PRINTWEEKSET, CONTROL_ID:0008, "h4?:"
|
:0044B5D0 6A08 push 00000008
:0044B5D2 50 push eax
:0044B5D3 E8130B0000 call 0044C0EB <=== there is a call here
:0044B5D8 59 pop ecx
:0044B5D9 59 pop ecx
:0044B5DA EB0F jmp 0044B5EB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B5CB(C)
|
:0044B5DC 0FB607 movzx eax, byte ptr [edi]

* Possible StringData Ref from Data Obj ->" ((((( "
->" H"
|
:0044B5DF 8B0D50564600 mov ecx, dword ptr [00465650]
:0044B5E5 8A0441 mov al, byte ptr [ecx+2*eax]
:0044B5E8 83E008 and eax, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B5DA(U)
|
:0044B5EB 85C0 test eax, eax
:0044B5ED 7403 je 0044B5F2
:0044B5EF 47 inc edi
:0044B5F0 EBD2 jmp 0044B5C4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B5ED(C)
|
:0044B5F2 0FB637 movzx esi, byte ptr [edi]
:0044B5F5 47 inc edi
:0044B5F6 83FE2D cmp esi, 0000002D
:0044B5F9 8BEE mov ebp, esi
:0044B5FB 7405 je 0044B602
:0044B5FD 83FE2B cmp esi, 0000002B
:0044B600 7504 jne 0044B606

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B5FB(C)
|
:0044B602 0FB637 movzx esi, byte ptr [edi]
:0044B605 47 inc edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B600(C)
|
:0044B606 33DB xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B637(U)
|
:0044B608 833D5C58460001 cmp dword ptr [0046585C], 00000001
:0044B60F 7E0C jle 0044B61D

* Possible Reference to Dialog: AUTOSET, CONTROL_ID:0004, ""
|
:0044B611 6A04 push 00000004
:0044B613 56 push esi
:0044B614 E8D20A0000 call 0044C0EB <=== the second call
:0044B619 59 pop ecx
:0044B61A 59 pop ecx
:0044B61B EB0B jmp 0044B628

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B60F(C)
|

* Possible StringData Ref from Data Obj ->" ((((( "
->" H"
|
:0044B61D A150564600 mov eax, dword ptr [00465650]
:0044B622 8A0470 mov al, byte ptr [eax+2*esi]
:0044B625 83E004 and eax, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B61B(U)
|
:0044B628 85C0 test eax, eax
:0044B62A 740D je 0044B639
:0044B62C 8D049B lea eax, dword ptr [ebx+4*ebx]
:0044B62F 8D5C46D0 lea ebx, dword ptr [esi+2*eax-30]
:0044B633 0FB637 movzx esi, byte ptr [edi]
:0044B636 47 inc edi
:0044B637 EBCF jmp 0044B608

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B62A(C)
|
:0044B639 83FD2D cmp ebp, 0000002D
:0044B63C 8BC3 mov eax, ebx
:0044B63E 7502 jne 0044B642
:0044B640 F7D8 neg eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B63E(C)
|
:0044B642 5F pop edi
:0044B643 5E pop esi
:0044B644 5D pop ebp
:0044B645 5B pop ebx
:0044B646 C3 ret
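
The routine at 0044B5BC is not a key computation at all: it is the C runtime's atol (skip whitespace, optional sign, accumulate decimal digits; the push 8 and push 4 are the ctype _SPACE and _DIGIT bits, so W32Dasm's "Possible Reference to Dialog" lines there are false positives). Below is an added C example, not code from the article or the product, that re-implements it and the decision at 0043FDAA..0043FDE2; `expected` stands in for the value the WM_COMMAND (0x111) handler returns in eax, which the article only says is derived from the machine code.

```c
#include <ctype.h>

/* Re-implementation of the routine at 0044B5BC (added example).
 * On the original 32-bit target `long` is 32 bits, so large inputs wrap. */
long zm_atol(const char *s)
{
    long value = 0;                     /* ebx: accumulated number   */
    int sign;                           /* ebp: first non-space byte */

    /* 0044B5C4..0044B5F0: skip leading whitespace (ctype bit 8 = _SPACE) */
    while (isspace((unsigned char)*s))
        s++;

    /* 0044B5F2..0044B605: remember the sign byte, consume '+' or '-' */
    sign = (unsigned char)*s;
    if (sign == '-' || sign == '+')
        s++;

    /* 0044B608..0044B637: while the byte is a digit (ctype bit 4 = _DIGIT):
     *   lea eax,[ebx+4*ebx]  ; eax = 5*ebx
     *   lea ebx,[esi+2*eax-30h] ; ebx = 10*ebx + c - '0'                */
    while (isdigit((unsigned char)*s)) {
        value = value * 10 + (*s - '0');
        s++;
    }

    /* 0044B639..0044B640: negate if the sign byte was '-' */
    return sign == '-' ? -value : value;
}

/* The check at 0043FDAA..0043FDE2 as the article describes it: the flag at
 * [0045B788] must be zero, and atol(license text) must equal the value the
 * SendMessage(.., 0x111, 0x7531, 0) call leaves in eax (`expected` here). */
int license_accepted(long flag, const char *license_text, long expected)
{
    if (flag != 0)
        return 0;                       /* jne 0043FE07: error message box */
    return zm_atol(license_text) == expected;   /* je 0043FE1A: accepted */
}
```

Because the accepted value is a plain integer the program computes in-process and compares with one cmp, the whole check collapses to the two patch points the article lists.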

4. Patching this software (once the patch succeeds, a flag is left on the system and the check is never run again) ------> perfect!

a. At the line 0043FDAF 85C0 test eax, eax, EAX must be forced to 0 so that the jump on the next line is not taken. I verified that the CALL at 0043FD96 can never make EAX 0. Change this line to XOR EAX, EAX (85C0 becomes 33C0).
b. At 0043FDDC 398794000000 cmp dword ptr [edi+00000094], eax <=== [edi+00000094] is the value produced by the call above, eax is the transformed machine code, and the two must be equal.
************* original code ***********************************************
:0043FDDC 398794000000 cmp dword ptr [edi+00000094], eax
:0043FDE2 7436 je 0043FE1A
:0043FDE4 8B97700B0000 mov edx, dword ptr [edi+00000B70]
:0043FDEA 6A00 push 00000000

************* patched code *********************************************
:0043FDDC 898794000000 MOV DWORD PTR DS:[EDI+94],EAX
:0043FDE2 398794000000 CMP DWORD PTR DS:[EDI+94],EAX
:0043FDE8 7430 je 0043FE1A
:0043FDEA 6A00 PUSH 00000000


5. Of course, my favourite cracking method is to make a memory patch with KEYMAKE 1.73, so the original file is not modified (but if the program is started without the loader, do not enter the license serial number again, otherwise it returns to the unregistered state).
6. The registration information is saved in the file DisFile.Dat.
---------------------------------------------------------------------------------------------
************************** 学籍成绩系统 2.1 ---- cracking notes (same method as above) ******************************
---------------------------------------------------------------------------------------------
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:00403BE1 FF15D8F24300 Call dword ptr [0043F2D8]
:00403BE7 A1909D4400 mov eax, dword ptr [00449D90]
:00403BEC 803800 cmp byte ptr [eax], 00
:00403BEF 747D je 00403C6E
:00403BF1 50 push eax
:00403BF2 E899250300 call 00436190
:00403BF7 8B0E mov ecx, dword ptr [esi]
:00403BF9 83C404 add esp, 00000004
:00403BFC 8B5104 mov edx, dword ptr [ecx+04]
:00403BFF 89843284000000 mov dword ptr [edx+esi+00000084], eax
:00403C06 A18C2B4400 mov eax, dword ptr [00442B8C]
:00403C0B 85C0 test eax, eax <=== change this to XOR EAX, EAX (33C0)
:00403C0D 754C jne 00403C5B
:00403C0F 8B06 mov eax, dword ptr [esi]

* Reference To: USER32.SendMessageA, Ord:0214h
|
:00403C11 8B1D20F24300 mov ebx, dword ptr [0043F220]
:00403C17 8BD0 mov edx, eax
:00403C19 6A00 push 00000000
:00403C1B 8B4804 mov ecx, dword ptr [eax+04]
:00403C1E 6831750000 push 00007531
:00403C23 8B4204 mov eax, dword ptr [edx+04]
:00403C26 6811010000 push 00000111
:00403C2B 8D3C31 lea edi, dword ptr [ecx+esi]
:00403C2E 8B0C30 mov ecx, dword ptr [eax+esi]
:00403C31 51 push ecx
:00403C32 FFD3 call ebx
************************ original code **********************
:00403C34 398784000000 cmp dword ptr [edi+00000084], eax
:00403C3A 7432 je 00403C6E
:00403C3C 8B17 mov edx, dword ptr [edi]
:00403C3E 6A00 push 00000000
:00403C40 6832750000 push 00007532
:00403C45 6811010000 push 00000111

*********************** patched code ***********************
:00403C34 898784000000 MOV DWORD PTR DS:[EDI+84],EAX
:00403C3A 398784000000 CMP DWORD PTR DS:[EDI+84],EAX
:00403C40 742C je 00403C6E
:00403C42 90 NOP
:00403C43 90 NOP
:00403C44 90 NOP
:00403C45 6811010000 PUSH 111
********************************************************

:00403C4A 52 push edx
:00403C4B FFD3 call ebx
:00403C4D 8B0E mov ecx, dword ptr [esi]
:00403C4F 8B5104 mov edx, dword ptr [ecx+04]
:00403C52 39843284000000 cmp dword ptr [edx+esi+00000084], eax
:00403C59 7413 je 00403C6E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403C0D(C)
|
:00403C5B 6A30 push 00000030

* Possible StringData Ref from Data Obj ->"版权验证"
|
:00403C5D 68082C4400 push 00442C08

* Possible StringData Ref from Data Obj ->"您输入的版权认证号有误,您将不能输入学生名字。"
|
:00403C62 68D82B4400 push 00442BD8
:00403C67 55 push ebp

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00403C68 FF15C8F14300 Call dword ptr [0043F1C8]

1. The registration information is saved in the file Zmxj.dis.
