pcGhost(破解记录)
电脑幽灵pcGhost4.0破解实录
大小392k
http://www.sunhy.com/download/pcGhost.zip
pcGhost默认的热键为Alt+F12(1秒中连按两次),与traceboy类似
工具:Trw2000
注册码aaaa-bbbb形式,中间有个-,总长度大于12
前半部分相当于"用户名",后办部分相当于"注册码"
注册码填gdong-1234567 ctrl+n激活Trw2000
bpx hmemcpy
go
点确定,被拦
bc *
pmodule
停在 (1)处
0167:00430BEE E83168FDFF CALL `USER32!CallWindowProcA`
0167:00430BF3 89430C MOV ,EAX <====由此出来 (1)
0167:00430BF6 8B03 MOV EAX,
0167:00430BF8 83F80C CMP EAX,BYTE +0C
0167:00430BFB 751B JNZ 00430C18
0167:00430BFD 8B5308 MOV EDX,
0167:00430C00 52 PUSH EDX
0167:00430C01 8B4B04 MOV ECX,
0167:00430C04 8BD0 MOV EDX,EAX
0167:00430C06 8BC6 MOV EAX,ESI
0167:00430C08 E88FBEFFFF CALL 0042CA9C
0167:00430C0D EB09 JMP SHORT 00430C18
0167:00430C0F 8BD3 MOV EDX,EBX
0167:00430C11 8BC6 MOV EAX,ESI
0167:00430C13 E844D4FFFF CALL 0042E05C
0167:00430C18 5D POP EBP
0167:00430C19 5F POP EDI
0167:00430C1A 5E POP ESI
0167:00430C1B 5B POP EBX
0167:00430C1C C3 RET
按F10直到如下代码段
0167:00477033 8D45FC LEA EAX,
0167:00477036 50 PUSH EAX ****
0167:00477037 33C9 XOR ECX,ECX
0167:00477039 BAF8714700 MOV EDX,004771F8
0167:0047703E B810724700 MOV EAX,00477210
0167:00477043 E8F898FDFF CALL 00450940
0167:00477048 837DFC00 CMP DWORD ,BYTE +00
0167:0047704C 0F84D3000000 JZ NEAR 00477125
0167:00477052 8D85F8FEFFFF LEA EAX,
0167:00477058 8B55FC MOV EDX,
0167:0047705B B9FF000000 MOV ECX,FF
0167:00477060 E8B7CDF8FF CALL 00403E1C
0167:00477065 8D85F8FEFFFF LEA EAX, ***
0167:0047706B E814C3FFFF CALL 00473384 ***==>F8追入
0167:00477070 84C0 TEST AL,AL ***
0167:00477072 0F84AD000000 JZ NEAR 00477125 ***
0167:00477078 B201 MOV DL,01
追进来到下面
0167:00473384 55 PUSH EBP
0167:00473385 8BEC MOV EBP,ESP
0167:00473387 81C4ECFCFFFF ADD ESP,FFFFFCEC
0167:0047338D 53 PUSH EBX
0167:0047338E 56 PUSH ESI
0167:0047338F 57 PUSH EDI
0167:00473390 33D2 XOR EDX,EDX
0167:00473392 8995F0FCFFFF MOV ,EDX
0167:00473398 8995ECFCFFFF MOV ,EDX
0167:0047339E 8995F8FCFFFF MOV ,EDX
0167:004733A4 8995F4FCFFFF MOV ,EDX
0167:004733AA 8BF0 MOV ESI,EAX
0167:004733AC 8DBDFFFEFFFF LEA EDI,
0167:004733B2 33C9 XOR ECX,ECX
0167:004733B4 8A0E MOV CL,
0167:004733B6 41 INC ECX
0167:004733B7 F3A4 REP MOVSB
0167:004733B9 33C0 XOR EAX,EAX
0167:004733BB 55 PUSH EBP
0167:004733BC 68EC344700 PUSH DWORD 004734EC
0167:004733C1 64FF30 PUSH DWORD
0167:004733C4 648920 MOV ,ESP
0167:004733C7 C645FF00 MOV BYTE ,00
0167:004733CB 8D85F4FCFFFF LEA EAX,
0167:004733D1 8D95FFFEFFFF LEA EDX,
0167:004733D7 E8080AF9FF CALL 00403DE4
0167:004733DC 8B85F4FCFFFF MOV EAX,
0167:004733E2 8D95F8FCFFFF LEA EDX,
0167:004733E8 E8EF58F9FF CALL 00408CDC
0167:004733ED 8B95F8FCFFFF MOV EDX,
0167:004733F3 8D85FFFEFFFF LEA EAX,
0167:004733F9 B9FF000000 MOV ECX,FF
0167:004733FE E8190AF9FF CALL 00403E1C
0167:00473403 33DB XOR EBX,EBX
0167:00473405 C685FFFDFFFF00MOV BYTE ,00
0167:0047340C C685FFFCFFFF00MOV BYTE ,00
0167:00473413 8D95FFFEFFFF LEA EDX,
0167:00473419 B800354700 MOV EAX,00473500
0167:0047341E E8A1F5F8FF CALL 004029C4判断输入注册码是否aaaa-bbbb形式
0167:00473423 8BF0 MOV ESI,EAX
0167:00473425 85F6 TEST ESI,ESI
0167:00473427 0F8EA1000000 JNG NEAR 004734CE===> 天堂之门
0167:0047342D 8D85FFFDFFFF LEA EAX,
0167:00473433 50 PUSH EAX
0167:00473434 8BCE MOV ECX,ESI
0167:00473436 49 DEC ECX
0167:00473437 BA01000000 MOV EDX,01
0167:0047343C 8D85FFFEFFFF LEA EAX,
0167:00473442 E8E1F3F8FF CALL 00402828
0167:00473447 8D85FFFCFFFF LEA EAX,
0167:0047344D 50 PUSH EAX
0167:0047344E 33C9 XOR ECX,ECX
0167:00473450 8A8DFFFEFFFF MOV CL,
0167:00473456 2BCE SUB ECX,ESI
0167:00473458 8D5601 LEA EDX,
0167:0047345B 8D85FFFEFFFF LEA EAX,
0167:00473461 E8C2F3F8FF CALL 00402828
0167:00473466 33D2 XOR EDX,EDX
0167:00473468 8A95FFFDFFFF MOV DL,
0167:0047346E 85D2 TEST EDX,EDX
0167:00473470 7E16 JNG 00473488
0167:00473472 8D8500FEFFFF LEA EAX,
0167:00473478 33C9 XOR ECX,ECX
0167:0047347A 8A08 MOV CL,
0167:0047347C 03D9 ADD EBX,ECX
0167:0047347E 81C3A41D0F00 ADD EBX,000F1DA4
0167:00473484 40 INC EAX
0167:00473485 4A DEC EDX
0167:00473486 75F0 JNZ 00473478
0167:00473488 8D85F0FCFFFF LEA EAX,
0167:0047348E 8D95FFFCFFFF LEA EDX,
0167:00473494 E84B09F9FF CALL 00403DE4
0167:00473499 8B85F0FCFFFF MOV EAX,
0167:0047349F 50 PUSH EAX **
0167:004734A0 8D95ECFCFFFF LEA EDX,
0167:004734A6 8BC3 MOV EAX,EBX
0167:004734A8 E8AF59F9FF CALL 00408E5C
0167:004734AD 8B95ECFCFFFF MOV EDX,
0167:004734B3 58 POP EAX ★★
0167:004734B4 E8970AF9FF CALL 00403F50 判断bbbb与上面用aaaa算出的
注册码是否相等(eax装1234567,edx装真码)
0167:004734B9 0F94C0 SETZ AL
0167:004734BC 80BD00FFFFFF61CMP BYTE ,61
0167:004734C3 0F93C2 SETNC DL
0167:004734C6 22C2 AND AL,DL
0167:004734C8 7404 JZ 004734CE
0167:004734CA C645FF01 MOV BYTE ,01
0167:004734CE 33C0 XOR EAX,EAX
0167:004734D0 5A POP EDX
0167:004734D1 59 POP ECX
0167:004734D2 59 POP ECX
0167:004734D3 648910 MOV ,EDX
0167:004734D6 68F3344700 PUSH DWORD 004734F3
0167:004734DB 8D85ECFCFFFF LEA EAX,
0167:004734E1 BA04000000 MOV EDX,04
0167:004734E6 E8F906F9FF CALL 00403BE4
0167:004734EB C3 RET
★★处 d edx
edx=4953667
总结:我的注册码为 gdong-4953667
详细可参考看雪论坛精华2相关文章
作者:风飘雪
主页 http://duba.126.com
e-mailgd1@yeah.net
页:
[1]