第一步：用 OD 载入大智慧 7.7.0625 版，查找字符串“等待服务器应答…”。
找到后，按下面标出的四处修改进行二进制修改，然后保存。
01182C5C . FF90 98000000 call dword ptr [eax+98]
01182C62 . 33DB xor ebx, ebx
01182C64 . 43 inc ebx
01182C65 . 3BC3 cmp eax, ebx
01182C67 0F85 9A010000 jnz 01182E07 ; nop掉 修改一
01182C6D . B8 01880000 mov eax, 8801
01182C72 . 66:8945 DC mov word ptr [ebp-24], ax
01182C76 . 8B45 08 mov eax, dword ptr [ebp+8]
01182C79 . 35 3EACD97C xor eax, 7CD9AC3E
01182C7E . 8945 E3 mov dword ptr [ebp-1D], eax
01182C81 . 8B45 0C mov eax, dword ptr [ebp+C]
01182C84 . 35 C9A975AD xor eax, AD75A9C9
01182C89 . 8945 E7 mov dword ptr [ebp-19], eax
01182C8C . 8B45 10 mov eax, dword ptr [ebp+10]
01182C8F . 35 A75B5D59 xor eax, 595D5BA7
01182C94 . 8945 EB mov dword ptr [ebp-15], eax
01182C97 . 8D86 02010000 lea eax, dword ptr [esi+102]
01182C9D . 6A 0C push 0C ; /n = C (12.)
01182C9F . 50 push eax ; |s2
01182CA0 . 8D45 E3 lea eax, dword ptr [ebp-1D] ; |
01182CA3 . 50 push eax ; |s1
01182CA4 . 885D DE mov byte ptr [ebp-22], bl ; |
01182CA7 . 895D DF mov dword ptr [ebp-21], ebx ; |
01182CAA . E8 6F914000 call <jmp.&MSVCR100.memcmp> ; \memcmp
01182CAF . 83C4 0C add esp, 0C
01182CB2 . 85C0 test eax, eax
01182CB4 0F84 18010000 je 01182DD2 ; jmp 修改二
01182CBA . 838E FE000000 FF or dword ptr [esi+FE], FFFFFFFF
01182CC1 . 6A 0C push 0C ; /n = C (12.)
01182CC3 . 8D86 02010000 lea eax, dword ptr [esi+102] ; |
01182CC9 . 57 push edi ; |c
01182CCA . 50 push eax ; |s
01182CCB . E8 828F4000 call <jmp.&MSVCR100.memset> ; \memset
01182CD0 . 6A 08 push 8 ; /n = 8
01182CD2 . 8D86 0E010000 lea eax, dword ptr [esi+10E] ; |
01182CD8 . 57 push edi ; |c
01182CD9 . 50 push eax ; |s
01182CDA . E8 738F4000 call <jmp.&MSVCR100.memset> ; \memset
01182CDF . 83C4 18 add esp, 18
01182CE2 . 6A 13 push 13
01182CE4 . 8D45 DC lea eax, dword ptr [ebp-24]
01182CE7 . 50 push eax
01182CE8 . FF96 CC000000 call dword ptr [esi+CC]
01182CEE . 57 push edi
01182CEF . 6A 30 push 30
01182CF1 . 68 60106201 push 01621060 ; 连接服务器
01182CF6 . 8D8D 8CFEFFFF lea ecx, dword ptr [ebp-174]
01182CFC . E8 61301800 call 01305D62
01182D01 . 57 push edi
01182D02 . 68 E1000000 push 0E1
01182D07 . 8D8D 8CFEFFFF lea ecx, dword ptr [ebp-174]
01182D0D . 897D FC mov dword ptr [ebp-4], edi
01182D10 . E8 995C4000 call <jmp.&mfc100.#2752>
01182D15 . 8B1D C8036001 mov ebx, dword ptr [<&KERNEL32.GetTi>; kernel32.GetTickCount
01182D1B . FFD3 call ebx ; [GetTickCount
01182D1D . 8945 CC mov dword ptr [ebp-34], eax
01182D20 . 897D D8 mov dword ptr [ebp-28], edi
01182D23 . EB 6C jmp short 01182D91
01182D25 > 83BE FE000000 FF cmp dword ptr [esi+FE], -1
01182D2C . 75 74 jnz short 01182DA2
01182D2E . 57 push edi
01182D2F . B9 D00C7A01 mov ecx, 017A0CD0
01182D34 . E8 C63C1D00 call 013569FF
01182D39 . FFD3 call ebx
01182D3B . 2B45 CC sub eax, dword ptr [ebp-34]
01182D3E . 8945 D0 mov dword ptr [ebp-30], eax
01182D41 . 3D 10270000 cmp eax, 2710
01182D46 . 7F 50 jg short 01182D98
01182D48 . 2B45 D8 sub eax, dword ptr [ebp-28]
01182D4B . 3D 58020000 cmp eax, 258
01182D50 . 7C 3F jl short 01182D91
01182D52 . 397D D8 cmp dword ptr [ebp-28], edi
01182D55 . 75 29 jnz short 01182D80
01182D57 . 57 push edi
01182D58 . 8D8D 8CFEFFFF lea ecx, dword ptr [ebp-174]
01182D5E . E8 315E4000 call <jmp.&mfc100.#2406>
01182D63 . 6A 05 push 5
01182D65 . 8D8D 8CFEFFFF lea ecx, dword ptr [ebp-174]
01182D6B . E8 F85C4000 call <jmp.&mfc100.#12962>
01182D70 . 68 4C106201 push 0162104C ; 等待服务器应答…
01182D75 . 8D8D 8CFEFFFF lea ecx, dword ptr [ebp-174]
01182D7B . E8 8B2D1800 call 01305B0B
01182D80 > 8D8D 8CFEFFFF lea ecx, dword ptr [ebp-174]
01182D86 . E8 FD2E1800 call 01305C88
01182D8B . 8B45 D0 mov eax, dword ptr [ebp-30]
01182D8E . 8945 D8 mov dword ptr [ebp-28], eax
01182D91 > 397D B8 cmp dword ptr [ebp-48], edi
01182D94 .^ 74 8F je short 01182D25
01182D96 . EB 0A jmp short 01182DA2
01182D98 > C786 FE000000 02000>mov dword ptr [esi+FE], 2
01182DA2 > 8D8D 8CFEFFFF lea ecx, dword ptr [ebp-174]
01182DA8 . E8 995A4000 call <jmp.&mfc100.#3484>
01182DAD . 397D B8 cmp dword ptr [ebp-48], edi
01182DB0 . 74 05 je short 01182DB7
01182DB2 . 897D D8 mov dword ptr [ebp-28], edi
01182DB5 . EB 09 jmp short 01182DC0
01182DB7 > 8B86 FE000000 mov eax, dword ptr [esi+FE]
01182DBD . 8945 D8 mov dword ptr [ebp-28], eax
01182DC0 > 834D FC FF or dword ptr [ebp-4], FFFFFFFF
01182DC4 . 8D8D 8CFEFFFF lea ecx, dword ptr [ebp-174]
01182DCA . E8 9767F0FF call 01089566
01182DCF . 33DB xor ebx, ebx
01182DD1 . 43 inc ebx
01182DD2 > 6A 0C push 0C ; /n = C (12.)
01182DD4 . 8D86 02010000 lea eax, dword ptr [esi+102] ; |
01182DDA . 50 push eax ; |s2
01182DDB . 8D45 E3 lea eax, dword ptr [ebp-1D] ; |
01182DDE . 50 push eax ; |s1
01182DDF . E8 3A904000 call <jmp.&MSVCR100.memcmp> ; \memcmp
01182DE4 . 83C4 0C add esp, 0C
01182DE7 . 85C0 test eax, eax
01182DE9 75 23 jnz short 01182E0E ; NOP 修改三
01182DEB . 6A 08 push 8 ; /n = 8
01182DED . 81C6 0E010000 add esi, 10E ; |
01182DF3 . 56 push esi ; |src
01182DF4 . FF75 C8 push dword ptr [ebp-38] ; |dest
01182DF7 . 897D D8 mov dword ptr [ebp-28], edi ; |
01182DFA . E8 598E4000 call <jmp.&MSVCR100.memcpy> ; \memcpy
01182DFF . 83C4 0C add esp, 0C
01182E02 . 895D D4 mov dword ptr [ebp-2C], ebx
01182E05 . EB 07 jmp short 01182E0E
01182E07 > C745 D8 04000000 mov dword ptr [ebp-28], 4
01182E0E > 397D D8 cmp dword ptr [ebp-28], edi
01182E11 7E 13 jle short 01182E26 ; jmp 修改四
01182E13 . 57 push edi
01182E14 . 57 push edi
01182E15 . FF75 D8 push dword ptr [ebp-28]
01182E18 . E8 C9C3FFFF call 0117F1E6
01182E1D . 83C4 04 add esp, 4
01182E20 . 50 push eax
01182E21 . E8 005C4000 call <jmp.&mfc100.#1982>
01182E26 > 8B45 D4 mov eax, dword ptr [ebp-2C]
01182E29 . E8 538D4000 call 0158BB81
01182E2E . C2 1000 retn 10
以上修改保存后，无需连接大智慧服务器，甚至在断网情况下也可以正常导入导出公式。