lesson504.htm

A gift for all friends interested in cracking. I hope you like it.
          <br>
          0167:004014F3  7E41          JLE      00401536<br>
          0167:004014F5  8D86E0000000  LEA      EAX,[ESI+000000E0]<br>
          0167:004014FB  8BCF          MOV      ECX,EDI<br>
          0167:004014FD  50            PUSH     EAX<br>
          0167:004014FE  E841030000    CALL     00401844<br>
          0167:00401503  8DBEE4000000  LEA      EDI,[ESI+000000E4]<br>
          0167:00401509  8BCD          MOV      ECX,EBP<br>
          0167:0040150B  57            PUSH     EDI<br>
          0167:0040150C  E833030000    CALL     00401844<br>
          0167:00401511  8B07          MOV      EAX,[EDI]            // the value at [EDI] is loaded into EAX as an address; D EAX now shows the entered serial<br>
          0167:00401513  803836        CMP      BYTE PTR [EAX],36    // key<br>
          0167:00401516  751E          JNZ      00401536             // jump to the error message<br>
          0167:00401518  80780132      CMP      BYTE PTR [EAX+01],32 // key<br>
          0167:0040151C  7518          JNZ      00401536<br>
          0167:0040151E  80780238      CMP      BYTE PTR [EAX+02],38 // key<br>
          0167:00401522  7512          JNZ      00401536<br>
          0167:00401524  80780337      CMP      BYTE PTR [EAX+03],37 // key<br>
          0167:00401528  750C          JNZ      00401536<br>
          0167:0040152A  8078042D      CMP      BYTE PTR [EAX+04],2D // key<br>
          0167:0040152E  7506          JNZ      00401536<br>
          0167:00401530  80780541      CMP      BYTE PTR [EAX+05],41 // key<br>
          0167:00401534  7417          JZ       0040154D<br>
          0167:00401536  6A00          PUSH     00<br>
          0167:00401538  6864304000    PUSH     00403064<br>
          0167:0040153D  6838304000    PUSH     00403038<br>
          0167:00401542  8BCE          MOV      ECX,ESI<br>
          0167:00401544  E8F5020000    CALL     0040183E             // the error dialog<br>
          0167:00401549  6A00          PUSH     00<br>
          0167:0040154B  FFD3          CALL     EBX<br>
          0167:0040154D  8D8EE0000000  LEA      ECX,[ESI+000000E0]<br>
          0167:00401553  8D542414      LEA      EDX,[ESP+14]<br>
          <br>
          Did you follow the above?<br>
          36(hex) = 6<br>
          32(hex) = 2<br>
          38(hex) = 8<br>
          37(hex) = 7<br>
          2D(hex) = -<br>
          41(hex) = A<br>
          So the serial is 6287-A. Note that the name must be at least 6 characters long and has nothing to do with the serial.</p>
      </td>
    </tr>
  </table>
  <span class="p9"> </span></div>
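The check that the Exercise 1 listing implements, written out as an added example (this is not code from the lesson): the weak form mirrors the six CMP BYTE PTR instructions and the name-length rule the author states, and a hardened form beside it stores only a digest, so the expected value can no longer be read straight out of the immediates. The sample listing is copied from the page; the function names and the SHA-256 choice are assumptions.

```python
import hashlib
import hmac
import re

# Sample input: the CMP lines from the lesson's listing, copied here verbatim.
LISTING = """
0167:00401513  803836        CMP      BYTE PTR [EAX],36
0167:00401518  80780132      CMP      BYTE PTR [EAX+01],32
0167:0040151E  80780238      CMP      BYTE PTR [EAX+02],38
0167:00401524  80780337      CMP      BYTE PTR [EAX+03],37
0167:0040152A  8078042D      CMP      BYTE PTR [EAX+04],2D
0167:00401530  80780541      CMP      BYTE PTR [EAX+05],41
"""
CMP_RE = re.compile(r"CMP\s+BYTE PTR \[EAX(?:\+([0-9A-F]{2}))?\],([0-9A-F]{2})")
MIN_NAME_LEN = 6  # the lesson's rule: the name must be at least 6 characters


def expected_from_listing(listing: str) -> bytes:
    """Why the check is weak: the expected string is just the imm8 operands, in offset order."""
    found = {}
    for m in CMP_RE.finditer(listing):
        offset = int(m.group(1) or "00", 16)
        found[offset] = int(m.group(2), 16)
    return bytes(found[i] for i in sorted(found))


EXPECTED = expected_from_listing(LISTING)  # b"6287-A"


def check_weak(name: str, serial: str) -> bool:
    """Mirror of the listing: length test on the name, then one
    CMP BYTE PTR [EAX+i],imm8 per position, each JNZ going to the error dialog.
    Only six bytes are compared; nothing checks for a terminator after them."""
    if len(name) < MIN_NAME_LEN:
        return False
    buf = serial.encode("latin-1", "replace")
    return len(buf) >= len(EXPECTED) and all(buf[i] == EXPECTED[i] for i in range(len(EXPECTED)))


# Hardened form: the program stores only a digest of the expected value, so a
# static read of the immediates no longer yields it. The digest is computed here
# for the demonstration; a shipped build would embed only the hex string.
STORED_DIGEST = hashlib.sha256(EXPECTED).hexdigest()


def check_hashed(name: str, serial: str, stored_digest: str = STORED_DIGEST) -> bool:
    if len(name) < MIN_NAME_LEN:
        return False
    digest = hashlib.sha256(serial.encode("latin-1", "replace")).hexdigest()
    # compare_digest has no per-byte early exit, unlike the JNZ chain above
    return hmac.compare_digest(digest, stored_digest)
```

Hashing only hides the expected value; the accept/reject decision is still a single local branch, which is exactly what Exercises 2 and 3 go after, so an offline check alone cannot be made robust.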
<div id="KB2Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB2'); return false"> 
  2. Answer to Exercise 2</a> </span></div>
<div id="KB2Child" class="child"> <span class="p9">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>
  <table width="100%" cellspacing="0" align="center">
    <tr bgcolor="#EFEFEF"> 
      <td> 
        <p class="p9">1. In Name: enter toye<br>
            Serial: 87654321 (any value for now)</p>
        <p class="p9">2. Press CTRL+D to switch into the SoftICE environment;</p>
        <p class="p9">3. Enter the command: <span class="p9">BPX HMEMCPY </span></p>
        <p class="p9"><span class="p9">Under Windows NT, bpx memcpy does not break; try setting breakpoints on MessageBox(A) or DialogBox(A) to intercept the dialog instead, which usually works.<br>
          Note: under Windows NT the equivalent command is bpx memcpy, but it seems of little practical use and catches nothing.</span></p>
        <p class="p9">4. Press F5 (or CTRL+D) to return to Windows and click the OK button;</p>
        <p class="p9">5. After SoftICE breaks, enter BD * (temporarily disables the breakpoints; BE * re-enables them) (note: BC * clears the breakpoints);</p>
        <p class="p9">6. Press F12 13 times and the error dialog pops up, so start over: be * (re-enable the hmemcpy breakpoint);</p>
        <p class="p9">7. Clicking the OK button breaks again; this time be sure to disable the breakpoint: bc * </p>
        <p class="p9">8. This time press F12 12 times to arrive at: (now press F10 to execute the instructions one line at a time)</p>
        <p class="p9"><span class="p9"><font color="#000000">0167:004417E7  8B83C4020000  MOV      EAX,[EBX+000002C4]<br>
          0137:004417ED  CALL     004231A4<br>
          0137:004417F2  MOV      EAX,[EBP-0C]   ←after this line, the command D EAX shows your name.<br>
          0137:004417F5  LEA      EDX,[EBP-08]   // in other words, issue D EAX on this line<br>
          0137:004417F8  CALL     004416F8       ←this CALL computes the serial from the name<br>
          0137:004417FD  MOV      EDX,[EBP-08]   ←puts the address of the computed result into EDX<br>
          0137:00441800  POP      EAX            // in other words, issue D EAX on this line to see the correct serial<br>
          0137:00441801  CALL     00403B44<br>
          0137:00441806  JNZ      00441822       ←if this does not jump, the program skips the CALL at 0441835, so analyze upwards from here<br>
          0137:00441808  PUSH     00000040<br>
          0137:0044180A  MOV      ECX,0044186C<br>
          0137:0044180F  MOV      EDX,00441878<br>
          0137:00441814  MOV      EAX,[00442C30]<br>
          0137:00441819  MOV      EAX,[EAX]<br>
          0137:0044181B  CALL     0043EEF4<br>
          0137:00441820  JMP      0044183A       ←this skips the CALL at 0137:00441835 below; look further up<br>
          0137:00441822  PUSH     00000010<br>
          0137:00441824  MOV      ECX,00441884<br>
          0137:00441829  MOV      EDX,0044188C<br>
          0137:0044182E  MOV      EAX,[00442C30]<br>
          0137:00441833  MOV      EAX,[EAX]<br>
          0137:00441835  CALL     0043EEF4       ←after this line the "Wrong Code" error box appears, so look upward<br>
                               for where this CALL can be skipped </font><br>
          </span></p>
        <p class="p9">10. Name: toye<br>
            Serial: 9074-04B7-F265-3F57</p>
</td>
    </tr>
  </table>
</div>
<div id="KB3Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB3'); return false"> 
  3. Answer to Exercise 3</a> </span></div>
<div id="KB3Child" class="child"> <span class="p9">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span>
  <table width="100%" cellspacing="0" align="center">
    <tr bgcolor="#EFEFEF"> 
      <td> 
        <p><span class="p9">The previous exercises were explained in detail; for the following ones only the key points are picked out.</span></p>
        <p><span class="p9"><span class="p9">You can set a breakpoint with bpx hmemcpy; it breaks when you press OK. If it does not break, add or remove one character in the name and it will. Press F10 and F12 to arrive at: (before pressing F12, remember to clear the breakpoint you just set: BC 
          * )</span></span><span class="p9"><br>
          :00401132 E841020000     CALL USER32!SendDlgItemMessageA   note: you can also set a breakpoint on the function SendDlgItemMessageA<br>
          :00401132 E841020000     Call 00401378<br>
          :00401137 A3AF214000     mov dword ptr [004021AF], eax   (name length)<br>
          :0040113C 83F800         cmp eax, 00000000               (nothing entered?)<br>
          :0040113F 0F84D5000000   je 0040121A                     -&gt; error if nothing was entered<br>
          :00401145 83F808         cmp eax, 00000008               (name&lt;=8?)<br>
          :00401148 0F8FCC000000   jg 0040121A                     -&gt; otherwise error<br>
          :0040114E 8BF0           mov esi, eax                    (put the name length into esi)<br>
          :00401150 6A00           push 00000000<br>
          :00401152 6A00           push 00000000<br>
          :00401154 6A0E           push 0000000E<br>
          :00401156 6A04           push 00000004<br>
          :00401158 FF7508         push [ebp+08]<br>
          :0040115B E818020000     Call 00401378                   (fetch the serial you entered)<br>
          :00401160 83F800         cmp eax, 00000000               (nothing entered?)<br>
          :00401163 0F84B1000000   je 0040121A                     -&gt; error if nothing was entered<br>
          :00401169 3BF0           cmp esi, eax                    -&gt; (name length == serial length?)<br>
