看错了一个人,感慨,一个小小的能读mapinfo.txt的DBsrv还要加密才放出来,唉.算我没眼光.
l�)1ySX&BU I.
原理:跳过解密代码.
l�)1ySX&BU II.
正题:
l�)1ySX&BU ------------------------------------------------------------------
l�)1ySX&BU ◆A.!setup.txt 修改3个地方.
l�)1ySX&BU 1.
l�)1ySX&BU ------------------------------------------------------------------
l�)1ySX&BU :0048613E 8B45EC
mov eax,
dword ptr [
ebp-14]
l�)1ySX&BU :00486141 8B55E8
mov edx,
dword ptr [
ebp-18]
★
l�)1ySX&BU :00486144 80341004
xor byte ptr [
eax+
edx], 04
;这里解密
l�)1ySX&BU :00486148 FF45E8
inc [
ebp-18]
l�)1ySX&BU :0048614B 817DE8900A0000
cmp dword ptr [
ebp-18], 00000A90
l�)1ySX&BU :00486152 75EA
jne 0048613E
l�)1ySX&BU ●:00486154 8B45FC mov eax, dword ptr [ebp-04]
l�)1ySX&BU ------------------------------------------------------------------
l�)1ySX&BU 2.
l�)1ySX&BU ------------------------------------------------------------------
l�)1ySX&BU :0048623B 8B45EC
mov eax,
dword ptr [
ebp-14]
l�)1ySX&BU :0048623E 8B55E8
mov edx,
dword ptr [
ebp-18]
★
l�)1ySX&BU :00486241 80341004
xor byte ptr [
eax+
edx], 04
;这里解密
l�)1ySX&BU :00486245 FF45E8
inc [
ebp-18]
l�)1ySX&BU :00486248 817DE8900A0000
cmp dword ptr [
ebp-18], 00000A90
l�)1ySX&BU :0048624F 75EA
jne 0048623B
l�)1ySX&BU ●:00486251 8B55EC mov edx, dword ptr [ebp-14]
l�)1ySX&BU ------------------------------------------------------------------
l�)1ySX&BU 上面两个地方从★处开始汇编
l�)1ySX&BU Mov dword ptr[
ebp-18],0A90
;这里是以防万一
l�)1ySX&BU JMP ● ;这里JMP到各自的●处
l�)1ySX&BU ------------------------------------------------------------------
l�)1ySX&BU 以上修改可以统一修改如下:
l�)1ySX&BU 查找:8B45EC8B55E880341004FF45E8817DE8900A000075EA
l�)1ySX&BU 替换:8B45ECC745E8900A0000EB0A90817DE8900A000075EA
l�)1ySX&BU ------------------------------------------------------------------
l�)1ySX&BU 3.
l�)1ySX&BU -----------------------------------------------------------------
l�)1ySX&BU :004957BB 40
inc eax
l�)1ySX&BU :004957BC 8945E8
mov dword ptr [
ebp-18],
eax
l�)1ySX&BU :004957BF C745EC00000000
mov [
ebp-14], 00000000
★
l�)1ySX&BU :004957C6 8B45F8
mov eax,
dword ptr [
ebp-08]
l�)1ySX&BU :004957C9 8B55EC
mov edx,
dword ptr [
ebp-14]
l�)1ySX&BU :004957CC 80341004
xor byte ptr [
eax+
edx], 04
;保存之前的加密
l�)1ySX&BU :004957D0 FF45EC
inc [
ebp-14]
l�)1ySX&BU :004957D3 FF4DE8
dec [
ebp-18]
l�)1ySX&BU :004957D6 75EE
jne 004957C6
l�)1ySX&BU ●:004957D8 8A45F3 mov al, byte ptr [ebp-0D]
l�)1ySX&BU ----------------------------------------------------------------
l�)1ySX&BU 上面从★处汇编,直接跳到●处.
l�)1ySX&BU Mov dword ptr[
ebp-14],
eax ;这里以防万一
l�)1ySX&BU JMP ●
l�)1ySX&BU 十六进制的字符串替换如下:
l�)1ySX&BU 查找:408945E8C745EC000000008B45F88B55EC80341004FF45ECFF4DE875EE8A45F3
l�)1ySX&BU 替换:408945E88945ECEB14909090909090909090909090FF45ECFF4DE875EE8A45F3
l�)1ySX&BU ===============================================================
l�)1ySX&BU
l�)1ySX&BU ◆B.adminlist.txt
l�)1ySX&BU ---------------------------------------------------------------
l�)1ySX&BU :0045701A 8B5DF8
mov ebx,
dword ptr [
ebp-08]
l�)1ySX&BU :0045701D 8A4C19FF
mov cl,
byte ptr [
ecx+
ebx-01]
l�)1ySX&BU :00457021 80F107
xor cl, 07
;这里解密,NOP掉
l�)1ySX&BU :00457024 884C10FF
mov byte ptr [
eax+
edx-01],
cl
l�)1ySX&BU :00457028 FF45F8
inc [
ebp-08]
l�)1ySX&BU :0045702B FF4DF4
dec [
ebp-0C]
l�)1ySX&BU :0045702E 75DA
jne 0045700A
l�)1ySX&BU --------------------------------------------------------------
l�)1ySX&BU 因为adminlist.txt体积很小,所以NOP即可,不影响读取速度.
l�)1ySX&BU 查找:8B5DF88A4C19FF80F107884C10FF
l�)1ySX&BU 替换:8B5DF88A4C19FF909090884C10FF
l�)1ySX&BU =============================================================
l�)1ySX&BU ◆C:mapinfo.txt 和以及其他用同样方法加解密的文件
l�)1ySX&BU -------------------------------------------------------------
l�)1ySX&BU 1.
修改DBsrv.exe,使其能读取解密的mapinfo.txt 修改两处
l�)1ySX&BU -------------------------------------------------------------
l�)1ySX&BU :0040493B 83C41C
add esp, 0000001C
l�)1ySX&BU :0040493E 84C0
test al,
al ;这里,校验.
l�)1ySX&BU :00404940 750E
jne 00404950
;修改这里,无视校验.
l�)1ySX&BU :00404942 57
push edi
l�)1ySX&BU :00404943 E877770000
call 0040C0BF
l�)1ySX&BU :00404948 59
pop ecx
l�)1ySX&BU :00404949 32C0
xor al,
al
l�)1ySX&BU :0040494B E9E0000000
jmp 00404A30
l�)1ySX&BU :00404950 8D7708
lea esi,
dword ptr [
edi+08]
;修改这里,从$0开始读取
l�)1ySX&BU :00404953 85F6
test esi,
esi
l�)1ySX&BU :00404955 0F84D3000000
je 00404A2E
l�)1ySX&BU :0040495B 8D85F4FEFFFF
lea eax,
dword ptr [
ebp+FFFFFEF4]
l�)1ySX&BU -------------------------------------------------------------
l�)1ySX&BU DBsrv.exe
修改上面两处足够,无需其他修改.
l�)1ySX&BU ------------------------------------
l�)1ySX&BU :00404940
jmp 00404950
l�)1ySX&BU ------------------------------------
l�)1ySX&BU :00404950
lea esi,
dword ptr [
edi]
l�)1ySX&BU ------------------------------------
l�)1ySX&BU 统一一下:
l�)1ySX&BU 查找:83C41C84C0750E57E8777700005932C0E9E00000008D770885F60F84D30000008D85F4FEFFFF
l�)1ySX&BU 替换:83C41C84C0EB0E57E8777700005932C0E9E00000008D379085F60F84D30000008D85F4FEFFFF
l�)1ySX&BU -------------------------------------------------------------
l�)1ySX&BU 2.ei
主程序 修改两处.
l�)1ySX&BU -------------------------------------------------------------
l�)1ySX&BU :00534571 8B55EC
mov edx,
dword ptr [
ebp-14]
l�)1ySX&BU :00534574 8B45E4
mov eax,
dword ptr [
ebp-1C]
l�)1ySX&BU :00534577 E8F0FDFFFF
call 0053436C
;这里,校验解密,NOP!
l�)1ySX&BU :0053457C 8B45E4
mov eax,
dword ptr [
ebp-1C]
l�)1ySX&BU :0053457F 83C008
add eax, 00000008
;这里,文件读取起始,NOP!
l�)1ySX&BU :00534582 8945E0
mov dword ptr [
ebp-20],
eax
l�)1ySX&BU -------------------------------------------------------------
l�)1ySX&BU 综合一下,只要
l�)1ySX&BU 查找:8B55EC8B45E4E8F0FDFFFF8B45E483C0088945E0
l�)1ySX&BU 替换:8B55EC8B45E4EB099090909090909090908945E0
l�)1ySX&BU =============================================================
l�)1ySX&BU 还有3个数据库,算了吧,工具都不支持解密数据库.:)
l�)1ySX&BU 有兴趣的朋友自己就看一下吧,都是非常简单的加密解密.ENJOY.
l�)1ySX&BU tYRoPE 04-09-24
l�)1ySX&BU [此贴子已经被作者于2004-9-24 15:15:33编辑过]
