灰鸽子VIP 2007 本地完美破解
栏目:技术文章 作者:东方标准 时间:2009-11-06 17:10:13
0056DD91 33C0 xor eax, eax
0056DD93 55 push ebp
0056DD94 68 96F45600 push 0056F496
0056DD99 64:FF30 push dword ptr fs:[eax]
0056DD9C 64:8920 mov dword ptr fs:[eax], esp
0056DD9F E9 9E000000 jmp 0056DE42
0056DDA4 33C9 xor ecx, ecx
0056DDA6 B2 01 mov dl, 1
0056DDA8 A1 28DD5500 mov eax, dword ptr [55DD28]
0056DDAD E8 3603FFFF call 0055E0E8
0056DDB2 8945 E4 mov dword ptr [ebp-1C], eax
0056DDB5 8B45 E4 mov eax, dword ptr [ebp-1C]
.
0056DE30 A1 F0FC5D00 mov eax, dword ptr [5DFCF0]
0056DE35 8B80 94030000 mov eax, dword ptr [eax+394]
0056DE3B 33D2 xor edx, edx
0056DE3D E8 0200FAFF call 0050DE44
0056DE42 8D85 74FAFFFF lea eax, dword ptr [ebp-58C]
0056DE48 E8 B7FEFFFF call 0056DD04
0056DE4D 8B95 74FAFFFF mov edx, dword ptr [ebp-58C]
0056DE53 8D46 40 lea eax, dword ptr [esi+40]
0056DE56 E8 256CE9FF call 00404A80
0056DE5B E9 1D010000 jmp 0056DF7D
0056DE60 90 nop
0056DE61 90 nop
0056DE62 90 nop
0056DE63 8B80 50030000 mov eax, dword ptr [eax+350]
0056DE69 E8 0280F5FF call 004C5E70
0056DE6E 8D55 DC lea edx, dword ptr [ebp-24]
0056DE71 A1 F0FC5D00 mov eax, dword ptr [5DFCF0]
0056DE76 8B80 58030000 mov eax, dword ptr [eax+358]
0056DE7C E8 93E0F8FF call 004FBF14
0056DE81 B2 01 mov dl, 1
0056DE83 A1 38BA5600 mov eax, dword ptr [56BA38]
.
0056DF5B E8 644BE9FF call 00402AC4
0056DF60 8D45 F0 lea eax, dword ptr [ebp-10]
0056DF63 E8 14F9FFFF call 0056D87C
0056DF68 8B45 F0 mov eax, dword ptr [ebp-10]
0056DF6B E8 7C6DE9FF call 00404CEC
0056DF70 50 push eax
0056DF71 8D45 F0 lea eax, dword ptr [ebp-10]
0056DF74 E8 CB6FE9FF call 00404F44
0056DF79 90 nop
0056DF7A 90 nop
0056DF7B 90 nop
0056DF7C 90 nop
0056DF7D B8 181B5D00 mov eax, 005D1B18
0056DF82 8945 E0 mov dword ptr [ebp-20], eax
0056DF85 8B45 E0 mov eax, dword ptr [ebp-20]
0056DF88 E8 5F6DE9FF call 00404CEC
0056DF8D 50 push eax
0056DF8E 8D45 E0 lea eax, dword ptr [ebp-20]
0056DF91 E8 AE6FE9FF call 00404F44
0056DF96 8D93 DA030000 lea edx, dword ptr [ebx+3DA]
0056DF9C 59 pop ecx
0056DF9D E8 224BE9FF call 00402AC4
0056DFA2 A1 F0FC5D00 mov eax, dword ptr [5DFCF0]
0056DFA7 8B80 F0030000 mov eax, dword ptr [eax+3F0]
.
0056E3D3 E8 C48BEFFF call 00466F9C
0056E3D8 8B45 F0 mov eax, dword ptr [ebp-10]
0056E3DB E8 0C69E9FF call 00404CEC
0056E3E0 50 push eax
0056E3E1 8D45 F0 lea eax, dword ptr [ebp-10]
0056E3E4 E8 5B6BE9FF call 00404F44
0056E3E9 8D93 BC030000 lea edx, dword ptr [ebx+3BC]
0056E3EF 59 pop ecx
0056E3F0 E8 CF46E9FF call 00402AC4
0056E3F5 90 nop
0056E3F6 8D8D 74FAFFFF lea ecx, dword ptr [ebp-58C]
0056E3FC BA ACF55600 mov edx, 0056F5AC ; ASCII "20050101"
0056E401 8B46 40 mov eax, dword ptr [esi+40]
0056E404 E8 3BC4FDFF call 0054A844
0056E409 8B85 74FAFFFF mov eax, dword ptr [ebp-58C]
0056E40F E8 D868E9FF call 00404CEC
0056E414 50 push eax
0056E415 8D85 74FAFFFF lea eax, dword ptr [ebp-58C]
0056E41B E8 246BE9FF call 00404F44
0056E420 8D15 8B1B5D00 lea edx, dword ptr [5D1B8B]
0056E426 59 pop ecx
0056E427 E8 9846E9FF call 00402AC4
0056E42C 90 nop
0056E42D B8 BB1B5D00 mov eax, 005D1BBB
0056E432 8945 EC mov dword ptr [ebp-14], eax
0056E435 8B45 EC mov eax, dword ptr [ebp-14]
0056E438 E8 AF68E9FF call 00404CEC
0056E43D 50 push eax
0056E43E 8D45 EC lea eax, dword ptr [ebp-14]
0056E441 E8 FE6AE9FF call 00404F44
0056E446 8D15 3CF31200 lea edx, dword ptr [12F33C]
0056E44C 59 pop ecx
0056E44D E8 7246E9FF call 00402AC4
0056E452 33C0 xor eax, eax
0056E454 55 push ebp
0056E455 68 24E85600 push 0056E824
0056E45A 64:FF30 push dword ptr fs:[eax]
0056E45D 64:8920 mov dword ptr fs:[eax], esp
0056E460 68 8B1B5D00 push 005D1B8B
0056E465 8D4D F0 lea ecx, dword ptr [ebp-10]
0056E468 BA 8B1B5D00 mov edx, 005D1B8B
0056E46D 8BC3 mov eax, ebx
0056E46F E8 D0C3FDFF call 0054A844
0056E474 FF75 F0 push dword ptr [ebp-10]
0056E477 8D45 F0 lea eax, dword ptr [ebp-10]
0056E47A BA 02000000 mov edx, 2
0056E47F E8 2869E9FF call 00404DAC
0056E484 EB 42 jmp short 0056E4C8
0056E486 90 nop
0056E487 90 nop
0056E488 90 nop
0056E489 90 nop
0056E48A 90 nop
0056E48B 90 nop
0056E48C 90 nop
0056E48D 90 nop
0056E48E 90 nop
0056E48F 8B80 1C040000 mov eax, dword ptr [eax+41C]
0056E495 80B8 F0020000>cmp byte ptr [eax+2F0], 0
0056E49C 74 16 je short 0056E4B4
0056E49E C645 CB 00 mov byte ptr [ebp-35], 0
0056E4A2 8D55 CB lea edx, dword ptr [ebp-35]
0056E4A5 B9 01000000 mov ecx, 1
0056E4AA 8B45 C4 mov eax, dword ptr [ebp-3C]
0056E4AD E8 CAF9EAFF call 0041DE7C
0056E4B2 EB 14 jmp short 0056E4C8
0056E4B4 C645 CB 01 mov byte ptr [ebp-35], 1
0056E4B8 8D55 CB lea edx, dword ptr [ebp-35]
0056E4BB B9 01000000 mov ecx, 1
0056E4C0 8B45 C4 mov eax, dword ptr [ebp-3C]
0056E4C3 E8 B4F9EAFF call 0041DE7C
.
0056E61B 68 BCF65600 push 0056F6BC ; ASCII CR,LF
0056E620 8D45 EC lea eax, dword ptr [ebp-14]
0056E623 BA 06000000 mov edx, 6
0056E628 E8 7F67E9FF call 00404DAC
0056E62D E9 C0020000 jmp 0056E8F2
0056E632 8B80 58040000 mov eax, dword ptr [eax+458]
0056E638 8B80 2C020000 mov eax, dword ptr [eax+22C]
0056E63E E8 AD2DEEFF call 004513F0
0056E643 85C0 test eax, eax
.
0056E8C7 ^\E9 1058E9FF jmp 004040DC
0056E8CC 8D8D 38FAFFFF lea ecx, dword ptr [ebp-5C8]
0056E8D2 BA ACF55600 mov edx, 0056F5AC ; ASCII "20050101"
0056E8D7 B8 2CF85600 mov eax, 0056F82C ; ASCII "8CBEBBFDA599FC841FBE789B04569EB2088ABF7C5A5F87CD"
0056E8DC E8 13C1FDFF call 0054A9F4
0056E8E1 8B95 38FAFFFF mov edx, dword ptr [ebp-5C8]
0056E8E7 A1 F0FC5D00 mov eax, dword ptr [5DFCF0]
0056E8EC 8B80 94030000 mov eax, dword ptr [eax+394]
0056E8F2 B2 01 mov dl, 1
0056E8F4 A1 808F4100 mov eax, dword ptr [418F80]
0056E8F9 E8 CE52E9FF call 00403BCC
0056E8FE 8BD8 mov ebx, eax
0056E900 8D95 58FAFFFF lea edx, dword ptr [ebp-5A8]
0056E906 33C0 xor eax, eax
0056E908 E8 E342E9FF call 00402BF0
0056E90D 8B85 58FAFFFF mov eax, dword ptr [ebp-5A8]
0056E913 8D95 5CFAFFFF lea edx, dword ptr [ebp-5A4]
0056E919 E8 0EB8E9FF call 0040A12C
0056E91E 8D85 5CFAFFFF lea eax, dword ptr [ebp-5A4]
0056E924 BA 291B5D00 mov edx, 005D1B29
0056E929 E8 C663E9FF call 00404CF4
0056E92E 8B95 5CFAFFFF mov edx, dword ptr [ebp-5A4]
0056E934 8BC3 mov eax, ebx
0056E936 E8 11FBEAFF call 0041E44C
0056E93B 6A 00 push 0
0056E93D 6A 00 push 0
0056E93F 8BC3 mov eax, ebx
0056E941 E8 F2F2EAFF call 0041DC38
0056E946 90 nop
0056E947 8D55 E0 lea edx, dword ptr [ebp-20]
0056E94A A1 F0FC5D00 mov eax, dword ptr [5DFCF0]
0056E94F 8B80 48030000 mov eax, dword ptr [eax+348]
0056E955 E8 1675F5FF call 004C5E70
0056E95A 8B55 E0 mov edx, dword ptr [ebp-20]
0056E95D 8BC3 mov eax, ebx
0056E95F E8 14FAEAFF call 0041E378
0056E964 8BC3 mov eax, ebx
0056E966 E8 9152E9FF call 00403BFC
0056E96B 90 nop
0056E96C B8 4E1B5D00 mov eax, 005D1B4E
0056E971 8945 E4 mov dword ptr [ebp-1C], eax
0056E974 8B55 E4 mov edx, dword ptr [ebp-1C]
0056E977 8D45 D4 lea eax, dword ptr [ebp-2C]
0056E97A E8 4561E9FF call 00404AC4
0056E97F 8B45 D4 mov eax, dword ptr [ebp-2C]
0056E982 BA 68F85600 mov edx, 0056F868 ; ASCII "PSWERROR"
0056E987 E8 AC64E9FF call 00404E38
0056E98C 75 4A jnz short 0056E9D8
0056E98E 8D8D 30FAFFFF lea ecx, dword ptr [ebp-5D0]
0056E994 BA ACF55600 mov edx, 0056F5AC ; ASCII "20050101"
0056E999 B8 7CF85600 mov eax, 0056F87C ; ASCII "A755332A1F64E4ED80FB2318698D5D2097EC778F549B6A921AA8EAD565490052299B92F0F92947AC"
.
0056EB71 8B85 1CFAFFFF mov eax, dword ptr [ebp-5E4]
0056EB77 8B56 40 mov edx, dword ptr [esi+40]
0056EB7A E8 B962E9FF call 00404E38
0056EB7F E9 0A010000 jmp 0056EC8E
0056EB84 90 nop
0056EB85 90 nop
0056EB86 90 nop
0056EB87 BA ACF55600 mov edx, 0056F5AC ; ASCII "20050101"
0056EB8C B8 A4FA5600 mov eax, 0056FAA4 ; ASCII "AE6C843B1906F159B99915B35B861A3B"
0056EB91 E8 5EBEFDFF call 0054A9F4
.
0056EC7F E8 BCE5F9FF call 0050D240
0056EC84 68 E8030000 push 3E8 ; /Timeout = 1000. ms
0056EC89 E8 3203EAFF call <jmp.&kernel32.Sleep> ; \Sleep
0056EC8E 8D8D 00FAFFFF lea ecx, dword ptr [ebp-600]
0056EC94 BA 00000000 mov edx, 0
0056EC99 8BC3 mov eax, ebx
0056EC9B 8B38 mov edi, dword ptr [eax]
0056EC9D FF57 0C call dword ptr [edi+C]
0056ECA0 8B95 00FAFFFF mov edx, dword ptr [ebp-600]
0056ECA6 A1 F0FC5D00 mov eax, dword ptr [5DFCF0]
0056ECAB 8B80 94030000 mov eax, dword ptr [eax+394]
0056ECB1 E8 8AE5F9FF call 0050D240
0056ECB6 6A 01 push 1 ; /Timeout = 1. ms
0056ECB8 90 nop
0056ECB9 90 nop
0056ECBA 90 nop
0056ECBB E8 0003EAFF call <jmp.&kernel32.Sleep> ; \Sleep
0056ECC0 E9 4A010000 jmp 0056EE0F
0056ECC5 90 nop
0056ECC6 90 nop
0056ECC7 E8 004FE9FF call 00403BCC
0056ECCC 8945 FC mov dword ptr [ebp-4], eax
0056ECCF B2 01 mov dl, 1
0056ECD1 A1 808F4100 mov eax, dword ptr [418F80]
.
0056EE7B 59 pop ecx
0056EE7C 59 pop ecx
0056EE7D 64:8910 mov dword ptr fs:[eax], edx
0056EE80 E9 85000000 jmp 0056EF0A
0056EE85 90 nop
0056EE86 90 nop
0056EE87 8D8D ECF9FFFF lea ecx, dword ptr [ebp-614]
0056EE8D BA ACF55600 mov edx, 0056F5AC ; ASCII "20050101"
0056EE92 B8 70FB5600 mov eax, 0056FB70 ; ASCII "D643789306B82EC46818067678D9E68BBE3F7EF1CD83378222507BC8C91DA4843C7CA27A23E4D8D6F06ACB50CF310327299B92F0F92947AC"
.
0056EF6A 64:8910 mov dword ptr fs:[eax], edx
0056EF6D E9 16010000 jmp 0056F088
0056EF72 90 nop
0056EF73 90 nop
0056EF74 8D8D E4F9FFFF lea ecx, dword ptr [ebp-61C]
0056EF7A BA ACF55600 mov edx, 0056F5AC ; ASCII "20050101"
0054A55F |. /0F84 07010000 je 0054A66C 将此句直接NOP 掉 (加密函数里的)
上面的代码 中用到的数据如下(请参照修改)
005D1B00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
005D1B10 FF FF FF FF 05 00 00 00 31 31 31 31 31 00 00 00 ...11111...
005D1B20 00 FF FF FF FF 0E 00 00 00 63 61 63 68 65 5C 32 . ...cache\2
005D1B30 30 30 37 2E 64 61 74 00 00 00 00 FF FF FF FF 08 007.dat....
005D1B40 00 00 00 FF FF FF FF E0 03 00 00 00 00 00 BB D2 ... ?.....灰
005D1B50 B8 EB D7 D3 5B 56 49 50 20 32 30 30 37 5D 20 43 鸽子[VIP 2007] C
005D1B60 72 65 61 6B 65 64 20 42 79 20 4C 69 61 6E 58 20 reaked By LianX
005D1B70 5B 32 30 30 38 2D 30 33 2D 32 39 5D 00 00 00 00 [2008-03-29]....
005D1B80 00 00 00 FF FF FF FF 20 00 00 00 00 00 00 00 00 ... ........
005D1B90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
005D1BA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
005D1BB0 00 00 00 FF FF FF FF 08 00 00 00 FF FF FF FF E0 ... ...
005D1BC0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
005D1BD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
005D1BE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
005D1BF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
复制下面的代码即可
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FF FF FF FF 05 00 00 00 31 31 31 31 31 00 00 00
00 FF FF FF FF 0E 00 00 00 63 61 63 68 65 5C 32
30 30 37 2E 64 61 74 00 00 00 00 FF FF FF FF 08
00 00 00 FF FF FF FF E0 03 00 00 00 00 00 BB D2
B8 EB D7 D3 5B 56 49 50 20 32 30 30 37 5D 20 43
72 65 61 6B 65 64 20 42 79 20 4C 69 61 6E 58 20
5B 32 30 30 38 2D 30 33 2D 32 39 5D 00 00 00 00
00 00 00 FF FF FF FF 20 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 FF FF FF FF 08 00 00 00 FF FF FF FF E0
03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
服务端
清除专用上线功能
存为 cache\2007.dat,名字也可以改成其它的
注意:
"cache\2007.dat " 的长度为14位,对应的十六进制为 0D ,而 0D+1=0E .即为"cache\2007.dat "二进制对应的 63 61 63 68 65 5C 32
前面的 FF FF FF FF 0E 中的 0E ,其限制了后面"cache\2007.dat " 的位数,若你要用的路径比原来的这个长的话,你就自己改成你所要的路径长度加一即可.
懒得计算的话,就直接把它改成最大值 "FF"




