迅雷VIP用户的破解方法
————————————————————————————————————
先用OD载入这个文件,查找字符串“isvip”找到后,在它上面的“register.ini”语句上面的call语句下断点
21987044 .E8 C882FFFF CALL XLUser.2197F311 ;在此处下断点 ,F7跟入
21987049 .68 B43D9921 PUSH XLUser.21993DB4 ;register.ini
2198704E .8D86 14050000 LEA EAX,DWORD PTR DS:
21987054 .50 PUSH EAX
21987055 .8D45 9C LEA EAX,DWORD PTR SS:
21987058 .50 PUSH EAX
21987059 .E8 CE4EFFFF CALL XLUser.2197BF2C
2198705E .83C4 0C ADD ESP,0C
21987061 .80BE FC050000>CMP BYTE PTR DS:,0
21987068 .C645 FC 12 MOV BYTE PTR SS:,12
2198706C .8D4D 9C LEA ECX,DWORD PTR SS:
2198706F .74 0E JE SHORT XLUser.2198707F
21987071 .FF15 DC209921 CALL DWORD PTR DS:[<&MSVCP71.std::basic_string<cha>;
msvcp71.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
21987077 .50 PUSH EAX
21987078 .68 C8259921 PUSH XLUser.219925C8 ;1
2198707D .EB 0C JMP SHORT XLUser.2198708B
2198707F >FF15 DC209921 CALL DWORD PTR DS:[<&MSVCP71.std::basic_string<cha>;
msvcp71.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
21987085 .50 PUSH EAX
21987086 .68 C4259921 PUSH XLUser.219925C4 ;0
2198708B >68 003A9921 PUSH XLUser.21993A00 ; |isvip
21987090 .68 F8399921 PUSH XLUser.219939F8 ; |login
21987095 .FF15 34209921 CALL DWORD PTR DS:[<&KERNEL32.WritePrivateProfileS>; \WritePrivateProfileStringA
————————————————————————————————————
此时就用OD载入“Thunder.exe”,F9运行迅雷。在这里中断后,F7跟入。
21987044 .E8 C882FFFF CALL XLUser.2197F311 ;在此处下断点 ,F7跟入
进入call子程序后,我们找子程序的末尾处,找到后,找最后一个跳转语句,在找跳转语句上面的call语句,在call语句上面下断点,然后F9,待到程序中断后,F7跟进去。
————————————————————————————————————
2197F311/$55 PUSH EBP ;子程序开始处
2197F312|.8BEC MOV EBP,ESP
2197F314|.51 PUSH ECX
2197F315|.53 PUSH EBX
2197F316|.56 PUSH ESI
2197F317|.8BF1 MOV ESI,ECX
2197F319|.57 PUSH EDI
2197F31A|.8D9E 4C100000 LEA EBX,DWORD PTR DS:
2197F320|.53 PUSH EBX ; /pCriticalSection
2197F321|.895D FC MOV DWORD PTR SS:,EBX ; |
2197F324|.FF15 24209921 CALL DWORD PTR DS:[<&KERNEL32.EnterCriticalSection>] ; \EnterCriticalSection
2197F32A|.8B7D 08 MOV EDI,DWORD PTR SS:
2197F32D|.39BE 24100000 CMP DWORD PTR DS:,EDI
2197F333|.75 06 JNZ SHORT XLUser.2197F33B
2197F335|.53 PUSH EBX
2197F336|.E9 ED000000 JMP XLUser.2197F428
2197F33B|>33DB XOR EBX,EBX
2197F33D|.399E 64100000 CMP DWORD PTR DS:,EBX
2197F343|.74 2F JE SHORT XLUser.2197F374
2197F345|.83FF 02 CMP EDI,2
2197F348|.75 0F JNZ SHORT XLUser.2197F359
2197F34A|.399E A4000000 CMP DWORD PTR DS:,EBX
2197F350|.75 07 JNZ SHORT XLUser.2197F359
2197F352|.8BCE MOV ECX,ESI
2197F354|.E8 AED9FFFF CALL XLUser.2197CD07
2197F359|>399E 64100000 CMP DWORD PTR DS:,EBX
2197F35F|.74 13 JE SHORT XLUser.2197F374
2197F361|.3BFB CMP EDI,EBX
2197F363|.75 0F JNZ SHORT XLUser.2197F374
2197F365|.399E A4000000 CMP DWORD PTR DS:,EBX
2197F36B|.75 07 JNZ SHORT XLUser.2197F374
2197F36D|.8BCE MOV ECX,ESI
2197F36F|.E8 C8D9FFFF CALL XLUser.2197CD3C
2197F374|>3BFB CMP EDI,EBX
2197F376|.8B86 24100000 MOV EAX,DWORD PTR DS:
2197F37C|.8986 28100000 MOV DWORD PTR DS:,EAX
2197F382|.8B45 0C MOV EAX,DWORD PTR SS:
2197F385|.89BE 24100000 MOV DWORD PTR DS:,EDI
2197F38B|.8986 2C100000 MOV DWORD PTR DS:,EAX
2197F391|.75 69 JNZ SHORT XLUser.2197F3FC
2197F393|.68 F0229921 PUSH XLUser.219922F0
2197F398|.8D8E F0060000 LEA ECX,DWORD PTR DS:
2197F39E|.889E FC050000 MOV BYTE PTR DS:,BL
2197F3A4|.FF15 E8209921 CALL DWORD PTR DS:[<&MSVCP71.std::basic_string<char,std>;
msvcp71.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator=
2197F3AA|.68 484C9921 PUSH XLUser.21994C48 ;19000000
2197F3AF|.8D8E 3C060000 LEA ECX,DWORD PTR DS:
2197F3B5|.899E 34060000 MOV DWORD PTR DS:,EBX
2197F3BB|.899E 38060000 MOV DWORD PTR DS:,EBX
2197F3C1|.FF15 E8209921 CALL DWORD PTR DS:[<&MSVCP71.std::basic_string<char,std>;
msvcp71.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator=
2197F3C7|.8D8E D4060000 LEA ECX,DWORD PTR DS:
2197F3CD|.899E 10060000 MOV DWORD PTR DS:,EBX
2197F3D3|.899E 14060000 MOV DWORD PTR DS:,EBX
2197F3D9|.899E 60060000 MOV DWORD PTR DS:,EBX
2197F3DF|.899E 1C060000 MOV DWORD PTR DS:,EBX
2197F3E5|.899E 18060000 MOV DWORD PTR DS:,EBX
2197F3EB|.899E 20060000 MOV DWORD PTR DS:,EBX
2197F3F1|.899E D0060000 MOV DWORD PTR DS:,EBX
2197F3F7|.E8 08F2FFFF CALL XLUser.2197E604
2197F3FC|>83BE 64100000>CMP DWORD PTR DS:,2
2197F403|.75 07 JNZ SHORT XLUser.2197F40C
2197F405|.8BCE MOV ECX,ESI
2197F407|.E8 41EDFFFF CALL XLUser.2197E14D ;这里是跳转语句上面的第一个call,我们F7
跟进去。
2197F40C|>83FF 02 CMP EDI,2
2197F40F|.75 14 JNZ SHORT XLUser.2197F425 ;子程序的最后一个跳转语句
2197F411|.53 PUSH EBX
2197F412|.53 PUSH EBX
2197F413|.8D46 10 LEA EAX,DWORD PTR DS:
2197F416|.8B08 MOV ECX,DWORD PTR DS:
2197F418|.6A 0F PUSH 0F
2197F41A|.50 PUSH EAX
2197F41B|.FF51 2C CALL DWORD PTR DS:
2197F41E|.8BCE MOV ECX,ESI
2197F420|.E8 65EAFFFF CALL XLUser.2197DE8A
2197F425|>FF75 FC PUSH DWORD PTR SS: ; /pCriticalSection
2197F428|>FF15 28209921 CALL DWORD PTR DS:[<&KERNEL32.LeaveCriticalSection>] ; \LeaveCriticalSection
2197F42E|.5F POP EDI
2197F42F|.5E POP ESI
2197F430|.5B POP EBX
2197F431|.C9 LEAVE
2197F432\.C2 0800 RETN 8 ;子程序的结尾处
————————————————————————————————————
“2197F407” F7跟进去后,来到下面
2197E14D/$B8 66FF9821 MOV EAX,XLUser.2198FF66
2197E152|.E8 79050100 CALL XLUser.2198E6D0
2197E157|.51 PUSH ECX
2197E158|.53 PUSH EBX
2197E159|.56 PUSH ESI
2197E15A|.8BF1 MOV ESI,ECX
2197E15C|.57 PUSH EDI
2197E15D|.8D86 98100000 LEA EAX,DWORD PTR DS:
2197E163|.50 PUSH EAX ; /pCriticalSection
2197E164|.FF15 24209921 CALL DWORD PTR DS:[<&KERNEL32.EnterCriticalSection>] ; \EnterCriticalSection
2197E16A|.8D86 7C100000 LEA EAX,DWORD PTR DS:
2197E170|.8945 F0 MOV DWORD PTR SS:,EAX
2197E173|.8D9E 6C100000 LEA EBX,DWORD PTR DS:
2197E179|.33FF XOR EDI,EDI
2197E17B|.8BCB MOV ECX,EBX
2197E17D|.897D FC MOV DWORD PTR SS:,EDI
2197E180|.E8 49D8FFFF CALL XLUser.2197B9CE
2197E185|.85C0 TEST EAX,EAX
2197E187|.76 2F JBE SHORT XLUser.2197E1B8
2197E189|>FFB6 2C100000 /PUSH DWORD PTR DS:
2197E18F|.8B86 70100000 |MOV EAX,DWORD PTR DS:
2197E195|.FFB6 28100000 |PUSH DWORD PTR DS:
2197E19B|.8D04B8 |LEA EAX,DWORD PTR DS:
2197E19E|.8B00 |MOV EAX,DWORD PTR DS:
2197E1A0|.FFB6 24100000 |PUSH DWORD PTR DS:
2197E1A6|.8B08 |MOV ECX,DWORD PTR DS:
2197E1A8|.50 |PUSH EAX
2197E1A9|.FF51 0C |CALL DWORD PTR DS: ;F7 跟进去
2197E1AC|.8BCB |MOV ECX,EBX
2197E1AE|.47 |INC EDI
2197E1AF|.E8 1AD8FFFF |CALL XLUser.2197B9CE
2197E1B4|.3BF8 |CMP EDI,EAX
2197E1B6|.^ 72 D1 \JB SHORT XLUser.2197E189
2197E1B8|>8B45 F0 MOV EAX,DWORD PTR SS:
2197E1BB|.83C0 1C ADD EAX,1C
2197E1BE|.50 PUSH EAX ; /pCriticalSection
2197E1BF|.FF15 28209921 CALL DWORD PTR DS:[<&KERNEL32.LeaveCriticalSection>] ; \LeaveCriticalSection
2197E1C5|.8B4D F4 MOV ECX,DWORD PTR SS:
2197E1C8|.5F POP EDI
2197E1C9|.5E POP ESI
2197E1CA|.5B POP EBX
2197E1CB|.64:890D 00000>MOV DWORD PTR FS:,ECX
2197E1D2|.C9 LEAVE
2197E1D3\.C3 RETN
————————————————————————————————————
“2197E1A9” F7跟进去后,来到下面,进入 “BaseCommunity.dll”领空
1000B9D0 .6A FF PUSH -1
1000B9D2 .68 F7030510 PUSH BaseComm.100503F7 ;SE 处理程序安装
1000B9D7 .64:A1 0000000>MOV EAX,DWORD PTR FS:
1000B9DD .50 PUSH EAX
1000B9DE .64:8925 00000>MOV DWORD PTR FS:,ESP
1000B9E5 .81EC 9C000000 SUB ESP,9C
1000B9EB .A1 C42D0810 MOV EAX,DWORD PTR DS:
1000B9F0 .33C4 XOR EAX,ESP
1000B9F2 .55 PUSH EBP
1000B9F3 .8BAC24 B80000>MOV EBP,DWORD PTR SS:
1000B9FA .57 PUSH EDI
1000B9FB .8BBC24 B80000>MOV EDI,DWORD PTR SS:
1000BA02 .3BFD CMP EDI,EBP
1000BA04 .898424 A00000>MOV DWORD PTR SS:,EAX
1000BA0B .0F84 1A030000 JE BaseComm.1000BD2B
1000BA11 .83FF 02 CMP EDI,2
1000BA14 .53 PUSH EBX
1000BA15 .56 PUSH ESI
1000BA16 .0F85 6C020000 JNZ BaseComm.1000BC88
1000BA1C .E8 AFA9FFFF CALL BaseComm.100063D0
1000BA21 .8BC8 MOV ECX,EAX
1000BA23 .E8 9865FFFF CALL BaseComm.10001FC0 ;F7跟进去
1000BA28 .85C0 TEST EAX,EAX
1000BA2A .8B35 54710610 MOV ESI,DWORD PTR DS:[<&KERNEL32.GetTickCount>] ;kernel32.GetTickCount
------------------------------------------
“1000BA23” F7跟进去后,来到下面
10001FC0/$51 PUSH ECX ;(Initial CPU selection)
10001FC1|.8B41 1C MOV EAX,DWORD PTR DS:
10001FC4|.85C0 TEST EAX,EAX
10001FC6|.74 17 JE SHORT BaseComm.10001FDF
10001FC8|.8D1424 LEA EDX,DWORD PTR SS:
10001FCB|.52 PUSH EDX
10001FCC|.C74424 04 000>MOV DWORD PTR SS:,0
10001FD4|.8B08 MOV ECX,DWORD PTR DS:
10001FD6|.50 PUSH EAX
10001FD7|.FF51 0C CALL DWORD PTR DS: ;F7跟进去
10001FDA|.8B0424 MOV EAX,DWORD PTR SS:
10001FDD|.59 POP ECX
10001FDE|.C3 RETN
10001FDF|>33C0 XOR EAX,EAX
10001FE1|.59 POP ECX
10001FE2\.C3 RETN
------------------------------------------
“10001FD7” F7跟进去后,来到下面,进入 “XLUser.dll”领空
2197A95B .8B4424 04 MOV EAX,DWORD PTR SS:
2197A95F .83B8 10100000>CMP DWORD PTR DS:,2
2197A966 .74 07 JE SHORT XLUser.2197A96F
2197A968 .B8 04400080 MOV EAX,80004004
2197A96D .EB 0F JMP SHORT XLUser.2197A97E
2197A96F >0FB680 E80500>MOVZX EAX,BYTE PTR DS: ;修改为 mov eax,1
2197A976 .8B4C24 08 MOV ECX,DWORD PTR SS:
2197A97A .8901 MOV DWORD PTR DS:,EAX
2197A97C .33C0 XOR EAX,EAX
2197A97E >C2 0800 RETN 8
在 2197A96F 打补丁,
MOVZX EAX,BYTE PTR DS: 修改为 mov eax,1
------------------------------------------
修改后,保存,即可,这样就是VIP用户了。
呵呵,赶快替换原有的“XLUser.dll”文件吧,体验一下不花一分钱的 VIP 用户的功能。
暂时看不懂
收藏了
留着研究 技术活,我搞不定。{:soso_e101:} 迷糊
看的天书一样
页:
[1]