

自明排课系统 (Ziming Timetabling System) 6.1 & 学籍成绩系统 (Student Records & Grades System) 2.1: crack notes

Date: 2004/10/15 0:57:00  Source: compiled by this site  Author: 蓝点

Software name: 自明排课系统 6.1 & 学籍成绩系统 2.1
Latest version: 6.1
File size: 1.230MB
License: shareware
Platform: Win9x/Me/2000/XP
Description: Welcome to 自明排课系统, and congratulations on being able to schedule classes with ease from now on. 自明排课系统 6.1 produces a more sensible timetable than manual scheduling; once you can use it proficiently, both your efficiency and the quality of your timetables improve greatly.
Protection: registration code
Restrictions: feature-limited
Cracking tools: TRW2000 1.23 registered edition, W32Dasm 8.93 Gold edition, FI 2.5
Crack date: 2003-04-21
Author newlaos declares: this is for study only; do not use it for commercial purposes or freely distribute keygens made with the method in this article. I take no responsibility for any consequences.
1. Check for a packer with FI 2.5: Zmpk.exe is not packed.
2. Static disassembly with the W32Dasm Gold corrected edition. Find the string "您输入的许可证号有误,您输入的名单将不能保存。" ("The license number you entered is wrong; the roster you entered cannot be saved.") and double-click it to land in the code segment below.
3. Dynamic tracing. Fire up the trusty TRW2000 and set a breakpoint with BPX 0043FD87 (this is the key point; see the dynamic code analysis below). Now the program can be traced live.
.......
.......

* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:0043FD81 FF15F0314500 Call dword ptr [004531F0]
:0043FD87 A1986F4600 mov eax, dword ptr [00466F98]
:0043FD8C 803800 cmp byte ptr [eax], 00
:0043FD8F 0F8485000000 je 0043FE1A
:0043FD95 50 push eax <=== fake code 787878787878
:0043FD96 E8ACB80000 call 0044B647 <=== F8 to step into it and have a look!
:0043FD9B 8B0E mov ecx, dword ptr [esi]
:0043FD9D 83C404 add esp, 00000004
:0043FDA0 8B5108 mov edx, dword ptr [ecx+08]
:0043FDA3 89843294000000 mov dword ptr [edx+esi+00000094], eax
:0043FDAA A188B74500 mov eax, dword ptr [0045B788] <=== the key flag is assigned here
:0043FDAF 85C0 test eax, eax <=== eax must be 0 for registration to succeed
:0043FDB1 7554 jne 0043FE07 <=== if this jumps, it's over.
:0043FDB3 8B06 mov eax, dword ptr [esi]

* Reference To: USER32.SendMessageA, Ord:0214h
|
:0043FDB5 8B1DEC314500 mov ebx, dword ptr [004531EC]
:0043FDBB 8BD0 mov edx, eax
:0043FDBD 6A00 push 00000000
:0043FDBF 8B4808 mov ecx, dword ptr [eax+08]
:0043FDC2 6831750000 push 00007531
:0043FDC7 8B4208 mov eax, dword ptr [edx+08]
:0043FDCA 6811010000 push 00000111
:0043FDCF 8D3C31 lea edi, dword ptr [ecx+esi]
:0043FDD2 8B8C30700B0000 mov ecx, dword ptr [eax+esi+00000B70]
:0043FDD9 51 push ecx
:0043FDDA FFD3 call ebx <===CALL USER32.SendMessageA
:0043FDDC 398794000000 cmp dword ptr [edi+00000094], eax <=== these must be equal for registration to succeed; [edi+00000094] is the value produced by the call above, and eax is presumably derived from the machine code
:0043FDE2 7436 je 0043FE1A
:0043FDE4 8B97700B0000 mov edx, dword ptr [edi+00000B70]
:0043FDEA 6A00 push 00000000
:0043FDEC 6832750000 push 00007532
:0043FDF1 6811010000 push 00000111
:0043FDF6 52 push edx
:0043FDF7 FFD3 call ebx <=== CALL USER32.SendMessageA (the "wrong registration number" dialog also comes out from here)
:0043FDF9 8B0E mov ecx, dword ptr [esi]
:0043FDFB 8B5108 mov edx, dword ptr [ecx+08]
:0043FDFE 39843294000000 cmp dword ptr [edx+esi+00000094], eax
:0043FE05 7413 je 0043FE1A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043FDB1(C)
|
:0043FE07 6A30 push 00000030

* Possible StringData Ref from Data Obj ->"注册许可证号"
|
:0043FE09 6800B84500 push 0045B800

* Possible StringData Ref from Data Obj ->"您输入的许可证号有误,您输入的名单将不能保存。"
|
:0043FE0E 68D0B74500 push 0045B7D0
:0043FE13 55 push ebp

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0043FE14 FF1514324500 Call dword ptr [00453214]
===========================================================================================
* Referenced by a CALL at Addresses:
|:00417E08 , :00417E3C , :0042DCCF , :0042F6EB , :0043F9D8
|:0043FD96 , :004401CA , :004401FF , :00444895 , :00444905
|
:0044B647 FF742404 push [esp+04]
:0044B64B E86CFFFFFF call 0044B5BC ------> here
:0044B650 59 pop ecx
:0044B651 C3 ret
============================================================================================
* Referenced by a CALL at Address:
|:0044B64B
|
:0044B5BC 53 push ebx -> I think the calculation is probably what follows.
:0044B5BD 55 push ebp
:0044B5BE 56 push esi
:0044B5BF 57 push edi
:0044B5C0 8B7C2414 mov edi, dword ptr [esp+14]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B5F0(U)
|
:0044B5C4 833D5C58460001 cmp dword ptr [0046585C], 00000001
:0044B5CB 7E0F jle 0044B5DC
:0044B5CD 0FB607 movzx eax, byte ptr [edi]

* Possible Reference to Dialog: PRINTWEEKSET, CONTROL_ID:0008, "h4?:"
|
:0044B5D0 6A08 push 00000008
:0044B5D2 50 push eax
:0044B5D3 E8130B0000 call 0044C0EB <=== a call here
:0044B5D8 59 pop ecx
:0044B5D9 59 pop ecx
:0044B5DA EB0F jmp 0044B5EB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B5CB(C)
|
:0044B5DC 0FB607 movzx eax, byte ptr [edi]

* Possible StringData Ref from Data Obj ->" ((((( "
->" H"
|
:0044B5DF 8B0D50564600 mov ecx, dword ptr [00465650]
:0044B5E5 8A0441 mov al, byte ptr [ecx+2*eax]
:0044B5E8 83E008 and eax, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B5DA(U)
|
:0044B5EB 85C0 test eax, eax
:0044B5ED 7403 je 0044B5F2
:0044B5EF 47 inc edi
:0044B5F0 EBD2 jmp 0044B5C4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B5ED(C)
|
:0044B5F2 0FB637 movzx esi, byte ptr [edi]
:0044B5F5 47 inc edi
:0044B5F6 83FE2D cmp esi, 0000002D
:0044B5F9 8BEE mov ebp, esi
:0044B5FB 7405 je 0044B602
:0044B5FD 83FE2B cmp esi, 0000002B
:0044B600 7504 jne 0044B606

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B5FB(C)
|
:0044B602 0FB637 movzx esi, byte ptr [edi]
:0044B605 47 inc edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B600(C)
|
:0044B606 33DB xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B637(U)
|
:0044B608 833D5C58460001 cmp dword ptr [0046585C], 00000001
:0044B60F 7E0C jle 0044B61D

* Possible Reference to Dialog: AUTOSET, CONTROL_ID:0004, ""
|
:0044B611 6A04 push 00000004
:0044B613 56 push esi
:0044B614 E8D20A0000 call 0044C0EB <=== the second call
:0044B619 59 pop ecx
:0044B61A 59 pop ecx
:0044B61B EB0B jmp 0044B628

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B60F(C)
|

* Possible StringData Ref from Data Obj ->" ((((( "
->" H"
|
:0044B61D A150564600 mov eax, dword ptr [00465650]
:0044B622 8A0470 mov al, byte ptr [eax+2*esi]
:0044B625 83E004 and eax, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B61B(U)
|
:0044B628 85C0 test eax, eax
:0044B62A 740D je 0044B639
:0044B62C 8D049B lea eax, dword ptr [ebx+4*ebx]
:0044B62F 8D5C46D0 lea ebx, dword ptr [esi+2*eax-30]
:0044B633 0FB637 movzx esi, byte ptr [edi]
:0044B636 47 inc edi
:0044B637 EBCF jmp 0044B608

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B62A(C)
|
:0044B639 83FD2D cmp ebp, 0000002D
:0044B63C 8BC3 mov eax, ebx
:0044B63E 7502 jne 0044B642
:0044B640 F7D8 neg eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044B63E(C)
|
:0044B642 5F pop edi
:0044B643 5E pop esi
:0044B644 5D pop ebp
:0044B645 5B pop ebx
:0044B646 C3 ret
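The routine at 0044B5BC above has the shape of a C runtime atoi() rather than a bespoke serial computation: the first loop tests bit 0x08 (whitespace) of the ctype table at 00465650 and skips such characters; one optional '+' or '-' is consumed; the second loop tests bit 0x04 (digit) and accumulates ebx = ebx*10 + (c - 0x30) via the two lea instructions; the result is negated if the first non-blank character was '-'. The cmp against [0046585C] only selects a multibyte-locale path (the call to 0044C0EB) for the same classification. The C reconstruction below is an added illustration, not code from the page or from the program; it assumes those ctype bit meanings and mirrors the loop with 32-bit wrapping arithmetic and no overflow check, exactly as the listing does, so the 12-digit fake code from step 3 simply wraps modulo 2^32 rather than being rejected.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reconstruction (added here, not code from the page) of the
 * routine at 0044B5BC. Register roles follow the listing: edi walks the
 * string, esi holds the current character, ebp the sign character, ebx the
 * accumulator. Overflow is unchecked, so arithmetic wraps modulo 2^32. */
int32_t parse_decimal(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;   /* edi */
    uint32_t acc = 0;                                     /* ebx */
    unsigned sign;                                        /* ebp */
    unsigned c;                                           /* esi */

    /* 0044B5C4..0044B5F0: skip characters carrying the whitespace class bit. */
    while (isspace(*p))
        p++;

    /* 0044B5F2..0044B605: take one character; if it is '-' or '+', remember it
     * and fetch the next character as the first candidate digit. */
    c = *p++;
    sign = c;
    if (c == '-' || c == '+')
        c = *p++;

    /* 0044B606..0044B637: lea eax,[ebx+4*ebx] ; lea ebx,[esi+2*eax-30]
     * is ebx = ebx*10 + (c - '0'), repeated while c carries the digit bit. */
    while (isdigit(c)) {
        acc = acc * 10u + (c - '0');
        c = *p++;
    }

    /* 0044B639..0044B640: neg eax when the sign character was '-'. */
    return (int32_t)(sign == '-' ? (0u - acc) : acc);
}

int main(void)
{
    /* Constructed sample inputs, including the fake code typed in step 3. */
    const char *samples[] = { "  -123abc", "+42", "787878787878", "xyz" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %ld\n", samples[i], (long)parse_decimal(samples[i]));
    return 0;
}
```

Recognising library routines like this one before tracing into them saves a lot of time at the debugger: the value later compared at 0043FDDC is just the integer the user typed, and the only secret in the scheme is the machine-derived number returned through SendMessage, which is why the author concentrates on the flag and the comparison rather than on this function.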

4. Patching this program (once the patch has succeeded, a flag is left behind on the system and the check is never run again) ------> perfect!

a. At the line 0043FDAF 85C0 test eax, eax, EAX must be forced to 0 so that the jump on the next line is not taken. I verified that the CALL at 0043FD96 can never make EAX 0, whatever the input. Change this line to XOR EAX, EAX (85C0 becomes 33C0).
b. At 0043FDDC 398794000000 cmp dword ptr [edi+00000094], eax <=== [edi+00000094] is the value produced by the call above, and eax is the transformed machine code; the two must be equal.
*************Original code***********************************************
:0043FDDC 398794000000 cmp dword ptr [edi+00000094], eax
:0043FDE2 7436 je 0043FE1A
:0043FDE4 8B97700B0000 mov edx, dword ptr [edi+00000B70]
:0043FDEA 6A00 push 00000000

*************Patched code*********************************************
:0043FDDC 898794000000 MOV DWORD PTR DS:[EDI+94],EAX
:0043FDE2 398794000000 CMP DWORD PTR DS:[EDI+94],EAX
:0043FDE8 7430 je 0043FE1A
:0043FDEA 6A00 PUSH 00000000


5. Of course, my preferred method is to make a memory patch with KEYMAKE 1.73, so the original file is not modified (but if the program is started without the patch loader, do not enter a license serial number again, or it falls back to the unregistered state).
6. The registration information is stored in the file DisFile.Dat.
---------------------------------------------------------------------------------------------
**************************学籍成绩系统 2.1 (Student Records & Grades System) ---- crack notes (same method as above)******************************
---------------------------------------------------------------------------------------------
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:00403BE1 FF15D8F24300 Call dword ptr [0043F2D8]
:00403BE7 A1909D4400 mov eax, dword ptr [00449D90]
:00403BEC 803800 cmp byte ptr [eax], 00
:00403BEF 747D je 00403C6E
:00403BF1 50 push eax
:00403BF2 E899250300 call 00436190
:00403BF7 8B0E mov ecx, dword ptr [esi]
:00403BF9 83C404 add esp, 00000004
:00403BFC 8B5104 mov edx, dword ptr [ecx+04]
:00403BFF 89843284000000 mov dword ptr [edx+esi+00000084], eax
:00403C06 A18C2B4400 mov eax, dword ptr [00442B8C]
:00403C0B 85C0 test eax, eax <=== change this to XOR EAX, EAX (33C0)
:00403C0D 754C jne 00403C5B
:00403C0F 8B06 mov eax, dword ptr [esi]

* Reference To: USER32.SendMessageA, Ord:0214h
|
:00403C11 8B1D20F24300 mov ebx, dword ptr [0043F220]
:00403C17 8BD0 mov edx, eax
:00403C19 6A00 push 00000000
:00403C1B 8B4804 mov ecx, dword ptr [eax+04]
:00403C1E 6831750000 push 00007531
:00403C23 8B4204 mov eax, dword ptr [edx+04]
:00403C26 6811010000 push 00000111
:00403C2B 8D3C31 lea edi, dword ptr [ecx+esi]
:00403C2E 8B0C30 mov ecx, dword ptr [eax+esi]
:00403C31 51 push ecx
:00403C32 FFD3 call ebx
************************Original code**********************
:00403C34 398784000000 cmp dword ptr [edi+00000084], eax
:00403C3A 7432 je 00403C6E
:00403C3C 8B17 mov edx, dword ptr [edi]
:00403C3E 6A00 push 00000000
:00403C40 6832750000 push 00007532
:00403C45 6811010000 push 00000111

***********************Patched code***********************
:00403C34 898784000000 MOV DWORD PTR DS:[EDI+84],EAX
:00403C3A 398784000000 CMP DWORD PTR DS:[EDI+84],EAX
:00403C40 742C je 00403C6E
:00403C42 90 NOP
:00403C43 90 NOP
:00403C44 90 NOP
:00403C45 6811010000 PUSH 111
********************************************************

:00403C4A 52 push edx
:00403C4B FFD3 call ebx
:00403C4D 8B0E mov ecx, dword ptr [esi]
:00403C4F 8B5104 mov edx, dword ptr [ecx+04]
:00403C52 39843284000000 cmp dword ptr [edx+esi+00000084], eax
:00403C59 7413 je 00403C6E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403C0D(C)
|
:00403C5B 6A30 push 00000030

* Possible StringData Ref from Data Obj ->"版权验证"
|
:00403C5D 68082C4400 push 00442C08

* Possible StringData Ref from Data Obj ->"您输入的版权认证号有误,您将不能输入学生名字。"
|
:00403C62 68D82B4400 push 00442BD8
:00403C67 55 push ebp

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00403C68 FF15C8F14300 Call dword ptr [0043F1C8]

1. The registration information is stored in the file Zmxj.dis.
