[Original] Making the Pinyin Wang 95 trial version unlimited
Posted on: 2005-6-28 09:38
While sorting my documents today I came across something I wrote when I was just getting started; it seems I never posted it here. I'm posting it as a keepsake, and to get my face known on the forum :)
Pinyin Wang 95 supports whole-sentence input with a very high accuracy rate. What is really remarkable is its writing-style learning tool: after it has learned from your existing text it gets closer to your input habits and the accuracy rises a lot, ideally reaching 100%. However, after using it for a while it warns that the trial version is about to expire, and finally it reports that the trial has expired and can no longer be used.
Using REGMON I found that the input method reads the following registry key at startup:
[HKEY_LOCAL_MACHINE\Software\OAC\Windows\CurrentVersion\trial]
"timelimit"="20020531" <----------- install date
The simplest method is to delete the "trial" key when the expiry prompt appears, so that the program thinks it is being run for the first time on startup, but that is too much hassle. Let's just do a brute-force patch; that's my specialty :-).
Open PYW95.IME in W32DASM 8.93 Gold Edition and search for the strings "您的拼音王试用版很快就要到期,请购买正版拼音王"
and "您的拼音王试用版已经到期,请购买正版拼音王".
* Possible StringData Ref from Data Obj ->"提醒"
|
:100017D6 6808E10010 push 1000E108
* Possible StringData Ref from Data Obj ->"内存不足,输入法连接失败,请退出并关闭一些程序"
->"再试一遍!"
|
:100017DB 68CCE00010 push 1000E0CC
:100017E0 6A00 push 00000000
:100017E2 FFD6 call esi
:100017E4 EB06 jmp 100017EC <-------------- jumps to the time comparison; it can be skipped directly
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100017CC(C)
|
* Reference To: USER32.MessageBoxA, Ord:0188h
|
:100017E6 8B3528F40010 mov esi, dword ptr [1000F428]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100017E4(U)
|
:100017EC E84F000000 call 10001840 <-------------- looks familiar? Let's go inside
:100017F1 83F801 cmp eax, 00000001 <------------- EAX=1 means "about to expire"; change it to compare with 0
:100017F4 7519 jne 1000180F
:100017F6 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"警告"
|
:100017F8 68C4E00010 push 1000E0C4
* Possible StringData Ref from Data Obj ->"您的拼音王试用版很快就要到期,请购买正版拼音王"
->",可以优惠。地址可看readme.txt"
|
:100017FD 6874E00010 push 1000E074
:10001802 6A00 push 00000000
:10001804 FFD6 call esi
:10001806 B801000000 mov eax, 00000001
:1000180B 5E pop esi
:1000180C C20C00 ret 000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100017F4(C)
|
:1000180F 83F802 cmp eax, 00000002 <------------ EAX=2 means "already expired"; change it to compare with 0
:10001812 751A jne 1000182E
:10001814 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"对不起"
|
:10001816 686CE00010 push 1000E06C
* Possible StringData Ref from Data Obj ->"您的拼音王试用版已经到期,请购买正版拼音王,可"
->"以优惠。地址可看readme.txt"
|
:1000181B 6820E00010 push 1000E020
:10001820 6A00 push 00000000
:10001822 FFD6 call esi
:10001824 C70574E3001000000000 mov dword ptr [1000E374], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10001798(C), :10001812(C)
|
:1000182E B801000000 mov eax, 00000001
:10001833 5E pop esi
:10001834 C20C00 ret 000C
<----------- let's look inside -------------->
* Referenced by a CALL at Address:
|:100017EC
|
:10001840 81EC80000000 sub esp, 00000080
:10001846 8D442400 lea eax, dword ptr [esp]
* Possible StringData Ref from Data Obj ->"OAC"
|
:1000184A 6848E10010 push 1000E148
* Possible StringData Ref from Data Obj ->"SOFTWARE\%s\Windows\CurrentVersion\trial"
|
:1000184F 681CE10010 push 1000E11C
:10001854 50 push eax
* Reference To: USER32.wsprintfA, Ord:0249h
|
:10001855 FF151CF40010 Call dword ptr [1000F41C]
:1000185B 8D4C240C lea ecx, dword ptr [esp+0C]
:1000185F 83C40C add esp, 0000000C
* Possible StringData Ref from Data Obj ->"timelimit"
|
:10001862 6810E10010 push 1000E110
:10001867 51 push ecx
:10001868 E833000000 call 100018A0 <--------- something is going on here; this should read the key value and the system time, let's look
:1000186D 83C408 add esp, 00000008
:10001870 83F806 cmp eax, 00000006
:10001873 750C jne 10001881
:10001875 B801000000 mov eax, 00000001
:1000187A 81C480000000 add esp, 00000080
:10001880 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001873(C)
|
:10001881 83E805 sub eax, 00000005
:10001884 83F801 cmp eax, 00000001
:10001887 1BC0 sbb eax, eax
:10001889 81C480000000 add esp, 00000080
:1000188F 83E002 and eax, 00000002
:10001892 C3 ret
<----- See, my guess was right; never mind the finer details. ------->
* Referenced by a CALL at Address:
|:10001868
|
:100018A0 81ECF0000000 sub esp, 000000F0
:100018A6 8D442418 lea eax, dword ptr [esp+18]
:100018AA 56 push esi
:100018AB 57 push edi
:100018AC 50 push eax
* Reference To: KERNEL32.GetLocalTime, Ord:00E2h
|
:100018AD FF1574F30010 Call dword ptr [1000F374]
:100018B3 8B4C2420 mov ecx, dword ptr [esp+20]
:100018B7 81E1FFFF0000 and ecx, 0000FFFF
:100018BD C1E102 shl ecx, 02
:100018C0 8D0489 lea eax, dword ptr [ecx+4*ecx]
:100018C3 8D0C80 lea ecx, dword ptr [eax+4*eax]
:100018C6 33C0 xor eax, eax
:100018C8 668B442422 mov ax, word ptr [esp+22]
:100018CD 03C8 add ecx, eax
:100018CF C1E102 shl ecx, 02
:100018D2 8D0489 lea eax, dword ptr [ecx+4*ecx]
:100018D5 8B8C24FC000000 mov ecx, dword ptr [esp+000000FC]
:100018DC 51 push ecx
:100018DD 8D1480 lea edx, dword ptr [eax+4*eax]
:100018E0 33C0 xor eax, eax
* Reference To: USER32.wsprintfA, Ord:0249h
|
:100018E2 8B3D1CF40010 mov edi, dword ptr [1000F41C]
:100018E8 668B44242A mov ax, word ptr [esp+2A]
:100018ED 8D3402 lea esi, dword ptr [edx+eax]
:100018F0 8D442434 lea eax, dword ptr [esp+34]
:100018F4 50 push eax
:100018F5 FFD7 call edi
:100018F7 8B8C2408010000 mov ecx, dword ptr [esp+00000108]
:100018FE 8D84249C000000 lea eax, dword ptr [esp+0000009C]
:10001905 83C408 add esp, 00000008
:10001908 51 push ecx
:10001909 50 push eax
:1000190A FFD7 call edi
:1000190C 8D4C2414 lea ecx, dword ptr [esp+14]
:10001910 8D542438 lea edx, dword ptr [esp+38]
:10001914 83C408 add esp, 00000008
:10001917 51 push ecx
:10001918 6A01 push 00000001
:1000191A 6A00 push 00000000
:1000191C 52 push edx
:1000191D 6802000080 push 80000002
* Reference To: ADVAPI32.RegOpenKeyExA, Ord:00D9h
|
:10001922 FF15C0F20010 Call dword ptr [1000F2C0]
:10001928 83F801 cmp eax, 00000001
:1000192B 1BC0 sbb eax, eax
:1000192D 40 inc eax
:1000192E 83F801 cmp eax, 00000001
:10001931 0F8586000000 jne 100019BD
:10001937 8D442408 lea eax, dword ptr [esp+08]
:1000193B 8D4C240C lea ecx, dword ptr [esp+0C]
:1000193F C744240801000000 mov [esp+08], 00000001
:10001947 50 push eax
:10001948 51 push ecx
:10001949 8D542438 lea edx, dword ptr [esp+38]
:1000194D 6A00 push 00000000
:1000194F 683F000F00 push 000F003F
:10001954 6A00 push 00000000
:10001956 6A00 push 00000000
:10001958 6A00 push 00000000
:1000195A 52 push edx
:1000195B 6802000080 push 80000002
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:00C6h
|
:10001960 FF15B4F20010 Call dword ptr [1000F2B4]
:10001966 85C0 test eax, eax
:10001968 740B je 10001975
:1000196A 33C0 xor eax, eax
:1000196C 5F pop edi
:1000196D 5E pop esi
:1000196E 81C4F0000000 add esp, 000000F0
:10001974 C3 ret
From here it is easy to crack: change the two comparisons shown above so that they compare with 0, or simply skip the comparison section. Since I cannot debug the input method, many of the specific details are still uncertain; I would ask the experts for pointers on how to debug an input method.
BF3 <--0
C11 <---0