qyc 2007-5-21 04:23 PM
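Removing the Unlock registration button from the PhotoZoomPro2 2.2.4 Photoshop plugin
1. PhotoZoomPro2 2.2.4 Photoshop plugin successfully cracked!
Change the file extension to DLL, then unpack it with Aspr2.XX_unpacker_v1.0 (thanks, VolX, your script is awesome!)
The cracking process is much the same as the method for the main program.
The following bytes can help you quickly locate the places to modify:
First location: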
83 C4 10 84 C0 75 0C 46 3B 75 0C
Second location:
83 C4 10 84 C0
2. Goal: remove the Unlock registration button from the PhotoZoomPro2 2.2.4 Photoshop plugin
Look at the software, then look at the officially registered version: the Unlock registration button is removed after registration!
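Since this is a PS plugin, we generally just need to break once PS has loaded the plugin!
Load PS in OD >> Run >> open an image
I first set a breakpoint with bp EnableWindow
File >> Export >> PhotoZoom Pro 2..
After it breaks, remove the breakpoint, then open the modules window, select the loaded plugin, and enter the plugin's own code space!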
bpx GetWindowTextA
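After pressing F9 315 times (317 in total, i.e. the second-to-last time; you have no choice but to press it ^_^), remember to look at the stack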
0012DE88 00011276 |hWnd = 00011276 ('Unlock',class='Button',parent=00170D88)
0012DE8C 2360CEB4 |Buffer = 2360CEB4
0012DE90 00000007 \Count = 7
0012DE94 2360CC48
===============================================================================
232BDF84 FF15 D8253823 CALL DWORD PTR DS:[<&user32.GetWindowTex>; USER32.GetWindowTextA start pressing F8 from here
232BDF8A 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
232BDF8D E8 3E1DFDFF CALL 3.2328FCD0
232BDF92 5E POP ESI
232BDF93 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
232BDF96 8BC7 MOV EAX,EDI
232BDF98 5F POP EDI
232BDF99 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
232BDFA0 C9 LEAVE
232BDFA1 C3 RETN--------->return
Keep pressing F8 until 232D8D55:
===============================================================================
232D8CA4 5F POP EDI
232D8CA5 5E POP ESI
232D8CA6 8AC3 MOV AL,BL
232D8CA8 5B POP EBX
232D8CA9 64:890D 0000000>MOV DWORD PTR FS:[0],ECX----------->; set a breakpoint here
232D8CB0 C9 LEAVE
232D8CB1 C2 2000 RETN 20 ----------->; Note: this is the most recent exit; the final return is also here
232D8CB4 8B06 MOV EAX,DWORD PTR DS:[ESI]
232D8CB6 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
232D8CB9 51 PUSH ECX
232D8CBA FF75 1C PUSH DWORD PTR SS:[EBP+1C]
232D8CBD 8BCE MOV ECX,ESI
232D8CBF FF90 38020000 CALL DWORD PTR DS:[EAX+238]
232D8CC5 53 PUSH EBX
232D8CC6 6A 0A PUSH 0A
232D8CC8 8D4D 10 LEA ECX,DWORD PTR SS:[EBP+10]
232D8CCB 8BF8 MOV EDI,EAX
232D8CCD E8 EE6CFBFF CALL 3.2328F9C0
232D8CD2 3B05 3C5A4123 CMP EAX,DWORD PTR DS:[23415A3C]
232D8CD8 74 06 JE SHORT 3.232D8CE0
232D8CDA 81CF 00200000 OR EDI,2000
232D8CE0 FF75 EC PUSH DWORD PTR SS:[EBP-14]
232D8CE3 8D45 10 LEA EAX,DWORD PTR SS:[EBP+10]
232D8CE6 50 PUSH EAX
232D8CE7 FF75 18 PUSH DWORD PTR SS:[EBP+18]
232D8CEA 8BCE MOV ECX,ESI
232D8CEC FF75 14 PUSH DWORD PTR SS:[EBP+14]
232D8CEF 57 PUSH EDI
232D8CF0 68 ACED4123 PUSH 3.2341EDAC ; ASCII "BUTTON"
232D8CF5 E8 7C9CFFFF CALL 3.232D2976
232D8CFA 8AD8 MOV BL,AL
232D8CFC ^ EB 97 JMP SHORT 3.232D8C95
232D8CFE B8 4B263723 MOV EAX,3.2337264B
232D8D03 E8 C8890500 CALL 3.233316D0
232D8D08 81EC 0C010000 SUB ESP,10C
232D8D0E 53 PUSH EBX
232D8D0F 56 PUSH ESI
232D8D10 8BF1 MOV ESI,ECX
232D8D12 57 PUSH EDI
232D8D13 56 PUSH ESI
232D8D14 8D8D E8FEFFFF LEA ECX,DWORD PTR SS:[EBP-118]
232D8D1A E8 3B1D0100 CALL 3.232EAA5A
232D8D1F 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
232D8D22 33DB XOR EBX,EBX
232D8D24 50 PUSH EAX
232D8D25 8BCE MOV ECX,ESI
232D8D27 895D FC MOV DWORD PTR SS:[EBP-4],EBX
232D8D2A E8 21EAFEFF CALL 3.232C7750
232D8D2F 50 PUSH EAX
232D8D30 8D8D E8FEFFFF LEA ECX,DWORD PTR SS:[EBP-118]
232D8D36 C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
232D8D3A E8 7C090100 CALL 3.232E96BB
232D8D3F 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
232D8D42 885D FC MOV BYTE PTR SS:[EBP-4],BL
232D8D45 E8 315BFFFF CALL 3.232CE87B
232D8D4A 8B06 MOV EAX,DWORD PTR DS:[ESI]
232D8D4C 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
232D8D4F 51 PUSH ECX
232D8D50 8BCE MOV ECX,ESI
232D8D52 FF50 40 CALL DWORD PTR DS:[EAX+40]
232D8D55 50 PUSH EAX -----------> ; returns here; if you don't want to keep pressing F8, set a breakpoint above
232D8D56 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
232D8D59 50 PUSH EAX -----------> ; this is my first time, so of course I keep stepping down with F8...
232D8D5A C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
232D8D5E E8 CBC4FEFF CALL 3.232C522E
232D8D63 59 POP ECX
232D8D64 59 POP ECX
Rest omitted.....
............
===============================================
232D8CB1 C2 2000 RETN 20 After returning, F8 again: after 6 times
===============================================
231DAB3B 85F6 TEST ESI,ESI
231DAB3D C64424 40 13 MOV BYTE PTR SS:[ESP+40],13
231DAB42 0F84 82000000 JE 3.231DABCA ----------->; Heh, an important jump; we JMP it and save
231DAB48 8B15 3C5A4123 MOV EDX,DWORD PTR DS:[23415A3C]
231DAB4E 52 PUSH EDX
231DAB4F 6A 00 PUSH 0
231DAB51 68 94CE4123 PUSH 3.2341CE94 ; ASCII "button"
231DAB56 8D4C24 58 LEA ECX,DWORD PTR SS:[ESP+58]
231DAB5A E8 21560B00 CALL 3.23290180
231DAB5F 83CB 20 OR EBX,20
231DAB62 68 CC6A3823 PUSH 3.23386ACC ; ASCII "Unlock"
231DAB67 C64424 44 14 MOV BYTE PTR SS:[ESP+44],14
231DAB6C 895C24 14 MOV DWORD PTR SS:[ESP+14],EBX
231DAB70 E8 EA920900 CALL 3.23273E5F
231DAB75 83C4 04 ADD ESP,4
231DAB78 85C0 TEST EAX,EAX
231DAB7A 75 05 JNZ SHORT 3.231DAB81
231DAB7C B8 F8323823 MOV EAX,3.233832F8
231DAB81 8B0D 3C5A4123 MOV ECX,DWORD PTR DS:[23415A3C]
231DAB87 51 PUSH ECX
231DAB88 6A 00 PUSH 0
231DAB8A 50 PUSH EAX
231DAB8B 8D4C24 54 LEA ECX,DWORD PTR SS:[ESP+54]
231DAB8F E8 EC550B00 CALL 3.23290180
231DAB94 8D5424 4C LEA EDX,DWORD PTR SS:[ESP+4C]
231DAB98 52 PUSH EDX
231DAB99 68 54E04B23 PUSH 3.234BE054
231DAB9E 6A 00 PUSH 0
231DABA0 68 08BF4823 PUSH 3.2348BF08
231DABA5 68 10BF4823 PUSH 3.2348BF10
231DABAA 8D4424 5C LEA EAX,DWORD PTR SS:[ESP+5C]
231DABAE 50 PUSH EAX
231DABAF 6A FF PUSH -1
231DABB1 83CB 40 OR EBX,40
231DABB4 55 PUSH EBP
231DABB5 8BCE MOV ECX,ESI
231DABB7 C74424 60 15000>MOV DWORD PTR SS:[ESP+60],15
231DABBF 895C24 30 MOV DWORD PTR SS:[ESP+30],EBX
231DABC3 E8 B8F4FFFF CALL 3.231DA080
231DABC8 EB 02 JMP SHORT 3.231DABCC ----------->; finally returns here (we've reached the destination)
231DABCA 33C0 XOR EAX,EAX
=================================================================================
Address when loaded standalone in OD: 1000AB62 |. 68 CC6A1B10 PUSH 3.101B6ACC ; ASCII "Unlock"
A8 90 A8 80 A8 80 A8 80 A9 EF A6 EE
hnist 2007-10-12 09:09 PM
yct47 Wow, I'm speechless!