<html>
<head>
<title>看雪学苑</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css">
<!--
.p8 { font-size: 8pt}
.p9 { font-size: 9pt}
a:hover { color: #00FF00}
a { text-decoration: none}
.p12 { font-size: 12pt; font-weight: bold; color: #FF3333}
-->
</style>
</head>
<body bgcolor="#FFFFFF">
<table width="100%" cellspacing="0">
<tr>
<td>
<div align="center">
<div align="left">
<pre class="p8"> More on "Cracking the 超级解霸2000 Trial Version"
*** This is a revised version of "Cracking the 超级解霸2000 Trial Version", with a more detailed walkthrough, well suited for beginners who want to learn by example ***
Earlier I wrote "Cracking the 超级解霸2000 Trial Version" and thought it was done, but later, while working on 虚拟光驱2000, I set the
date forward by a month and happened to run 超级解霸: the annoying expiry error window popped up again. Damn! There was another trap!!
So I went back and analysed the code in detail with W32Dasm, and sure enough there are three checkpoints; heh, this domestic software
really went to some trouble. When the trial version runs, it has to pass, in order, the "BERUN" 30-run-count check, the 30-day trial
period check, and the registry 64-run-count check. You can use "String Data References" to search for the string
"The Time is over !Please Get one Gold Version !" and find the code for the expiry error window, shown below:
———————————————————Entry point————————————————————————
* Referenced by a CALL at Addresses:
|:00414782 , :004147E4 , :0041480F
|
:0040FAF0 81ECD4000000 sub esp, 000000D4
:0040FAF6 8D442454 lea eax, dword ptr [esp+54]
:0040FAFA 53 push ebx
:0040FAFB 56 push esi
:0040FAFC 8B0D9C874200 mov ecx, dword ptr [0042879C]
* Possible Reference to Dialog: DialogID_0080
|
:0040FB02 6880000000 push 00000080
* Reference To: USER32.LoadStringA, Ord:01A9h
|
:0040FB07 8B35D8084A00 mov esi, dword ptr [004A08D8]
:0040FB0D C744240CD2040000 mov [esp+0C], 000004D2
:0040FB15 50 push eax
* Possible Reference to String Resource ID=50061: "The Time is over !
Please Get one Gold
Version !"
|
:0040FB16 688DC30000 push 0000C38D
:0040FB1B 51 push ecx
:0040FB1C FFD6 call esi
———————————————————Entry point————————————————————————
As you can see, three places call this code: 00414782, 004147E4 and 0041480F, so everything is clear. Now let me walk
through it following the program flow:
———————————————————Through the defence lines———————————————————————
:004146E8 8D442478 lea eax, dword ptr [esp+78] ;buffer that receives the returned item string
* Possible StringData Ref from Data Obj ->"STHVCD.INI" ;name of the initialisation (INI) file
|
:004146EC 6824674200 push 00426724
* Possible Reference to Dialog: DialogID_0080
|
:004146F1 6880000000 push 00000080 ;maximum number of characters in the buffer
:004146F6 50 push eax ;buffer for the returned item string
:004146F7 68D0664200 push 004266D0 ;default value returned when the item is not found, here NULL
* Possible StringData Ref from Data Obj ->"SOURCEPATH"
|
:004146FC 68A48C4200 push 00428CA4 ;name of the key to read
* Possible StringData Ref from Data Obj ->"INSTALL" ;name of the section to look the key up in
|
:00414701 68D0694200 push 004269D0
* Reference To: KERNEL32.GetPrivateProfileStringA, Ord:019Fh
|
:00414706 FF1564064A00 Call dword ptr [004A0664]
:0041470C 85C0 test eax, eax
:0041470E 7422 je 00414732 ;zero bytes copied into the buffer, i.e. STHVCD.INI has no such key
:00414710 0FBE442478 movsx eax, byte ptr [esp+78] ;copy the first byte of the buffer into EAX
:00414715 83F861 cmp eax, 00000061 ;compare with 'a' (61h)
:00414718 7C05 jl 0041471F
:0041471A 83F87A cmp eax, 0000007A ;compare with 'z' (7Ah)
:0041471D 7E0D jle 0041472C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414718(C)
|
;Guess: if 超级解霸2000 was installed from CD-ROM, the first character of SOURCEPATH is set to
;a lowercase letter, and when the fourth character is NULL as well (i.e. a root directory such
;as e:\), the BERUN check is skipped and execution goes straight to the date check. If installed
;from CD-ROM, the first character is set to uppercase, and the BERUN value has to be checked.
:0041471F 8A44247B mov al, byte ptr [esp+7B] ;fourth byte of the buffer
:00414723 84C0 test al, al
:00414725 B801000000 mov eax, 00000001
:0041472A 7402 je 0041472E ;fourth byte is NULL: keep EAX = 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041471D(C)
|
:0041472C 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041472A(C)
|
:0041472E 85C0 test eax, eax
:00414730 7572 jne 004147A4 ;jump to the date check————————————1.1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041470E(C)
|
* Possible StringData Ref from Data Obj ->"STHVCD.INI"
|
:00414732 6824674200 push 00426724
:00414737 6A01 push 00000001
* Possible StringData Ref from Data Obj ->"BERUN"
|
:00414739 689C8C4200 push 00428C9C
* Possible StringData Ref from Data Obj ->"SETTING"
|
:0041473E 6810674200 push 00426710
* Reference To: KERNEL32.GetPrivateProfileIntA, Ord:0199h
|
:00414743 FF15F8064A00 Call dword ptr [004A06F8]
:00414749 8D5801 lea ebx, dword ptr [eax+01] ;add 1 to the run count so far and put it in EBX
:0041474C 8D442478 lea eax, dword ptr [esp+78]
:00414750 53 push ebx
* Possible StringData Ref from Data Obj ->"%d"
|
:00414751 68F8664200 push 004266F8
:00414756 50 push eax
* Reference To: USER32.wsprintfA, Ord:029Fh
|
:00414757 FF15E4084A00 Call dword ptr [004A08E4]
:0041475D 8D842484000000 lea eax, dword ptr [esp+00000084]
:00414764 83C40C add esp, 0000000C
* Possible StringData Ref from Data Obj ->"STHVCD.INI"
|
:00414767 6824674200 push 00426724
:0041476C 50 push eax
* Possible StringData Ref from Data Obj ->"BERUN"
|
:0041476D 689C8C4200 push 00428C9C
* Possible StringData Ref from Data Obj ->"SETTING"
|
:00414772 6810674200 push 00426710
* Reference To: KERNEL32.WritePrivateProfileStringA, Ord:033Bh
|
:00414777 FF1570064A00 Call dword ptr [004A0670]
:0041477D 83FB1E cmp ebx, 0000001E
:00414780 7E22 jle 004147A4 ;not more than 30 runs: jump to the date check—————1.2
:00414782 E869B3FFFF call 0040FAF0 ;otherwise pop up the expiry error window
:00414787 A19C874200 mov eax, dword ptr [0042879C]
:0041478C 8B0D98874200 mov ecx, dword ptr [00428798]
:00414792 3BC1 cmp eax, ecx
:00414794 7407 je 0041479D
:00414796 50 push eax
* Reference To: KERNEL32.FreeLibrary, Ord:0133h
|
:00414797 FF15F0064A00 Call dword ptr [004A06F0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414794(C)
|
:0041479D 33C0 xor eax, eax
:0041479F E972070000 jmp 00414F16
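The first checkpoint (004146E8 to 00414780) rewritten as a Python model, an added illustration that is not code from 超级解霸2000 or from this write-up; the STHVCD.INI text is constructed, and the letter test follows the compare constants 61h/7Ah ('a'..'z') in the listing rather than the wording of the guess above.

```python
"""Added model of the first trial checkpoint (004146E8..00414780); not code
from 超级解霸2000 or the write-up. The STHVCD.INI text is constructed."""
import configparser
import io

MAX_RUNS = 30  # cmp ebx, 0000001E at 0041477D


def berun_check_skipped(source_path: str) -> bool:
    """Mirror of 00414710..00414730: True when EAX != 0 at 0041472E, i.e. the
    program jumps to the date check without reading or bumping BERUN."""
    if not source_path:  # GetPrivateProfileStringA copied 0 bytes -> je 00414732
        return False
    first = ord(source_path[0])  # movsx eax, byte ptr [esp+78]
    if 0x61 <= first <= 0x7A:  # between 'a' and 'z': jle 0041472C -> xor eax, eax
        return False
    fourth = source_path[3] if len(source_path) > 3 else "\0"  # mov al, [esp+7B]
    return fourth == "\0"  # test al, al / je 0041472E with EAX = 1


def first_checkpoint(ini_text: str) -> tuple[str, str]:
    """Run the checkpoint over the contents of STHVCD.INI.
    Returns (outcome, updated_ini_text); outcome is 'date_check' (jump to
    004147A4) or 'expired' (call 0040FAF0, the "The Time is over" dialog)."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep key names as written (SOURCEPATH, BERUN)
    cfg.read_string(ini_text)
    source_path = cfg.get("INSTALL", "SOURCEPATH", fallback="")
    if berun_check_skipped(source_path):
        return "date_check", ini_text  # jne 004147A4 at 00414730 (1.1)
    # GetPrivateProfileIntA with default 1, then lea ebx, [eax+01]
    runs = cfg.getint("SETTING", "BERUN", fallback=1) + 1
    if not cfg.has_section("SETTING"):
        cfg.add_section("SETTING")
    cfg.set("SETTING", "BERUN", str(runs))  # wsprintfA "%d" + WritePrivateProfileStringA
    buf = io.StringIO()
    cfg.write(buf)
    if runs <= MAX_RUNS:  # jle 004147A4 (1.2)
        return "date_check", buf.getvalue()
    return "expired", buf.getvalue()  # call 0040FAF0


# Constructed sample: hard-disk install path, counter already at the limit.
SAMPLE_INI = "[INSTALL]\nSOURCEPATH=c:\\jieba\\\n[SETTING]\nBERUN=30\n"

if __name__ == "__main__":
    outcome, updated = first_checkpoint(SAMPLE_INI)
    print(outcome)  # expired: the counter is written back as 31
    print(updated)
```

Because the counter lives in a plaintext INI file next to the program, the checkpoint trusts whatever value it reads back, which is exactly what makes it the weakest of the three checks.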
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00414730(C), :00414780(C)
|
;Guess: if this is a genuine (registered) install, the variable [00428760] = 0 and execution
;jumps to the registry check; otherwise [00428760] holds the trial-period information.
:004147A4 A160874200 mov eax, dword ptr [00428760]
:004147A9 85C0 test eax, eax
:004147AB 7459 je 00414806 —————————————————————2.1
:004147AD 8D442468 lea eax, dword ptr [esp+68]
:004147B1 50 push eax
* Reference To: KERNEL32.GetSystemTime, Ord:01C6h
|
:004147B2 FF15AC064A00 Call dword ptr [004A06AC]
:004147B8 8B4C2468 mov ecx, dword ptr [esp+68] ;current date (SYSTEMTIME); the code that follows converts the date format
:004147BC 33C0 xor eax, eax
:004147BE 668B44246A mov ax, word ptr [esp+6A]
:004147C3 81E1FFFF0000 and ecx, 0000FFFF
:004147C9 C1E104 shl ecx, 04