如何让crackcode变得具有粘贴功能
如何让crackcode变得具有粘贴功能前言: 整个过程当成一个project(项目),真的可以过把瘾哦!:) 1、如何让crackcode变得具有粘贴功能的经过 当初豆豆虾修改成突破25位后,无意中看到一个贴,说到crackcode不具有粘贴 功能,使用起来特不方便的。豆豆虾想,嘿!还真的是挺实用的一个功能。开始琢磨如何 修改代码。这其中的过程,从琢磨、修改、调试自至成功。对于豆豆虾来说,充满乐趣 和熬夜。但我想,如果能把乐趣,与更多人来分享,那不是更快乐吗?!人生几何,自 己觉好的东东,暂且不论其好与坏,都可以拿出来与别人分享,也许希望能马上得到认 可,如果遭到冷嘲热讽后,而不继续前行,会觉很可惜。还是那一句老话--"走自己的 路,让别人说去吧!"时间可以证明一切( 呵呵~~~,两篇文章始终围绕这个中心思想 哦!如果能我有机会再碰到,从前教过我语文的老师,或许可以拿到个60分及格哦!哈 哈~~。我非常留念从前的老师、朋友、同学,如果有机会在一起的,多好,如今都各 奔东西。前几天电视采访大运大使杨澜时,她说常在梦中梦见最多的是,自己的校 园,每个角落,和同学们度过美好时光。珍惜在你自己周围的朋友、亲人吧!一份汗水、 一份喜悦;一份帮助,一份友情。 2、编写具有粘贴功能的程序 需要加入粘贴功能,必须得知道如何编写具有粘贴功能的程序,以及实现的原 理。 豆豆虾说“简单,在internet上,随时随地都能找到你需要的东西”,于是找到了如 下的程序: how to place text on the clipboard cstring source; //put your text in source if(openclipboard()) { hglobal clipbuffer; char * buffer; emptyclipboard(); clipbuffer = globalalloc(gmem_ddeshare, source.getlength()+1); buffer = (char*)globallock(clipbuffer); strcpy(buffer, lpcstr(source)); globalunlock(clipbuffer); setclipboarddata(cf_text,clipbuffer); closeclipboard(); } how to get text off of the clipboard this is easy really but here it is for completeness char * buffer; if(openclipboard()) { buffer = (char*)getclipboarddata(cf_text); //do something with buffer here //before it goes out of scope } closeclipboard(); 对以上的代码作了小小的调整。如何使用这段代码?在vc中自动生成一个基于于对话框 程序,双击ok按钮,把以下程序粘贴过去,这样大功告成。运行程序,点击ok键,这样 在剪贴板中的内容就是“test for clipbroad!!” void CClipbroadDlg::OnOK() { // TODO: Add extra validation here CString source("test for clipbroad!!!"); //初始化source //put your text in source if(OpenClipboard()) //打开剪贴板 { HGLOBAL clipbuffer; char * buffer; clipbuffer = GlobalAlloc(GMEM_DDESHARE, source.GetLength()+1); //分配一段dde内存 EmptyClipboard(); //清空剪贴板 buffer = (char*)GlobalLock(clipbuffer); //锁定申请到的内存 strcpy(buffer, LPCSTR(source)); //复制字符串到内存 GlobalUnlock(clipbuffer); //解锁内存 SetClipboardData(CF_TEXT,clipbuffer); //设定剪贴板的内容 CloseClipboard(); } //关闭剪贴板 } 3、转换vc程序为汇编程序。 为什么要这样呢??原因有两点:一、对于CF_TEXT之类的宏,不知道到底是代表什么 值 二、汇编程序反编译可以非常简单的照搬到程序中。 我把iczelion的第一个masm的ok演示程序修改成如下: .386 .model flat, stdcall option casemap:none include \masm32\include\windows.inc include \masm32\include\kernel32.inc include \masm32\include\user32.inc includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib .data MsgCaption db Iczelion's tutorial no.2",0 MsgBoxText db Win32 Assembly is Great!",0 .data? hMemory HANDLE ? pMemory DWORD ? .code start: invoke OpenClipboard,NULL ;打开剪贴板 test eax,eax je endpro mov edi,offset MsgCaption ; 取得标题,把它当成剪贴板中的内容 or ecx,0FFFFFFFFh xor eax,eax repnz scasb not ecx ;得到标题长度 sub edi,ecx push ecx push edi ;这两个push也许不需要。没有时间去尝试 inc ecx invoke GlobalAlloc,GMEM_DDESHARE,ecx ;锁定申请到的内存 mov hMemory,eax invoke EmptyClipboard ;/清空剪贴板 invoke GlobalLock,hMemory ;锁定申请到的内存 mov pMemory,eax pop esi pop ecx mov edi,eax rep movs byte ptr [edi],byte ptr [esi] ;/复制字符串到内存 invoke GlobalUnlock,pMemory ;解锁内存 invoke SetClipboardData,CF_TEXT,pMemory; ;设定剪贴板的内容 invoke CloseClipboard ;关闭剪贴板 endpro: invoke MessageBox, NULL,addr MsgBoxText, addr MsgCaption, MB_OK invoke ExitProcess,NULL end start 4、再看看反编译的结果:(其中一个目的是想得到需要宏的数值,其实也有简单 的方法,就是查询windows.h) //******************** Program Entry Point ******** :00401000 6A00 push 00000000 * Reference To: USER32.OpenClipboard, Ord:01D0h | :00401002 E88B000000 Call 00401092 :00401007 85C0 test eax, eax :00401009 745B je 00401066 * Possible StringData Ref from Data Obj ->"Iczelion's tutorial no.2" | :0040100B BF00304000 mov edi, 00403000 :00401010 83C9FF or ecx, FFFFFFFF :00401013 33C0 xor eax, eax :00401015 F2 repnz :00401016 AE scasb :00401017 F7D1 not ecx :00401019 2BF9 sub edi, ecx :0040101B 51 push ecx :0040101C 57 push edi :0040101D 41 inc ecx :0040101E 51 push ecx :0040101F 6800200000 push 00002000 //,GMEM_DDESHARE * Reference To: KERNEL32.GlobalAlloc, Ord:0168h | :00401024 E87B000000 Call 004010A4 :00401029 A334304000 mov dword ptr [00403034], eax * Reference To: USER32.EmptyClipboard, Ord:00B3h | :0040102E E853000000 Call 00401086 :00401033 FF3534304000 push dword ptr [00403034] * Reference To: KERNEL32.GlobalLock, Ord:0173h | :00401039 E86C000000 Call 004010AA :0040103E A338304000 mov dword ptr [00403038], eax :00401043 5E pop esi :00401044 59 pop ecx :00401045 8BF8 mov edi, eax :00401047 F3 repz :00401048 A4 movsb :00401049 FF3538304000 push dword ptr [00403038] * Reference To: KERNEL32.GlobalUnlock, Ord:017Ah | :0040104F E85C000000 Call 004010B0 :00401054 FF3538304000 push dword ptr [00403038] :0040105A 6A01 push 00000001 //,CF_TEXT * Reference To: USER32.SetClipboardData, Ord:021Fh | :0040105C E837000000 Call 00401098 * Reference To: USER32.CloseClipboard, Ord:003Bh | :00401061 E81A000000 Call 00401080 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401009(C) | :00401066 6A00 push 00000000 * Possible StringData Ref from Data Obj ->"Iczelion's tutorial no.2" | :00401068 6800304000 push 00403000 * Possible StringData Ref from Data Obj ->"Win32 Assembly is Great!" | :0040106D 6819304000 push 00403019 :00401072 6A00 push 00000000 * Reference To: USER32.MessageBoxA, Ord:01BBh | :00401074 E813000000 Call 0040108C :00401079 6A00 push 00000000 * Reference To: KERNEL32.ExitProcess, Ord:0075h | :0040107B E81E000000 Call 0040109E 5、寻找空间插入代码 前面做了如此多的准备工作,都是为了这一步。正所谓,现实中机会是 很多,关键你的知识是否已经准备充足呢??:) 首先使用topo软件,进行测量crackcode中是否有空间插入代码。然后再使用 hiew进行静态的写入代码。运行前,需要把代码的SECTION属性,通过pebulid编辑 成可读可写的。 通过topo得到空间后,接下来你需要做一个小小的计划。 1、404400 ---插入代码的开始 2、404900 ---调用函数的地址 3、404A00---调用的函数名 同时,调用的函数入口,必须得通过getprocessaddress,getmodulehandled 得到。 以下是豆豆虾的笔记: getprocessaddress call dword ptr [4050A8] getmodulehandled call dword ptr [405038] KERNEL32.DLL-------405530 USER32.DLL-----------40553d plan : 1、404400---code 2、404900---address of function 3、404A00---function's name 404A00---function's name ▓ 00004A00: 4F 70 65 6E-43 6C 69 70-62 6F 61 72-64 00 90 90 OpenClipboard éé ▓ 00004A10: 45 6D 70 74-79 43 6C 69-70 62 6F 61-72 64 00 90 EmptyClipboard é ▓ 00004A20: 47 6C 6F 62-61 6C 41 6C-6C 6F 63 00-90 90 90 90 GlobalAlloc éééé ▓ 00004A30: 47 6C 6F 62-61 6C 4C 6F-63 6B 00 90-90 90 90 90 GlobalLock ééééé ▓ 00004A40: 47 6C 6F 62-61 6C 55 6E-6C 6F 63 6B-00 90 90 90 GlobalUnlock ééé ▓ 00004A50: 53 65 74 43-6C 69 70 62-6F 61 72 64-44 61 74 61 SetClipboardData ▓ 00004A60: 00 90 90 90-90 90 90 90-90 90 90 90-90 90 90 90 ééééééééééééééé ▓ 00004A70: 43 6C 6F 73-65 43 6C 69-70 62 6F 61-72 64 00 90 CloseClipboard é 404900---address of function OpenClipboard = 404900 ---user32.dll EmptyClipboard = 404904 ---user32.dll GlobalAlloc = 404908 ---kernel32.dll GlobalLock = 40490C ---kernel32.dll GlobalUnlock = 404910 ---kernel32.dll SetClipboardData = 404914 ---user32.dll CloseClipboard = 404918 ---user32.dll hmemory = 40491C var pmemory = 404920 var 好了,有了如此之多的准备,该开始修改了,八年抗战该结束了 呵呵~~~ ==========突破24位的修改============= :00401448 BB4CA64000 mov ebx, 0040A64C :0040144D B9CCA14000 mov ecx, 0040A1CC :00401452 8A03 mov al, byte ptr [ebx] :00401454 3CF5 cmp al, F5 :00401456 7426 je 0040147E :00401458 83E904 sub ecx, 00000004 :0040145B 3CF0 cmp al, F0 :0040145D 741F je 0040147E :0040145F 83E904 sub ecx, 00000004 :00401462 3CF1 cmp al, F1 :00401464 7418 je 0040147E :00401466 83E904 sub ecx, 00000004 :00401469 3CF2 cmp al, F2 :0040146B 7411 je 0040147E :0040146D 83E904 sub ecx, 00000004 :00401470 3CF3 cmp al, F3 :00401472 740A je 0040147E :00401474 83E904 sub ecx, 00000004 :00401477 3C90 cmp al, 90 :00401479 7403 je 0040147E :0040147B 83E904 sub ecx, 00000004 * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:00401456(C), :0040145D(C), :00401464(C), :0040146B(C), :00401472(C) |:00401479(C) | :0040147E 6A00 push 00000000 :00401480 6A28 push 00000028 :00401482 68809B4000 push 00409B80 :00401487 FF31 push dword ptr [ecx] :00401489 FF3510A44000 push dword ptr [0040A410] * Reference To: KERNEL32.ReadProcessMemory, Ord:0000h | :0040148F FF1524504000 Call dword ptr [00405024] :00401495 BB809B4000 mov ebx, 00409B80 :0040149A E9612F0000 jmp 00404400 +++++++++这句jmp到插入的代码处++++++++++++++++ :0040149F 90 nop :004014A0 90 nop :004014A1 90 nop :004014A2 90 nop * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00404504(U) | :004014A3 53 push ebx :004014A4 6A00 push 00000000 * Reference To: USER32.MessageBoxA, Ord:0000h | :004014A6 FF15C0504000 Call dword ptr [004050C0] :004014AC E8BB040000 call 0040196C =========突破24位的修改============== =========增加粘贴功能=============== :00404400 6660 pusha :00404402 669C pushf //保护寄存器 ---------取得各个函数的入口------------ :00404404 683D554000 push 0040553D * Reference To: KERNEL32.GetModuleHandleA, Ord:0000h | :00404409 FF1538504000 Call dword ptr [00405038] :0040440F 8BF8 mov edi, eax * Possible StringData Ref from Code Obj ->"OpenClipboard" | :00404411 68004A4000 push 00404A00 :00404416 57 push edi * Reference To: KERNEL32.GetProcAddress, Ord:0000h | :00404417 FF15A8504000 Call dword ptr [004050A8] :0040441D A300494000 mov dword ptr [00404900], eax * Possible StringData Ref from Code Obj ->"EmptyClipboard" | :00404422 68104A4000 push 00404A10 :00404427 57 push edi * Reference To: KERNEL32.GetProcAddress, Ord:0000h | :00404428 FF15A8504000 Call dword ptr [004050A8] :0040442E A304494000 mov dword ptr [00404904], eax * Possible StringData Ref from Code Obj ->"SetClipboardData" | :00404433 68504A4000 push 00404A50 :00404438 57 push edi * Reference To: KERNEL32.GetProcAddress, Ord:0000h | :00404439 FF15A8504000 Call dword ptr [004050A8] :0040443F A318494000 mov dword ptr [00404918], eax * Possible StringData Ref from Code Obj ->"CloseClipboard" | :00404444 68704A4000 push 00404A70 :00404449 57 push edi * Reference To: KERNEL32.GetProcAddress, Ord:0000h | :0040444A FF15A8504000 Call dword ptr [004050A8] :00404450 A314494000 mov dword ptr [00404914], eax :00404455 6830554000 push 00405530 * Reference To: KERNEL32.GetModuleHandleA, Ord:0000h | :0040445A FF1538504000 Call dword ptr [00405038] :00404460 8BF8 mov edi, eax * Possible StringData Ref from Code Obj ->"GlobalAlloc" | :00404462 68204A4000 push 00404A20 :00404467 57 push edi * Reference To: KERNEL32.GetProcAddress, Ord:0000h | :00404468 FF15A8504000 Call dword ptr [004050A8] :0040446E A308494000 mov dword ptr [00404908], eax * Possible StringData Ref from Code Obj ->"GlobalLock" | :00404473 68304A4000 push 00404A30 :00404478 57 push edi * Reference To: KERNEL32.GetProcAddress, Ord:0000h | :00404479 FF15A8504000 Call dword ptr [004050A8] :0040447F A30C494000 mov dword ptr [0040490C], eax * Possible StringData Ref from Code Obj ->"GlobalUnlock" | :00404484 68404A4000 push 00404A40 :00404489 57 push edi * Reference To: KERNEL32.GetProcAddress, Ord:0000h | :0040448A FF15A8504000 Call dword ptr [004050A8] :00404490 A310494000 mov dword ptr [00404910], eax ---以下为剪贴板调用(注意在程序中没有对错误的结果进行判断)------ :00404495 6A00 push 00000000 :00404497 FF1500494000 call dword ptr [00404900] :0040449D FF1504494000 call dword ptr [00404904] :004044A3 BF809B4000 mov edi, 00409B80 :004044A8 83C9FF or ecx, FFFFFFFF :004044AB 33C0 xor eax, eax :004044AD F2 repnz :004044AE AE scasb :004044AF F7D1 not ecx :004044B1 2BF9 sub edi, ecx :004044B3 57 push edi :004044B4 51 push ecx :004044B5 41 inc ecx :004044B6 51 push ecx :004044B7 6800200000 push 00002000 :004044BC FF1508494000 call dword ptr [00404908] :004044C2 A31C494000 mov dword ptr [0040491C], eax :004044C7 50 push eax :004044C8 FF150C494000 call dword ptr [0040490C] :004044CE A320494000 mov dword ptr [00404920], eax :004044D3 59 pop ecx :004044D4 5E pop esi :004044D5 8BF8 mov edi, eax :004044D7 F3 repz :004044D8 A4 movsb :004044D9 FF3520494000 push dword ptr [00404920] :004044DF FF1510494000 call dword ptr [00404910] :004044E5 FF3520494000 push dword ptr [00404920] :004044EB 6A01 push 00000001 :004044ED FF1518494000 call dword ptr [00404918] :004044F3 FF1514494000 call dword ptr [00404914] -----------以下为恢复被覆盖的代码--------- :004044F9 669D popf :004044FB 6661 popa :004044FD 6A00 push 00000000 * Possible StringData Ref from Data Obj ->"Crackcode 2000 -- Author:Ru Feng ->"(http:\\ocqpat.163.net)" | :004044FF 68AC624000 push 004062AC :00404504 E99ACFFFFF jmp 004014A3 终于写完了,回头得让豆豆虾请我大餐不可!