破解Demo

需要破解的程序界面如下:

需要破解的程序的主要代码如下:

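// Handler for the OK button: reads the ID and password edit boxes, derives the
// expected password from the ID, and shows a message box with the verdict.
//
// Security note: this is a deliberately weak demo check. The expected password
// is computed on the client from the ID by a fixed per-character rule, and the
// whole decision rests on the result of a single lstrcmp() call. Anyone who can
// read or modify the binary can therefore recover or bypass it, so production
// software must not rely on a check of this shape on its own.
void CEasyCrackMeDlg::OnBnClickedButtonOk()
{
    TCHAR szID[MAXBYTE] = {0};
    TCHAR szPassword[MAXBYTE] = {0};
    TCHAR szTempPassword[MAXBYTE] = {0};

    // The buffer size passed here includes the terminator, so each string
    // holds at most MAXBYTE - 1 characters.
    GetDlgItemText(IDC_EDIT_ID, szID, MAXBYTE);
    GetDlgItemText(IDC_EDIT_PASSWORD, szPassword, MAXBYTE);

    // Measure the ID once instead of on every loop iteration.
    const int nIDLen = lstrlen(szID);

    // An ID shorter than 7 characters (which covers the empty ID) or an empty
    // password is rejected silently, without any message box.
    if (nIDLen < 7 || lstrlen(szPassword) == 0)
    {
        return;
    }

    // 'Z', 'z' and '9' are copied unchanged; every other character is
    // advanced by one.
    for (int i = 0; i < nIDLen; i++)
    {
        const TCHAR ch = szID[i];
        const bool bKeep = (ch == _T('Z') || ch == _T('z') || ch == _T('9'));
        szTempPassword[i] = bKeep ? ch : static_cast<TCHAR>(ch + 1);
    }
    // szTempPassword was zero-filled and nIDLen < MAXBYTE, so it is still
    // terminated after the loop.

    if (lstrcmp(szTempPassword, szPassword) == 0)
    {
        AfxMessageBox(_T("密码正确"));
    }
    else
    {
        AfxMessageBox(_T("密码错误"));
    }
}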
47 
// Handler for the Cancel button: simply forwards to OnCancel().
void CEasyCrackMeDlg::OnBnClickedButtonCancel()
{
    OnCancel();
}

需要破解的程序的下载地址:
http://pan.baidu.com/s/1jG2ZV06

 

一、文件补丁

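用OD(OllyDbg)打开上面的程序,下断点:bp lstrcmpW。运行到断点处后返回到程序自身的代码,可以看到紧跟在比较之后的条件跳转JNZ(操作码为75h),把它改为JZ(操作码为74h)即可。修改后判断条件被取反:错误的密码会提示“密码正确”,而真正正确的密码反而会提示“密码错误”。调试器中显示的地址是内存中的虚拟地址(VA),需要先换算成文件偏移(FileOffset),再把文件中该位置的75h改为74h。注意:这个偏移只对当前这一份编译结果有效,下面代码中按_DEBUG区分的两个偏移值应当分别对应目标程序的Debug版和Release版。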

文件补丁的具体代码如下:

 1 #include <Windows.h>
 2 #include <iostream>
 3 
 4 using namespace std;
 5 
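// Demo file patcher for the sample program shown earlier on this page.
//
// Usage: pass the path of the target executable as the only argument.
// The tool checks that the byte at a fixed file offset is 0x75 (JNZ), rewrites
// it to 0x74 (JZ) in place, and then starts the modified program.
//
// Caveats:
//  - The offsets below are valid only for the exact build they were taken
//    from; the byte check is the only thing that keeps the tool from
//    corrupting an unrelated file.
//  - The file is modified in place and no backup is made.
//  - From a defender's point of view, an in-place edit changes the file's hash
//    and invalidates any code signature, so file-integrity monitoring or
//    signature verification will notice the result.
//
// Returns 0 when the byte was rewritten, -1 on any failure before that.
int main(int argc, char **argv)
{
    DWORD dwFileOffset = 0;

#ifdef _DEBUG
    dwFileOffset = 0x00001FED;
#else
    dwFileOffset = 0x00000828;
#endif

    // Named opcodes instead of TEXT('\x75') character literals: the value
    // being compared is a raw byte, not a character.
    const BYTE kOpJnz = 0x75;
    const BYTE kOpJz = 0x74;

    BYTE bCode = 0;
    DWORD dwIoBytes = 0;
    DWORD dwErr = 0;

    if (argc != 2)
    {
        std::cout << "Please input two argument!" << std::endl;
        return -1;
    }

    // argv is a narrow string, so the ANSI entry point is called explicitly;
    // the generic CreateFile macro does not accept char* in a UNICODE build.
    HANDLE hFile = CreateFileA(argv[1], GENERIC_WRITE | GENERIC_READ, FILE_SHARE_WRITE | FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (INVALID_HANDLE_VALUE == hFile)
    {
        dwErr = GetLastError();
        std::cout << __LINE__ << " : CreateFile error ( " << dwErr << " )" << std::endl;
        return -1;
    }

    if (INVALID_SET_FILE_POINTER == SetFilePointer(hFile, dwFileOffset, NULL, FILE_BEGIN))
    {
        dwErr = GetLastError();
        std::cout << __LINE__ << " : SetFilePointer error ( " << dwErr << " )" << std::endl;
        CloseHandle(hFile);  // the original leaked the handle on this path
        return -1;
    }

    if (0 == ReadFile(hFile, &bCode, sizeof(BYTE), &dwIoBytes, NULL))
    {
        dwErr = GetLastError();
        std::cout << __LINE__ << " : ReadFile error ( " << dwErr << " )" << std::endl;
        CloseHandle(hFile);  // the original leaked the handle on this path
        return -1;
    }

    // ReadFile succeeds with zero bytes at end of file, i.e. when the file is
    // shorter than the expected offset.
    if (dwIoBytes != sizeof(BYTE))
    {
        std::cout << __LINE__ << " : file is shorter than the expected offset" << std::endl;
        CloseHandle(hFile);
        return -1;
    }

    // Refuse to touch the file unless the byte is the expected JNZ opcode.
    if (bCode != kOpJnz)
    {
        // Print the byte as a number; streaming a BYTE prints a raw character.
        std::cout << "Unexpected byte 0x" << std::hex << static_cast<unsigned int>(bCode)
                  << std::dec << " at the patch offset" << std::endl;
        CloseHandle(hFile);
        return -1;
    }

    // Seek back: the one-byte read moved the file pointer past the opcode.
    bCode = kOpJz;
    if (INVALID_SET_FILE_POINTER == SetFilePointer(hFile, dwFileOffset, NULL, FILE_BEGIN))
    {
        dwErr = GetLastError();
        std::cout << __LINE__ << " : SetFilePointer error ( " << dwErr << " )" << std::endl;
        CloseHandle(hFile);
        return -1;
    }

    if (0 == WriteFile(hFile, &bCode, sizeof(BYTE), &dwIoBytes, NULL) || dwIoBytes != sizeof(BYTE))
    {
        dwErr = GetLastError();
        std::cout << __LINE__ << " : WriteFile error ( " << dwErr << " )" << std::endl;
        CloseHandle(hFile);
        return -1;
    }

    std::cout << "Write JZ is Successfully !" << std::endl;

    CloseHandle(hFile);

    // Start the modified program. WinExec() treats its argument as a command
    // line, so a path containing spaces can be split and a different
    // executable started; passing the path as the application name avoids
    // that ambiguity.
    STARTUPINFOA si = {0};
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOW;

    PROCESS_INFORMATION pi = {0};

    if (CreateProcessA(argv[1], NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    else
    {
        // The byte is already written at this point, so the launch failure is
        // reported but the exit code stays 0, as in the original.
        dwErr = GetLastError();
        std::cout << __LINE__ << " : CreateProcess Error ( " << dwErr << " )" << std::endl;
    }

    return 0;
}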

这里把上面需要破解的程序拖到文件补丁上打开(也就是把目标程序的路径作为唯一的命令行参数传给补丁程序)即可破解。补丁会直接改写原文件,不会自动备份,操作前请先保留一份副本。

 

二、内存补丁

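具体方法同上面的文件补丁,只是不需要做VA到FileOffset的转换:补丁程序以挂起方式创建目标进程,直接修改该进程内存中的那一个字节,然后再恢复运行,磁盘上的文件不会被改动。需要注意的是,代码中写死的VA只有在目标程序加载到相同基址时才成立;加载基址不同时,该地址上读到的就不是75h,程序会直接退出。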

具体代码如下:

 1 #include <Windows.h>
 2 #include <iostream>
 3 
 4 using namespace std;
 5 
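// Demo memory patcher for the sample program shown earlier on this page.
//
// Usage: pass the path of the target executable as the only argument.
// The tool creates the target suspended, checks that the byte at a fixed
// virtual address is 0x75 (JNZ), rewrites it to 0x74 (JZ) in the new process's
// memory, and then lets the process run. The file on disk is not modified.
//
// Caveats:
//  - The addresses below are absolute and valid only for the exact build they
//    were taken from, loaded at the same image base. If the image loads
//    elsewhere, the byte check fails and the tool gives up.
//  - From a defender's point of view, the on-disk hash and signature stay
//    intact here, so file-integrity checks alone do not reveal the change;
//    what is observable is one process writing into the memory of another
//    that it has just created suspended.
//
// Returns 0 when the byte was rewritten and the process resumed, -1 otherwise.
int main(int argc, char **argv)
{
    DWORD dwVAddress = 0;
#ifdef _DEBUG
    dwVAddress = 0x01262BED;
#else
    dwVAddress = 0x01011428;
#endif

    // Named opcodes instead of TEXT('\x75') character literals: the value
    // being compared is a raw byte, not a character.
    const BYTE kOpJnz = 0x75;
    const BYTE kOpJz = 0x74;

    BYTE bCode = 0;
    SIZE_T nXfer = 0;  // the API takes SIZE_T*, which is not DWORD* on 64-bit
    DWORD dwErr = 0;

    if (argc != 2)
    {
        std::cout << "Please input two argument!" << std::endl;
        return -1;
    }

    // argv is a narrow string, so the ANSI structures and entry point are used
    // explicitly; the generic macros do not accept char* in a UNICODE build.
    STARTUPINFOA si = {0};
    si.cb = sizeof(si);
    si.wShowWindow = SW_SHOW;
    si.dwFlags = STARTF_USESHOWWINDOW;

    PROCESS_INFORMATION pi = {0};

    BOOL bRet = CreateProcessA(argv[1], NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
    if (FALSE == bRet)
    {
        dwErr = GetLastError();
        std::cout << __LINE__ << " : CreateProcess Error ( " << dwErr << " )" << std::endl;
        return -1;
    }

    LPVOID pTarget = reinterpret_cast<LPVOID>(static_cast<ULONG_PTR>(dwVAddress));
    int nResult = -1;

    if (!ReadProcessMemory(pi.hProcess, pTarget, &bCode, sizeof(BYTE), &nXfer) || nXfer != sizeof(BYTE))
    {
        // The original ignored this result and then compared a zero byte.
        dwErr = GetLastError();
        std::cout << __LINE__ << " : ReadProcessMemory Error ( " << dwErr << " )" << std::endl;
    }
    else if (bCode != kOpJnz)
    {
        // Print the byte as a number; streaming a BYTE prints a raw character.
        std::cout << "Unexpected byte 0x" << std::hex << static_cast<unsigned int>(bCode)
                  << std::dec << " at the patch address" << std::endl;
    }
    else
    {
        bCode = kOpJz;
        if (!WriteProcessMemory(pi.hProcess, pTarget, &bCode, sizeof(BYTE), &nXfer) || nXfer != sizeof(BYTE))
        {
            // The original reported success even when this call failed.
            dwErr = GetLastError();
            std::cout << __LINE__ << " : WriteProcessMemory Error ( " << dwErr << " )" << std::endl;
        }
        else if (static_cast<DWORD>(-1) == ResumeThread(pi.hThread))
        {
            dwErr = GetLastError();
            std::cout << __LINE__ << " : ResumeThread Error ( " << dwErr << " )" << std::endl;
        }
        else
        {
            nResult = 0;
            std::cout << "Write JZ is Successfully !" << std::endl;
        }
    }

    if (nResult != 0)
    {
        // The child was created suspended; without this it would stay behind
        // as an orphaned suspended process after the handles are closed.
        TerminateProcess(pi.hProcess, 1);
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    return nResult;
}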

 

posted @ 2014-02-11 12:16  七月流光