How to give crackcode a paste (clipboard) feature
Date: 2004/10/15 0:59:00  Source: compiled by this site  Author: 蓝点
Foreword:
Treat the whole process as a project; it really is a thrill. :)
1. How the crackcode paste feature came about
Back when 豆豆虾 modified crackcode to break the 25-character limit, he happened to see a post saying that crackcode has no paste function and is awkward to use. 豆豆虾 thought: hey, that really would be a useful feature, and started working out how to change the code. The whole process, from working it out, through modifying and debugging, to success, was full of fun and late nights for 豆豆虾. But I thought: if that fun could be shared with more people, wouldn't that be even better? Life is short; whatever you think is good, leaving aside whether it really is good or bad, can be brought out and shared with others. Perhaps you hope for immediate recognition; if you met ridicule and then stopped moving forward, that would be a pity. As the old saying goes, "walk your own road and let others talk". Time will prove everything (heh, both articles revolve around this central idea! If I ever run into the Chinese teacher who taught me years ago, perhaps I could get a passing mark of 60. Ha ha). I dearly miss my old teachers, friends and classmates; how nice it would be to be together again, but now we are all scattered. A few days ago, in a TV interview with Universiade ambassador 杨澜, she said that what she dreams about most is her own campus, every corner of it, and the good times spent with classmates. Cherish the friends and family around you! A share of sweat, a share of joy; a share of help, a share of friendship.
2. Writing a program with paste functionality
To add paste functionality, you first have to know how to write a program that has it, and how it works underneath.
豆豆虾 said, "simple, on the Internet you can find whatever you need, anytime, anywhere", and found the following program:
How to place text on the clipboard
CString source;
// put your text in source
if (OpenClipboard())
{
    HGLOBAL clipbuffer;
    char *buffer;
    EmptyClipboard();
    clipbuffer = GlobalAlloc(GMEM_DDESHARE, source.GetLength() + 1);
    buffer = (char *)GlobalLock(clipbuffer);
    strcpy(buffer, LPCSTR(source));
    GlobalUnlock(clipbuffer);
    SetClipboardData(CF_TEXT, clipbuffer);   // the clipboard now owns clipbuffer; do not free it
    CloseClipboard();
}
How to get text off of the clipboard
This is easy really, but here it is for completeness.
char *buffer;
if (OpenClipboard())
{
    HGLOBAL hData = GetClipboardData(CF_TEXT);   // handle owned by the clipboard, not by us
    buffer = (char *)GlobalLock(hData);          // lock before reading (the snippet as found cast the handle directly)
    // do something with buffer here, before it goes out of scope
    GlobalUnlock(hData);
    CloseClipboard();                            // inside the if: only close what was actually opened
}
I made small adjustments to the code above. How do you use it? In VC, generate a dialog-based application, double-click the OK button, and paste the following code into the handler. Done. Run the program and press OK; the clipboard now contains "test for clipbroad!!!".
void CClipbroadDlg::OnOK()
{
    // TODO: Add extra validation here
    CString source("test for clipbroad!!!");    // initialise source
    // put your text in source
    if (OpenClipboard())                        // open the clipboard
    {
        HGLOBAL clipbuffer;
        char *buffer;
        // allocate a global block; GMEM_DDESHARE is 0x2000 and, without GMEM_MOVEABLE,
        // gives a fixed block whose handle is its address (the documentation asks for
        // GMEM_MOVEABLE; the fixed form worked on the Windows versions of the day)
        clipbuffer = GlobalAlloc(GMEM_DDESHARE, source.GetLength() + 1);
        if (clipbuffer != NULL)
        {
            EmptyClipboard();                        // empty the clipboard
            buffer = (char *)GlobalLock(clipbuffer); // lock the block we allocated
            strcpy(buffer, LPCSTR(source));          // copy the string into it
            GlobalUnlock(clipbuffer);                // unlock
            SetClipboardData(CF_TEXT, clipbuffer);   // hand the block to the clipboard (CF_TEXT == 1)
        }
        CloseClipboard();                            // close the clipboard
    }
}
3. Converting the VC program into assembly
Why do this? Two reasons: first, for macros like CF_TEXT I did not know what numeric values they stand for; second, the disassembly of an assembly program can be copied into the target program almost verbatim.
I modified Iczelion's first MASM "OK" demo program as follows:
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
MsgCaption db "Iczelion's tutorial no.2",0
MsgBoxText db "Win32 Assembly is Great!",0
.data?
hMemory HANDLE ?
pMemory DWORD ?
.code
start:
invoke OpenClipboard,NULL              ; open the clipboard
test eax,eax
je endpro                              ; failed: skip straight to the message box
mov edi,offset MsgCaption              ; use the caption as the text to put on the clipboard
or ecx,0FFFFFFFFh
xor eax,eax
repnz scasb
not ecx                                ; ecx = length of the caption including the NUL
sub edi,ecx                            ; edi back to the start of the string
push ecx
push edi                               ; these two pushes may not be needed; no time to try
                                       ; (ecx is not preserved across Win32 API calls, so saving it is required)
inc ecx
invoke GlobalAlloc,GMEM_DDESHARE,ecx   ; allocate the block (GMEM_DDESHARE = 2000h)
mov hMemory,eax
invoke EmptyClipboard                  ; empty the clipboard
invoke GlobalLock,hMemory              ; lock the block we allocated
mov pMemory,eax
pop esi
pop ecx
mov edi,eax
rep movs byte ptr [edi],byte ptr [esi] ; copy the string into the block
invoke GlobalUnlock,pMemory            ; unlock (the API takes the handle; pMemory equals hMemory only because the block is fixed)
invoke SetClipboardData,CF_TEXT,pMemory ; set the clipboard content (CF_TEXT = 1; same handle caveat)
invoke CloseClipboard                  ; close the clipboard
endpro:
invoke MessageBox, NULL,addr MsgBoxText, addr MsgCaption, MB_OK
invoke ExitProcess,NULL
end start
4. Now look at the disassembly (one aim was to get the numeric values of the macros; there is actually a simpler way: look them up in windows.h)
//******************** Program Entry Point ********
:00401000 6A00 push 00000000
* Reference To: USER32.OpenClipboard, Ord:01D0h
|
:00401002 E88B000000 Call 00401092
:00401007 85C0 test eax, eax
:00401009 745B je 00401066
* Possible StringData Ref from Data Obj ->"Iczelion's tutorial no.2"
|
:0040100B BF00304000 mov edi, 00403000
:00401010 83C9FF or ecx, FFFFFFFF
:00401013 33C0 xor eax, eax
:00401015 F2 repnz
:00401016 AE scasb
:00401017 F7D1 not ecx
:00401019 2BF9 sub edi, ecx
:0040101B 51 push ecx
:0040101C 57 push edi
:0040101D 41 inc ecx
:0040101E 51 push ecx
:0040101F 6800200000 push 00002000 //,GMEM_DDESHARE
* Reference To: KERNEL32.GlobalAlloc, Ord:0168h
|
:00401024 E87B000000 Call 004010A4
:00401029 A334304000 mov dword ptr [00403034], eax
* Reference To: USER32.EmptyClipboard, Ord:00B3h
|
:0040102E E853000000 Call 00401086
:00401033 FF3534304000 push dword ptr [00403034]
* Reference To: KERNEL32.GlobalLock, Ord:0173h
|
:00401039 E86C000000 Call 004010AA
:0040103E A338304000 mov dword ptr [00403038], eax
:00401043 5E pop esi
:00401044 59 pop ecx
:00401045 8BF8 mov edi, eax
:00401047 F3 repz
:00401048 A4 movsb
:00401049 FF3538304000 push dword ptr [00403038]
* Reference To: KERNEL32.GlobalUnlock, Ord:017Ah
|
:0040104F E85C000000 Call 004010B0
:00401054 FF3538304000 push dword ptr [00403038]
:0040105A 6A01 push 00000001 //,CF_TEXT
* Reference To: USER32.SetClipboardData, Ord:021Fh
|
:0040105C E837000000 Call 00401098
* Reference To: USER32.CloseClipboard, Ord:003Bh
|
:00401061 E81A000000 Call 00401080
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401009(C)
|
:00401066 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Iczelion's tutorial no.2"
|
:00401068 6800304000 push 00403000
* Possible StringData Ref from Data Obj ->"Win32 Assembly is Great!"
|
:0040106D 6819304000 push 00403019
:00401072 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:00401074 E813000000 Call 0040108C
:00401079 6A00 push 00000000
* Reference To: KERNEL32.ExitProcess, Ord:0075h
|
:0040107B E81E000000 Call 0040109E
5. Finding room to insert the code
All the preparation above was for this step. As they say, opportunities are plentiful in real life; the question is whether your knowledge is prepared enough. :)
First use the topo tool to measure whether crackcode has room to insert code. Then use hiew to write the code in statically. Before running, the SECTION attributes must be edited with pebulid to make the section readable and writable (the cave stores the hMemory/pMemory variables next to its own code, so the section has to be writable as well as executable).
Once topo has given you the space, you need to make a small plan:
1. 404400 --- start of the inserted code
2. 404900 --- addresses of the called functions
3. 404A00 --- names of the called functions
The entry points of the called functions must be obtained at run time through GetProcAddress and GetModuleHandleA, using the import thunks crackcode already has for those two.
Here are 豆豆虾's notes:
GetProcAddress    call dword ptr [4050A8]
GetModuleHandleA  call dword ptr [405038]
KERNEL32.DLL ------- 405530
USER32.DLL --------- 40553D
plan:
1. 404400 --- code
2. 404900 --- address of function
3. 404A00 --- function's name
404A00 --- function's name (hiew dump; the 90 bytes are padding to 16-byte slots)
00004A00: 4F 70 65 6E-43 6C 69 70-62 6F 61 72-64 00 90 90  OpenClipboard...
00004A10: 45 6D 70 74-79 43 6C 69-70 62 6F 61-72 64 00 90  EmptyClipboard..
00004A20: 47 6C 6F 62-61 6C 41 6C-6C 6F 63 00-90 90 90 90  GlobalAlloc.....
00004A30: 47 6C 6F 62-61 6C 4C 6F-63 6B 00 90-90 90 90 90  GlobalLock......
00004A40: 47 6C 6F 62-61 6C 55 6E-6C 6F 63 6B-00 90 90 90  GlobalUnlock....
00004A50: 53 65 74 43-6C 69 70 62-6F 61 72 64-44 61 74 61  SetClipboardData
00004A60: 00 90 90 90-90 90 90 90-90 90 90 90-90 90 90 90  ................
00004A70: 43 6C 6F 73-65 43 6C 69-70 62 6F 61-72 64 00 90  CloseClipboard..
404900 --- address of function
OpenClipboard    = 404900 --- user32.dll
EmptyClipboard   = 404904 --- user32.dll
GlobalAlloc      = 404908 --- kernel32.dll
GlobalLock       = 40490C --- kernel32.dll
GlobalUnlock     = 404910 --- kernel32.dll
SetClipboardData = 404914 --- user32.dll
CloseClipboard   = 404918 --- user32.dll
hMemory          = 40491C var
pMemory          = 404920 var
(In the patch as actually written, below, SetClipboardData ends up stored at 404918 and CloseClipboard at 404914, the reverse of this plan; the later calls use the same slots, so it is consistent and works.)
Right, with all this preparation done, it is time to start modifying. The eight-year war of resistance is finally over, heh.
========== the modification that broke the 24-character limit ==========
:00401448 BB4CA64000 mov ebx, 0040A64C
:0040144D B9CCA14000 mov ecx, 0040A1CC
:00401452 8A03 mov al, byte ptr [ebx]
:00401454 3CF5 cmp al, F5
:00401456 7426 je 0040147E
:00401458 83E904 sub ecx, 00000004
:0040145B 3CF0 cmp al, F0
:0040145D 741F je 0040147E
:0040145F 83E904 sub ecx, 00000004
:00401462 3CF1 cmp al, F1
:00401464 7418 je 0040147E
:00401466 83E904 sub ecx, 00000004
:00401469 3CF2 cmp al, F2
:0040146B 7411 je 0040147E
:0040146D 83E904 sub ecx, 00000004
:00401470 3CF3 cmp al, F3
:00401472 740A je 0040147E
:00401474 83E904 sub ecx, 00000004
:00401477 3C90 cmp al, 90
:00401479 7403 je 0040147E
:0040147B 83E904 sub ecx, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401456(C), :0040145D(C), :00401464(C), :0040146B(C), :00401472(C)
|:00401479(C)
|
:0040147E 6A00 push 00000000
:00401480 6A28 push 00000028
:00401482 68809B4000 push 00409B80
:00401487 FF31 push dword ptr [ecx]
:00401489 FF3510A44000 push dword ptr [0040A410]
* Reference To: KERNEL32.ReadProcessMemory, Ord:0000h
|
:0040148F FF1524504000 Call dword ptr [00405024]
:00401495 BB809B4000 mov ebx, 00409B80
:0040149A E9612F0000 jmp 00404400
+++++++++ this jmp goes to the inserted code (placed right after ReadProcessMemory has filled the buffer at 00409B80, which is what the cave copies) +++++++++
:0040149F 90 nop
:004014A0 90 nop
:004014A1 90 nop
:004014A2 90 nop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404504(U)
|
:004014A3 53 push ebx
:004014A4 6A00 push 00000000
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004014A6 FF15C0504000 Call dword ptr [004050C0]
:004014AC E8BB040000 call 0040196C
========== end of the 24-character modification ==========
========== adding the paste feature ==========
:00404400 6660 pusha
:00404402 669C pushf //save the registers
(Note the 66 prefix: 66 60 / 66 9C are the 16-bit pusha/pushf, which save only the low halves of the registers; the 32-bit forms are the single bytes 60 and 9C. The matching 66 9D / 66 61 at the end are balanced, so the stack stays consistent, and the code returned to only needs ebx, which the cave never touches, so it works. When typing this yourself in hiew, use 60/9C and 9D/61.)
--------- get the entry point of each function ---------
:00404404 683D554000 push 0040553D
* Reference To: KERNEL32.GetModuleHandleA, Ord:0000h
|
:00404409 FF1538504000 Call dword ptr [00405038]
:0040440F 8BF8 mov edi, eax
* Possible StringData Ref from Code Obj ->"OpenClipboard"
|
:00404411 68004A4000 push 00404A00
:00404416 57 push edi
* Reference To: KERNEL32.GetProcAddress, Ord:0000h
|
:00404417 FF15A8504000 Call dword ptr [004050A8]
:0040441D A300494000 mov dword ptr [00404900], eax
* Possible StringData Ref from Code Obj ->"EmptyClipboard"
|
:00404422 68104A4000 push 00404A10
:00404427 57 push edi
* Reference To: KERNEL32.GetProcAddress, Ord:0000h
|
:00404428 FF15A8504000 Call dword ptr [004050A8]
:0040442E A304494000 mov dword ptr [00404904], eax
* Possible StringData Ref from Code Obj ->"SetClipboardData"
|
:00404433 68504A4000 push 00404A50
:00404438 57 push edi
* Reference To: KERNEL32.GetProcAddress, Ord:0000h
|
:00404439 FF15A8504000 Call dword ptr [004050A8]
:0040443F A318494000 mov dword ptr [00404918], eax
* Possible StringData Ref from Code Obj ->"CloseClipboard"
|
:00404444 68704A4000 push 00404A70
:00404449 57 push edi
* Reference To: KERNEL32.GetProcAddress, Ord:0000h
|
:0040444A FF15A8504000 Call dword ptr [004050A8]
:00404450 A314494000 mov dword ptr [00404914], eax
:00404455 6830554000 push 00405530
* Reference To: KERNEL32.GetModuleHandleA, Ord:0000h
|
:0040445A FF1538504000 Call dword ptr [00405038]
:00404460 8BF8 mov edi, eax
* Possible StringData Ref from Code Obj ->"GlobalAlloc"
|
:00404462 68204A4000 push 00404A20
:00404467 57 push edi
* Reference To: KERNEL32.GetProcAddress, Ord:0000h
|
:00404468 FF15A8504000 Call dword ptr [004050A8]
:0040446E A308494000 mov dword ptr [00404908], eax
* Possible StringData Ref from Code Obj ->"GlobalLock"
|
:00404473 68304A4000 push 00404A30
:00404478 57 push edi
* Reference To: KERNEL32.GetProcAddress, Ord:0000h
|
:00404479 FF15A8504000 Call dword ptr [004050A8]
:0040447F A30C494000 mov dword ptr [0040490C], eax
* Possible StringData Ref from Code Obj ->"GlobalUnlock"
|
:00404484 68404A4000 push 00404A40
:00404489 57 push edi
* Reference To: KERNEL32.GetProcAddress, Ord:0000h
|
:0040448A FF15A8504000 Call dword ptr [004050A8]
:00404490 A310494000 mov dword ptr [00404910], eax
--- the clipboard calls follow (note that none of the return values is checked for failure) ---
:00404495 6A00 push 00000000
:00404497 FF1500494000 call dword ptr [00404900]
:0040449D FF1504494000 call dword ptr [00404904]
:004044A3 BF809B4000 mov edi, 00409B80
:004044A8 83C9FF or ecx, FFFFFFFF
:004044AB 33C0 xor eax, eax
:004044AD F2 repnz
:004044AE AE scasb
:004044AF F7D1 not ecx
:004044B1 2BF9 sub edi, ecx
:004044B3 57 push edi
:004044B4 51 push ecx
:004044B5 41 inc ecx
:004044B6 51 push ecx
:004044B7 6800200000 push 00002000
:004044BC FF1508494000 call dword ptr [00404908]
:004044C2 A31C494000 mov dword ptr [0040491C], eax
:004044C7 50 push eax
:004044C8 FF150C494000 call dword ptr [0040490C]
:004044CE A320494000 mov dword ptr [00404920], eax
:004044D3 59 pop ecx
:004044D4 5E pop esi
:004044D5 8BF8 mov edi, eax
:004044D7 F3 repz
:004044D8 A4 movsb
:004044D9 FF3520494000 push dword ptr [00404920]
:004044DF FF1510494000 call dword ptr [00404910]
:004044E5 FF3520494000 push dword ptr [00404920]
:004044EB 6A01 push 00000001
:004044ED FF1518494000 call dword ptr [00404918]
:004044F3 FF1514494000 call dword ptr [00404914]
----------- restore the registers, re-execute the two instructions the jmp overwrote, and jump back -----------
:004044F9 669D popf
:004044FB 6661 popa
:004044FD 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Crackcode 2000 -- Author:Ru Feng "
->"(http:\\ocqpat.163.net)"
|
:004044FF 68AC624000 push 004062AC
:00404504 E99ACFFFFF jmp 004014A3
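The whole procedure above (name table, pointer table, resolve stubs, clipboard cave, hook jmp and return jmp) as a small Python builder. This is an added example, not the author's code: it encodes only the instruction forms the patch uses, lays the three regions out at the addresses from the plan (so the pointer slots follow the plan, with SetClipboardData at 404914, rather than the swapped order in the patch as written), uses the 32-bit pusha/pushf, and passes hMemory rather than pMemory to GlobalUnlock and SetClipboardData. The IAT thunk addresses, module-name strings, hook address and buffer address are the ones from 豆豆虾's notes; nothing here writes into the executable, it only produces the bytes you would type into hiew and lets you check the rel32 displacements against the disassembly.

```python
import struct

# Addresses from the author's plan and notes (virtual addresses, image base 0x400000).
CAVE_CODE  = 0x404400   # inserted code
FUNC_TABLE = 0x404900   # 4-byte slots: resolved API pointers, then hMemory, pMemory
NAME_TABLE = 0x404A00   # API names, NUL-terminated, padded with 0x90 to 16-byte slots
IAT_GETMODULEHANDLEA = 0x405038   # thunks crackcode already imports
IAT_GETPROCADDRESS   = 0x4050A8
STR_KERNEL32 = 0x405530           # "KERNEL32.DLL" already present in the image
STR_USER32   = 0x40553D           # "USER32.DLL"
HOOK_AT   = 0x40149A              # the jmp to the cave goes here
RETURN_TO = 0x4014A3              # first instruction left intact after the hook
BUFFER    = 0x409B80              # serial text filled in by ReadProcessMemory
GMEM_DDESHARE, CF_TEXT = 0x2000, 1

# (dll, name) in the order the author laid the names out
APIS = [("user32", "OpenClipboard"), ("user32", "EmptyClipboard"),
        ("kernel32", "GlobalAlloc"), ("kernel32", "GlobalLock"),
        ("kernel32", "GlobalUnlock"), ("user32", "SetClipboardData"),
        ("user32", "CloseClipboard")]

def u32(v):
    return struct.pack("<I", v & 0xFFFFFFFF)

# The handful of x86 encodings the patch uses.
def rel32(src, dst, length=5):
    """Displacement of a rel32 jmp/call at src, measured from the next instruction."""
    return (dst - (src + length)) & 0xFFFFFFFF

def jmp_rel32(src, dst):
    return b"\xE9" + u32(rel32(src, dst))

def push_imm(v):                 # 6A ib for small values, 68 id otherwise
    return (b"\x6A" + struct.pack("<b", v)) if -128 <= v < 128 else (b"\x68" + u32(v))

def push_mem(addr):              # FF 35 disp32   push dword ptr [addr]
    return b"\xFF\x35" + u32(addr)

def call_mem(addr):              # FF 15 disp32   call dword ptr [addr]
    return b"\xFF\x15" + u32(addr)

def mov_mem_eax(addr):           # A3 disp32      mov dword ptr [addr], eax
    return b"\xA3" + u32(addr)

def name_table():
    """Bytes for 404A00 and the address of each name, laid out like the hiew dump."""
    blob, addrs = b"", {}
    for _, name in APIS:
        addrs[name] = NAME_TABLE + len(blob)
        s = name.encode() + b"\x00"
        blob += s + b"\x90" * (-len(s) % 16)
    return blob, addrs

def func_slots():
    """Slot address for each resolved pointer, then the two variables."""
    names = [n for _, n in APIS] + ["hMemory", "pMemory"]
    return {n: FUNC_TABLE + 4 * i for i, n in enumerate(names)}

def resolve_stub(name_addr, slot):
    """push name; push edi (module handle); call [GetProcAddress]; mov [slot], eax"""
    return push_imm(name_addr) + b"\x57" + call_mem(IAT_GETPROCADDRESS) + mov_mem_eax(slot)

def build_cave():
    """Code at CAVE_CODE: save registers, resolve APIs, copy the serial to the clipboard,
    restore registers, re-execute the two overwritten pushes and jump back."""
    _, names = name_table()
    slot = func_slots()
    code = b"\x60\x9C"                                          # pusha; pushf (32-bit forms)
    for dll, mod_str in (("user32", STR_USER32), ("kernel32", STR_KERNEL32)):
        code += push_imm(mod_str) + call_mem(IAT_GETMODULEHANDLEA) + b"\x8B\xF8"  # mov edi, eax
        for d, n in APIS:
            if d == dll:
                code += resolve_stub(names[n], slot[n])
    code += push_imm(0) + call_mem(slot["OpenClipboard"]) + call_mem(slot["EmptyClipboard"])
    code += b"\xBF" + u32(BUFFER)                               # mov edi, BUFFER
    code += b"\x83\xC9\xFF\x33\xC0\xF2\xAE\xF7\xD1\x2B\xF9"      # strlen: ecx = len+1, edi = start
    code += b"\x57\x51\x41\x51"                                 # push edi; push ecx; inc ecx; push ecx
    code += push_imm(GMEM_DDESHARE) + call_mem(slot["GlobalAlloc"]) + mov_mem_eax(slot["hMemory"])
    code += b"\x50" + call_mem(slot["GlobalLock"]) + mov_mem_eax(slot["pMemory"])
    code += b"\x59\x5E\x8B\xF8\xF3\xA4"                         # pop ecx; pop esi; mov edi, eax; rep movsb
    code += push_mem(slot["hMemory"]) + call_mem(slot["GlobalUnlock"])
    code += push_mem(slot["hMemory"]) + push_imm(CF_TEXT) + call_mem(slot["SetClipboardData"])
    code += call_mem(slot["CloseClipboard"])
    code += b"\x9D\x61"                                         # popf; popa
    code += push_imm(0) + push_imm(0x4062AC)                    # the two pushes the hook overwrote
    return code + jmp_rel32(CAVE_CODE + len(code), RETURN_TO)

def build_hook():
    """Bytes written over HOOK_AT: jmp to the cave, then nops up to RETURN_TO."""
    j = jmp_rel32(HOOK_AT, CAVE_CODE)
    return j + b"\x90" * (RETURN_TO - HOOK_AT - len(j))

def layout():
    """Everything to type into hiew: {virtual address: bytes}."""
    return {HOOK_AT: build_hook(), CAVE_CODE: build_cave(), NAME_TABLE: name_table()[0]}

if __name__ == "__main__":
    for va, data in sorted(layout().items()):
        print(f"{va:08X}: {data.hex().upper()}")
```

A rel32 displacement is measured from the end of the 5-byte jmp, so the hook's jmp at 40149A encodes as E9 612F0000 (404400 - 40149F = 2F61) and the author's return jmp at 404504 as E9 9ACFFFFF (4014A3 - 404509 = -3066). The builder's cave is four bytes shorter than the author's because it uses the one-byte pusha/pushf/popf/popa, so its return jmp sits at 404500 and its displacement differs accordingly; that is exactly the kind of shift you have to recompute whenever you move or edit a cave by hand.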
Finally finished; 豆豆虾 owes me a big dinner for this!