系统提速精灵Crack教程(两种方法)〖破解疯狂模式功能〗 已补充第二种方法
方法1:载入OD后,F9运行.运行完毕后,点击设置--提速级别改为 疯狂模式 ,提示 未注册版不能使用疯狂模式提速,返回OD,点击暂停,Alt+K,在调用堆栈里面找到
[*]调用堆栈: 主线程, 条目 11
[*]地址=0012F0C0
[*]堆栈=0072979E
[*]函数过程 / 参数=? MSVBVM60.rtcMsgBox
[*]调用来自=SpeedupS.00729798
[*]结构=0012F0BC
[*]
复制代码
右击--显示调用,就会来到
[*]00729798 .FF15 94104000 call dword ptr ds:[<&MSVBVM60.#595>] ;msvbvm60.rtcMsgBox
[*]
复制代码
上面有三个跳转
[*]00729737 . /0F8D AA010000 jge SpeedupS.007298E7
[*]0072973D . |E9 96010000 jmp SpeedupS.007298D8
[*]00729742 > |E8 E91C0300 call SpeedupS.0075B430
[*]00729747 . |66:85C0 test ax,ax
[*]0072974A . |0F85 25010000 jnz SpeedupS.00729875
[*]00729750 . |B9 04000280 mov ecx,0x80020004
[*]00729755 . |B8 0A000000 mov eax,0xA
[*]0072975A . |894D AC mov dword ptr ss:,ecx
[*]0072975D . |894D BC mov dword ptr ss:,ecx
[*]00729760 . |894D CC mov dword ptr ss:,ecx
[*]00729763 . |8D55 94 lea edx,dword ptr ss:
[*]00729766 . |8D4D D4 lea ecx,dword ptr ss:
[*]00729769 . |8945 A4 mov dword ptr ss:,eax
[*]0072976C . |8945 B4 mov dword ptr ss:,eax
[*]0072976F . |8945 C4 mov dword ptr ss:,eax
[*]00729772 . |C745 9C 481B5>mov dword ptr ss:,SpeedupS.005>
[*]00729779 . |C745 94 08000>mov dword ptr ss:,0x8
[*]00729780 . |FF15 F8114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>;msvbvm60.__vbaVarDup
[*]00729786 . |8D4D A4 lea ecx,dword ptr ss:
[*]00729789 . |8D55 B4 lea edx,dword ptr ss:
[*]0072978C . |51 push ecx
[*]0072978D . |8D45 C4 lea eax,dword ptr ss:
[*]00729790 . |52 push edx
[*]00729791 . |50 push eax
[*]00729792 . |8D4D D4 lea ecx,dword ptr ss:
[*]00729795 . |6A 40 push 0x40
[*]00729797 . |51 push ecx
[*]00729798 . |FF15 94104000 call dword ptr ds:[<&MSVBVM60.#595>] ;msvbvm60.rtcMsgBox
[*]
复制代码
然后把jnz改成je即可
若想把广告去了,把那些提示去了就可以了,
未注册版不能XXXX
方法二,破解注册:
载入OD--F9运行--点击注册--随便输入注册码--确定--提示错误后在OD点击暂停--调用堆栈
[*]调用堆栈: 主线程, 条目 11
[*]地址=0012EAEC
[*]堆栈=0073A5C0
[*]函数过程 / 参数=? MSVBVM60.rtcMsgBox
[*]调用来自=SpeedupS.0073A5BA
[*]结构=0012EAE8
[*]
复制代码
点击一下这个,右击--显示调用
[*]0073A56D . /E9 C9000000 jmp SpeedupS.0073A63B
[*]0073A572 > |B9 04000280 mov ecx,0x80020004
[*]0073A577 . |B8 0A000000 mov eax,0xA
[*]0073A57C . |894D 9C mov dword ptr ss:,ecx
[*]0073A57F . |894D AC mov dword ptr ss:,ecx
[*]0073A582 . |894D BC mov dword ptr ss:,ecx
[*]0073A585 . |8D55 84 lea edx,dword ptr ss:
[*]0073A588 . |8D4D C4 lea ecx,dword ptr ss:
[*]0073A58B . |8945 94 mov dword ptr ss:,eax
[*]0073A58E . |8945 A4 mov dword ptr ss:,eax
[*]0073A591 . |8945 B4 mov dword ptr ss:,eax
[*]0073A594 . |C745 8C AC2A5>mov dword ptr ss:,SpeedupS.005>
[*]0073A59B . |C745 84 08000>mov dword ptr ss:,0x8
[*]0073A5A2 . |FF15 F8114000 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>;MSVBVM60.__vbaVarDup
[*]
复制代码
在关键跳的下面的一个MOV
[*]0073A572 > \B9 04000280 mov ecx,0x80020004
[*]
复制代码
在HEX数据下面的一个框框(不知道怎么说),右击-转到 je 来到 0073A391
http://fj.ikafan.com/attachment/forum/201207/06/1920543f5oobq865fu2ut3.jpg
就会来到这里
[*]0073A391 . /0F84 DB010000 je SpeedupS.0073A572
[*]0073A397 . |E8 040E0200 call SpeedupS.0075B1A0
[*]0073A39C . |8BD0 mov edx,eax
[*]0073A39E . |8D4D E8 lea ecx,dword ptr ss:
[*]0073A3A1 . |FFD6 call esi
[*]0073A3A3 . |50 push eax
[*]0073A3A4 . |FF15 A4114000 call dword ptr ds:[<&MSVBVM60.__vbaR8Str>;MSVBVM60.__vbaR8Str
[*]0073A3AA . |DC05 18134000 fadd qword ptr ds:
[*]0073A3B0 . |83EC 08 sub esp,0x8
[*]0073A3B3 . |DFE0 fstsw ax
[*]0073A3B5 . |A8 0D test al,0xD
[*]
复制代码
把je改成jnz即可
页:
[1]