=写得不好
初学者看
看吧API32spy是
个非常有用
破解工具!它可以用来侦测系统
了那些
帮助我们决定下什么断点
下载:http://madmat.hypermart.net/apis3225.exe
http://apis32.virtualave.net/soft/apis3225.exe
http://skyscraper.fortunecity.com/emacs/859/soft/apis3225.exe
首先
用Fileinfor2.45(FI.exe)检查到APISpy2.5(Apis32.EXE)是用Petite1.2加密使用Procdump1.62脱壳它
壳吧不是吧?ERROR!
操作?运行Blast Wave 2000 v0.2(Blast Wave 2000 是
个windows 下脱壳辅助工具它能轻易
找到任何加密壳入口点.包括ASProtect以及幻影加密壳.)按Trace键
运行Apis32.EXE. 得到Entry po
: 00406360用w32dasm打开Apis32.EXE
反编译后, 按Find Text键,打入Entry po地址:00406360找到:004????? E989CDFEFF JMP 00406360
哈
写下E989CDFEFF吧不如再
次使用Procdump来脱壳它壳吧?就写个新Script来脱壳Petite1.2壳打开Procdump
Script.ini[INDEX]
.
.
.
P1B=VGCrypt 0.75
P1C=Aspack108.4
P1D=Aspack2000
P1E=Petite1.2 =这里加入新脱壳名称
; script by GustawKit
.
.
. 加入新脱壳资料[Petite1.2] =新脱壳名称
L1=LOOK E9,89,CD,FE,FF =先前写下E989CDFEFF
L2=BP =如果发现断点
L3=STEP =就进行步步解析操作解压以后保存文件
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000 运行Procdump1.62选择Unpack=
选择 Petite1.2=选择Apis32.EXE等待Apis32.EXE
信息窗口弹出再按Procdump1.62OK键开始脱壳成功了然后
用w32dasm打开Apis32.EXE
反编译后, 按String Data References 键找那个弹出窗口
信息“This copy of APIS32 is UN R E G I S T E R E D”* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EA5(C)
|
* Possible StringData Ref from Data Obj ->"This copy of APIS32 is U "
->"N R E G I S T E R E D" "
|
:00402EA9 BF10A24000 mov edi, 0040A210
:00402EAE BA20BD4000 mov edx, 0040BD20
:00402EB3 83C9FF or ecx, FFFFFFFF
:00402EB6 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402491(U)
|
:00402494 0AC0 or al, al =修改这儿or al,01(修改0AC0=>0c01)
:00402496 7402 je 0040249A =如果al=0,就跳(跳就玩完了)
:00402498 EB09 jmp 004024A3 果然弹出窗口不见了下
步修改注册找那个弹出窗口信息"The registration information you.... "* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004018B9(U)
|
:004018BC 0AC0 or al, al =修改这儿or al,01(修改0AC0=>0c01)
:004018BE 7402 je 004018C2 =如果al=0,就跳(跳就玩完了)
:004018C0 EB2C jmp 004018EE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004018BE(C)
|
* Possible StringData Ref from Data Obj ->"The registration information you "
->"provided is incorrect. Please ver
y "
->"that you entered your name and "
->"code properly, and try again. If "
->"you encounter dficulties, please "
->"send mail to [email protected] or "
->"visit our web site http://madmat.hypermart.net"
|
:004018C2 BFFCA04000 mov edi, 0040A0FC
:004018C7 BA80C74000 mov edx, 0040C780
:004018CC 83C9FF or ecx, FFFFFFFF
:004018CF 33C0 xor eax, eax
:004018D1 F2 repnz
:004018D2 AE scasb 如何啦?这个
作者老是使用这个指令去判断是否注册啊or al, al
je 004018C2
=如果al=0就跳(跳就玩完了)算了
把所有 or al, al更换成or al,01吧使用Hex workshop
Replace代替功能把所有0AC0换成0c01 (大约十个左右)OK
破解API Spy for Windows 95/98/NT/2000 成功
最新评论