【Title】: Cracking the time limit of a domestic CAD program
【Author】: chinglq
【Author e-mail】: chinglq@sina.com
【Author homepage】: http://lqcoolboy.xinwen365.com
【Software name】: a domestic CAD program
【Software size】: 2448KB
【Download】: search for it yourself
【Packer】: N/A
【Protection】: dongle + registration code + time limit
【Language】: Microsoft Visual C++ 6.0
【Tools used】: OD, UltraEdit-32, PEiD
【Platform】: Lenovo OEM WinXP SP2
【Software description】: A domestic CAD program for mechanical engineering. 30-day time limit; no restrictions during the trial period; once it expires a dongle or registration code is required.
【Author's note】: Purely out of interest, no other purpose. Corrections of any mistakes from the experts are welcome! If you like the software, please support the genuine version!
--------------------------------------------------------------------------------
【Detailed process】
1. Packer check: PEiD reports Microsoft Visual C++ 6.0, no packer. That saves a lot of work, heh!
2. Debugging: load it in OD, look up the API functions, set a breakpoint on _COleDateTime, then start the program; it breaks in the following routine:
--------------------------------------------------------
005B51E0 /$ 83EC 28 sub esp, 28
005B51E3 |. 53 push ebx
005B51E4 |. 8B5C24 30 mov ebx, dword ptr [esp+30]
005B51E8 |. 85DB test ebx, ebx
005B51EA |. 57 push edi
005B51EB |. 0F84 08010000 je 005B52F9
005B51F1 |. 8BFB mov edi, ebx
005B51F3 |. 83C9 FF or ecx, FFFFFFFF
005B51F6 |. 33C0 xor eax, eax
005B51F8 |. F2:AE repne scas byte ptr es:[edi]
005B51FA |. F7D1 not ecx
005B51FC |. 49 dec ecx
005B51FD |. 83F9 06 cmp ecx, 6
005B5200 |. 0F82 F3000000 jb 005B52F9
005B5206 |. 0FBE03 movsx eax, byte ptr [ebx]
005B5209 |. 99 cdq
005B520A |. 55 push ebp
005B520B |. 56 push esi
005B520C |. 8BF0 mov esi, eax
005B520E |. 0FBE43 01 movsx eax, byte ptr [ebx+1]
005B5212 |. 33F2 xor esi, edx
005B5214 |. 2BF2 sub esi, edx
005B5216 |. 99 cdq
005B5217 |. 8BF8 mov edi, eax
005B5219 |. 81C6 D2070000 add esi, 7D2
005B521F |. 0FBE43 02 movsx eax, byte ptr [ebx+2]
005B5223 |. 33FA xor edi, edx
005B5225 |. 2BFA sub edi, edx
005B5227 |. 99 cdq
005B5228 |. 8BE8 mov ebp, eax
005B522A |. 0FBE43 03 movsx eax, byte ptr [ebx+3]
005B522E |. 33EA xor ebp, edx
005B5230 |. 2BEA sub ebp, edx
005B5232 |. 99 cdq
005B5233 |. 8BC8 mov ecx, eax
005B5235 |. 0FBE43 04 movsx eax, byte ptr [ebx+4]
005B5239 |. 33CA xor ecx, edx
005B523B |. 2BCA sub ecx, edx
005B523D |. 99 cdq
005B523E |. 33C2 xor eax, edx
005B5240 |. 894C24 10 mov dword ptr [esp+10], ecx
005B5244 |. 2BC2 sub eax, edx
005B5246 |. 894424 3C mov dword ptr [esp+3C], eax
005B524A |. 0FBE43 05 movsx eax, byte ptr [ebx+5]
005B524E |. 99 cdq
005B524F |. 8BD8 mov ebx, eax
005B5251 |. 8B4424 40 mov eax, dword ptr [esp+40]
005B5255 |. 33DA xor ebx, edx
005B5257 |. 2BDA sub ebx, edx
005B5259 |. 85C0 test eax, eax
005B525B |. 74 2B je short 005B5288
005B525D |. 8B4424 3C mov eax, dword ptr [esp+3C]
005B5261 |. 53 push ebx
005B5262 |. 50 push eax
005B5263 |. 51 push ecx
005B5264 |. 55 push ebp
005B5265 |. 57 push edi
005B5266 |. 56 push esi
005B5267 |. 8D4C24 2C lea ecx, dword ptr [esp+2C]
005B526B |. E8 5C3A0100 call <jmp.&MFC42.#5933_COleDateTime::SetDateTime> ; breaks here
005B5270 |. 8B4424 40 mov eax, dword ptr [esp+40]
005B5274 |. 8B4C24 14 mov ecx, dword ptr [esp+14]
005B5278 |. 8B5424 18 mov edx, dword ptr [esp+18]
005B527C |. 8908 mov dword ptr [eax], ecx
005B527E |. 8B4C24 1C mov ecx, dword ptr [esp+1C]
005B5282 |. 8950 04 mov dword ptr [eax+4], edx
005B5285 |. 8948 08 mov dword ptr [eax+8], ecx
005B5288 |> 8B4424 44 mov eax, dword ptr [esp+44]
005B528C |. 85C0 test eax, eax
005B528E |. 74 5D je short 005B52ED
005B5290 |. 6A 00 push 0
005B5292 |. 6A 00 push 0
005B5294 |. 6A 00 push 0
005B5296 |. 6A 01 push 1
005B5298 |. 6A 01 push 1
005B529A |. 68 D2070000 push 7D2
005B529F |. 8D4C24 2C lea ecx, dword ptr [esp+2C]
005B52A3 |. E8 243A0100 call <jmp.&MFC42.#5933_COleDateTime::SetDateTime>
005B52A8 |. 8B5424 3C mov edx, dword ptr [esp+3C]
005B52AC |. 8B4424 10 mov eax, dword ptr [esp+10]
005B52B0 |. 53 push ebx
005B52B1 |. 52 push edx
005B52B2 |. 50 push eax
005B52B3 |. 55 push ebp
005B52B4 |. 57 push edi
005B52B5 |. 56 push esi
005B52B6 |. 8D4C24 38 lea ecx, dword ptr [esp+38]
005B52BA |. E8 0D3A0100 call <jmp.&MFC42.#5933_COleDateTime::SetDateTime>
005B52BF |. 8D4C24 14 lea ecx, dword ptr [esp+14]
005B52C3 |. 8D5424 2C lea edx, dword ptr [esp+2C]
005B52C7 |. 51 push ecx
005B52C8 |. 52 push edx
005B52C9 |. 8D4C24 28 lea ecx, dword ptr [esp+28]
005B52CD |. E8 EE390100 call <jmp.&MFC42.#920_COleDateTime::operator->
005B52D2 |. DD4424 2C fld qword ptr [esp+2C]
005B52D6 |. DC0D 48F05D00 fmul qword ptr [5DF048]
005B52DC |. DC05 40F05D00 fadd qword ptr [5DF040]
005B52E2 |. E8 61DBFFFF call <jmp.&MSVCRT._ftol>
005B52E7 |. 8B4C24 44 mov ecx, dword ptr [esp+44]
005B52EB |. 8901 mov dword ptr [ecx], eax
005B52ED |> 5E pop esi
005B52EE |. 5D pop ebp
005B52EF |. 5F pop edi
005B52F0 |. B0 01 mov al, 1
005B52F2 |. 5B pop ebx
005B52F3 |. 83C4 28 add esp, 28
005B52F6 |. C2 0C00 retn 0C
005B52F9 |> 5F pop edi
005B52FA |. 32C0 xor al, al
005B52FC |. 5B pop ebx
005B52FD |. 83C4 28 add esp, 28
005B5300 \. C2 0C00 retn 0C
--------------------------------------------------------
The routine above is called from three places; a quick check showed that all three are inside the following routine:
--------------------------------------------------------
005B4AB0 . 55 push ebp
005B4AB1 . 8BEC mov ebp, esp
005B4AB3 . 6A FF push -1
005B4AB5 . 68 53585D00 push 005D5853 ; SE handler installation
005B4ABA . 64:A1 00000000 mov eax, dword ptr fs:[0]
005B4AC0 . 50 push eax
005B4AC1 . 64:8925 00000000 mov dword ptr fs:[0], esp
005B4AC8 . 81EC 54010000 sub esp, 154
005B4ACE . 53 push ebx
005B4ACF . 56 push esi
005B4AD0 . 8BD9 mov ebx, ecx
005B4AD2 . 57 push edi
005B4AD3 . 8D4D EC lea ecx, dword ptr [ebp-14]
005B4AD6 . 8965 F0 mov dword ptr [ebp-10], esp
005B4AD9 . E8 10D2FFFF call <jmp.&MFC42.#540_CString::CString>
005B4ADE . 68 02000080 push 80000002
005B4AE3 . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
005B4AE9 . C745 FC 00000000 mov dword ptr [ebp-4], 0
005B4AF0 . E8 3B300000 call 005B7B30
005B4AF5 . 68 10266100 push 00612610 ; ASCII "SoftWare\Cassae\PicadV6\PicadConfigData"
005B4AFA . 68 01000080 push 80000001
005B4AFF . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
005B4B05 . C645 FC 02 mov byte ptr [ebp-4], 2
005B4B09 . E8 12310000 call 005B7C20
005B4B0E . 85C0 test eax, eax
005B4B10 . 75 15 jnz short 005B4B27
005B4B12 . 8D45 B0 lea eax, dword ptr [ebp-50]
005B4B15 . 68 48005E00 push 005E0048
005B4B1A . 50 push eax
005B4B1B . C745 B0 FFFFFFFF mov dword ptr [ebp-50], -1
005B4B22 . E8 15E3FFFF call <jmp.&MSVCRT._CxxThrowException>
005B4B27 > 8D4D EC lea ecx, dword ptr [ebp-14]
005B4B2A . 51 push ecx ; /Arg2
005B4B2B . 68 00266100 push 00612600 ; |Arg1 = 00612600 ASCII "DWGFILEFMT14"
005B4B30 . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C] ; |
005B4B36 . E8 C5310000 call 005B7D00 ; \Picad.005B7D00
005B4B3B . 8B7D EC mov edi, dword ptr [ebp-14]
005B4B3E . 83C9 FF or ecx, FFFFFFFF
005B4B41 . 33C0 xor eax, eax
005B4B43 . 8D95 A0FEFFFF lea edx, dword ptr [ebp-160]
005B4B49 . F2:AE repne scas byte ptr es:[edi]
005B4B4B . F7D1 not ecx
005B4B4D . 2BF9 sub edi, ecx
005B4B4F . 8BC1 mov eax, ecx
005B4B51 . 8BF7 mov esi, edi
005B4B53 . 8BFA mov edi, edx
005B4B55 . C1E9 02 shr ecx, 2
005B4B58 . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
005B4B5A . 8BC8 mov ecx, eax
005B4B5C . 83E1 03 and ecx, 3
005B4B5F . F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
005B4B61 . 8D8D A0FEFFFF lea ecx, dword ptr [ebp-160]
005B4B67 . 51 push ecx
005B4B68 . E8 43F9FFFF call 005B44B0
005B4B6D . 8D95 A0FEFFFF lea edx, dword ptr [ebp-160]
005B4B73 . 8D85 A0FEFFFF lea eax, dword ptr [ebp-160]
005B4B79 . 52 push edx
005B4B7A . 50 push eax
005B4B7B . E8 90F8FFFF call 005B4410
005B4B80 . 83C4 0C add esp, 0C
005B4B83 . 8D4D E8 lea ecx, dword ptr [ebp-18]
005B4B86 . 8D43 0C lea eax, dword ptr [ebx+C]
005B4B89 . 8D95 A0FEFFFF lea edx, dword ptr [ebp-160]
005B4B8F . 51 push ecx ; /Arg3
005B4B90 . 50 push eax ; |Arg2
005B4B91 . 52 push edx ; |Arg1
005B4B92 . 8BCB mov ecx, ebx ; |
005B4B94 . E8 47060000 call 005B51E0 ; \Picad.005B51E0
005B4B99 . 84C0 test al, al
005B4B9B . 0F84 8D030000 je 005B4F2E
005B4BA1 . 8B45 E8 mov eax, dword ptr [ebp-18]
005B4BA4 . 85C0 test eax, eax
005B4BA6 . 0F84 82030000 je 005B4F2E
005B4BAC . 8D45 EC lea eax, dword ptr [ebp-14]
005B4BAF . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
005B4BB5 . 50 push eax ; /Arg2
005B4BB6 . 68 F0256100 push 006125F0 ; |Arg1 = 006125F0 ASCII "DWGFILEFMT15"
005B4BBB . E8 40310000 call 005B7D00 ; \Picad.005B7D00
005B4BC0 . 8B7D EC mov edi, dword ptr [ebp-14]
005B4BC3 . 83C9 FF or ecx, FFFFFFFF
005B4BC6 . 33C0 xor eax, eax
005B4BC8 . 8D95 A0FEFFFF lea edx, dword ptr [ebp-160]
005B4BCE . F2:AE repne scas byte ptr es:[edi]
005B4BD0 . F7D1 not ecx
005B4BD2 . 2BF9 sub edi, ecx
005B4BD4 . 8BC1 mov eax, ecx
005B4BD6 . 8BF7 mov esi, edi
005B4BD8 . 8BFA mov edi, edx
005B4BDA . C1E9 02 shr ecx, 2
005B4BDD . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
005B4BDF . 8BC8 mov ecx, eax
005B4BE1 . 83E1 03 and ecx, 3
005B4BE4 . F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
005B4BE6 . 8D8D A0FEFFFF lea ecx, dword ptr [ebp-160]
005B4BEC . 51 push ecx
005B4BED . E8 BEF8FFFF call 005B44B0
005B4BF2 . 8D95 A0FEFFFF lea edx, dword ptr [ebp-160]
005B4BF8 . 8D85 A0FEFFFF lea eax, dword ptr [ebp-160]
005B4BFE . 52 push edx
005B4BFF . 50 push eax
005B4C00 . E8 0BF8FFFF call 005B4410
005B4C05 . 83C4 0C add esp, 0C
005B4C08 . 8D4D E0 lea ecx, dword ptr [ebp-20]
005B4C0B . 8D95 A0FEFFFF lea edx, dword ptr [ebp-160]
005B4C11 . 51 push ecx ; /Arg3
005B4C12 . 6A 00 push 0 ; |Arg2 = 00000000
005B4C14 . 52 push edx ; |Arg1
005B4C15 . 8BCB mov ecx, ebx ; |
005B4C17 . E8 C4050000 call 005B51E0 ; \Picad.005B51E0
005B4C1C . 84C0 test al, al
005B4C1E . 0F84 F5020000 je 005B4F19
005B4C24 . 8B45 E0 mov eax, dword ptr [ebp-20]
005B4C27 . 85C0 test eax, eax
005B4C29 . 0F84 EA020000 je 005B4F19
005B4C2F . 8D45 EC lea eax, dword ptr [ebp-14]
005B4C32 . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
005B4C38 . 50 push eax ; /Arg2
005B4C39 . 68 E0256100 push 006125E0 ; |Arg1 = 006125E0 ASCII "DWGFILEFMT16"
005B4C3E . E8 BD300000 call 005B7D00 ; \Picad.005B7D00
005B4C43 . 8B7D EC mov edi, dword ptr [ebp-14]
005B4C46 . 83C9 FF or ecx, FFFFFFFF
005B4C49 . 33C0 xor eax, eax
005B4C4B . 8D95 A0FEFFFF lea edx, dword ptr [ebp-160]
005B4C51 . F2:AE repne scas byte ptr es:[edi]
005B4C53 . F7D1 not ecx
005B4C55 . 2BF9 sub edi, ecx
005B4C57 . 8BC1 mov eax, ecx
005B4C59 . 8BF7 mov esi, edi
005B4C5B . 8BFA mov edi, edx
005B4C5D . C1E9 02 shr ecx, 2
005B4C60 . F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
005B4C62 . 8BC8 mov ecx, eax
005B4C64 . 83E1 03 and ecx, 3
005B4C67 . F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
005B4C69 . 8D8D A0FEFFFF lea ecx, dword ptr [ebp-160]
005B4C6F . 51 push ecx
005B4C70 . E8 3BF8FFFF call 005B44B0
005B4C75 . 8D95 A0FEFFFF lea edx, dword ptr [ebp-160]
005B4C7B . 8D85 A0FEFFFF lea eax, dword ptr [ebp-160]
005B4C81 . 52 push edx
005B4C82 . 50 push eax
005B4C83 . E8 88F7FFFF call 005B4410
005B4C88 . 83C4 0C add esp, 0C
005B4C8B . 8D4D E4 lea ecx, dword ptr [ebp-1C]
005B4C8E . 8D53 18 lea edx, dword ptr [ebx+18]
005B4C91 . 8D85 A0FEFFFF lea eax, dword ptr [ebp-160]
005B4C97 . 51 push ecx ; /Arg3
005B4C98 . 52 push edx ; |Arg2
005B4C99 . 50 push eax ; |Arg1
005B4C9A . 8BCB mov ecx, ebx ; |
005B4C9C . E8 3F050000 call 005B51E0 ; \Picad.005B51E0
005B4CA1 . 84C0 test al, al
005B4CA3 . 0F84 5B020000 je 005B4F04
005B4CA9 . 8B45 E4 mov eax, dword ptr [ebp-1C]
005B4CAC . 85C0 test eax, eax
005B4CAE . 0F84 50020000 je 005B4F04
005B4CB4 . 6A 00 push 0
005B4CB6 . 6A 00 push 0
005B4CB8 . 6A 00 push 0
005B4CBA . 6A 01 push 1
005B4CBC . 6A 01 push 1
005B4CBE . 68 D2070000 push 7D2
005B4CC3 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
005B4CC6 . E8 01400100 call <jmp.&MFC42.#5933_COleDateTime::SetDateTime>
005B4CCB . 8D4D 90 lea ecx, dword ptr [ebp-70]
005B4CCE . 51 push ecx
005B4CCF . E8 F23F0100 call <jmp.&MFC42.#3810_COleDateTime::GetTickCount>
005B4CD4 . 8D55 D4 lea edx, dword ptr [ebp-2C]
005B4CD7 . 8D4D C8 lea ecx, dword ptr [ebp-38]
005B4CDA . 52 push edx
005B4CDB . 51 push ecx
005B4CDC . 8BC8 mov ecx, eax
005B4CDE . E8 DD3F0100 call <jmp.&MFC42.#920_COleDateTime::operator->
005B4CE3 . DD45 C8 fld qword ptr [ebp-38]
005B4CE6 . DC0D 48F05D00 fmul qword ptr [5DF048]
005B4CEC . DC05 40F05D00 fadd qword ptr [5DF040]
005B4CF2 . E8 51E1FFFF call <jmp.&MSVCRT._ftol>
005B4CF7 . 8B55 E0 mov edx, dword ptr [ebp-20]
005B4CFA . 8BF0 mov esi, eax
005B4CFC . 8B45 E8 mov eax, dword ptr [ebp-18]
005B4CFF . 3BC2 cmp eax, edx
005B4D01 . 0F8D E8010000 jge 005B4EEF
005B4D07 . 8B4D E4 mov ecx, dword ptr [ebp-1C]
005B4D0A . 3BC1 cmp eax, ecx
005B4D0C . 0F8D DD010000 jge 005B4EEF
005B4D12 . 3BC6 cmp eax, esi
005B4D14 . 0F8F D5010000 jg 005B4EEF
005B4D1A . 3BF1 cmp esi, ecx
005B4D1C . 0F8E CD010000 jle 005B4EEF
005B4D22 . 3BCA cmp ecx, edx
005B4D24 . 0F8F B0010000 jg 005B4EDA
005B4D2A . 3BF2 cmp esi, edx
005B4D2C . 0F8F A8010000 jg 005B4EDA
005B4D32 . 6A 02 push 2
005B4D34 . 6A 00 push 0
005B4D36 . 6A 00 push 0
005B4D38 . 6A 1F push 1F
005B4D3A . 8D4D D4 lea ecx, dword ptr [ebp-2C]
005B4D3D . E8 783F0100 call <jmp.&MFC42.#5934_COleDateTimeSpan::SetDateTimeSpan>
005B4D42 . 8D55 D4 lea edx, dword ptr [ebp-2C]
005B4D45 . 8D85 68FFFFFF lea eax, dword ptr [ebp-98]
005B4D4B . 52 push edx
005B4D4C . 50 push eax
005B4D4D . 8D4B 0C lea ecx, dword ptr [ebx+C]
005B4D50 . E8 5F3F0100 call <jmp.&MFC42.#928_COleDateTime::operator+>
005B4D55 . 6A 00 push 0
005B4D57 . 6A 00 push 0
005B4D59 . 6A 00 push 0
005B4D5B . 6A 01 push 1
005B4D5D . 6A 01 push 1
005B4D5F . 68 D2070000 push 7D2
005B4D64 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
005B4D67 . E8 603F0100 call <jmp.&MFC42.#5933_COleDateTime::SetDateTime>
005B4D6C . 8D4D D4 lea ecx, dword ptr [ebp-2C]
005B4D6F . 8D55 90 lea edx, dword ptr [ebp-70]
005B4D72 . 51 push ecx
005B4D73 . 52 push edx
005B4D74 . 8D8D 68FFFFFF lea ecx, dword ptr [ebp-98]
005B4D7A . E8 413F0100 call <jmp.&MFC42.#920_COleDateTime::operator->
005B4D7F . 50 push eax
005B4D80 . 8D4D C8 lea ecx, dword ptr [ebp-38]
005B4D83 . E8 263F0100 call <jmp.&MFC42.#837_COleDateTimeSpan::operator=>
005B4D88 . DD45 C8 fld qword ptr [ebp-38]
005B4D8B . DC0D 48F05D00 fmul qword ptr [5DF048]
005B4D91 . DC05 40F05D00 fadd qword ptr [5DF040]
005B4D97 . E8 ACE0FFFF call <jmp.&MSVCRT._ftol>
005B4D9C . 3945 E8 cmp dword ptr [ebp-18], eax
005B4D9F . 0F8D 20010000 jge 005B4EC5
005B4DA5 . 3945 E4 cmp dword ptr [ebp-1C], eax
005B4DA8 . 0F8F 17010000 jg 005B4EC5
005B4DAE . 3BF0 cmp esi, eax
005B4DB0 . 0F8F 0F010000 jg 005B4EC5
005B4DB6 . 8D85 A0FEFFFF lea eax, dword ptr [ebp-160]
005B4DBC . 6A 18 push 18
005B4DBE . 50 push eax
005B4DBF . 8BCB mov ecx, ebx
005B4DC1 . E8 0A090000 call 005B56D0
005B4DC6 . 85C0 test eax, eax
005B4DC8 . 75 15 jnz short 005B4DDF
005B4DCA . 8D4D B4 lea ecx, dword ptr [ebp-4C]
005B4DCD . 68 48005E00 push 005E0048
005B4DD2 . 51 push ecx
005B4DD3 . C745 B4 01000000 mov dword ptr [ebp-4C], 1
005B4DDA . E8 5DE0FFFF call <jmp.&MSVCRT._CxxThrowException>
005B4DDF > 6A 00 push 0
005B4DE1 . 6A 00 push 0
005B4DE3 . 6A 00 push 0
005B4DE5 . 6A 01 push 1
005B4DE7 . 6A 01 push 1
005B4DE9 . 68 D2070000 push 7D2
005B4DEE . 8D4D D4 lea ecx, dword ptr [ebp-2C]
005B4DF1 . E8 D63E0100 call <jmp.&MFC42.#5933_COleDateTime::SetDateTime>
005B4DF6 . 8D55 D4 lea edx, dword ptr [ebp-2C]
005B4DF9 . 8D45 90 lea eax, dword ptr [ebp-70]
005B4DFC . 52 push edx
005B4DFD . 50 push eax
005B4DFE . 8D8D A0FEFFFF lea ecx, dword ptr [ebp-160]
005B4E04 . E8 B73E0100 call <jmp.&MFC42.#920_COleDateTime::operator->
005B4E09 . 50 push eax
005B4E0A . 8D4D C8 lea ecx, dword ptr [ebp-38]
005B4E0D . E8 9C3E0100 call <jmp.&MFC42.#837_COleDateTimeSpan::operator=>
005B4E12 . DD45 C8 fld qword ptr [ebp-38]
005B4E15 . DC0D 48F05D00 fmul qword ptr [5DF048]
005B4E1B . DC05 40F05D00 fadd qword ptr [5DF040]
005B4E21 . E8 22E0FFFF call <jmp.&MSVCRT._ftol>
005B4E26 . 6A 00 push 0
005B4E28 . 6A 00 push 0
005B4E2A . 6A 00 push 0
005B4E2C . 6A 01 push 1
005B4E2E . 6A 01 push 1
005B4E30 . 68 D2070000 push 7D2
005B4E35 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
005B4E38 . 8945 E8 mov dword ptr [ebp-18], eax
005B4E3B . E8 8C3E0100 call <jmp.&MFC42.#5933_COleDateTime::SetDateTime>
005B4E40 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
005B4E43 . 8D55 90 lea edx, dword ptr [ebp-70]
005B4E46 . 51 push ecx
005B4E47 . 52 push edx
005B4E48 . 8D8D ACFEFFFF lea ecx, dword ptr [ebp-154]
005B4E4E . E8 6D3E0100 call <jmp.&MFC42.#920_COleDateTime::operator->
005B4E53 . 50 push eax
005B4E54 . 8D4D C8 lea ecx, dword ptr [ebp-38]
005B4E57 . E8 523E0100 call <jmp.&MFC42.#837_COleDateTimeSpan::operator=>
005B4E5C . DD45 C8 fld qword ptr [ebp-38]
005B4E5F . DC0D 48F05D00 fmul qword ptr [5DF048]
005B4E65 . DC05 40F05D00 fadd qword ptr [5DF040]
005B4E6B . E8 D8DFFFFF call <jmp.&MSVCRT._ftol>
005B4E70 . 8B4D E8 mov ecx, dword ptr [ebp-18]
005B4E73 . 8B55 E0 mov edx, dword ptr [ebp-20]
005B4E76 . 3BCA cmp ecx, edx
005B4E78 . 8945 E4 mov dword ptr [ebp-1C], eax
005B4E7B . 7D 33 jge short 005B4EB0
005B4E7D . 3BC8 cmp ecx, eax
005B4E7F . 7D 2F jge short 005B4EB0
005B4E81 . 3BCE cmp ecx, esi
005B4E83 . 7F 2B jg short 005B4EB0
005B4E85 . 3BF0 cmp esi, eax
005B4E87 . 7E 27 jle short 005B4EB0
005B4E89 . 3BC2 cmp eax, edx
005B4E8B . 7F 0E jg short 005B4E9B
005B4E8D . 3BF2 cmp esi, edx
005B4E8F . 7F 0A jg short 005B4E9B
005B4E91 . B8 09000000 mov eax, 9
005B4E96 . E9 B8000000 jmp 005B4F53
005B4E9B > 8D45 AC lea eax, dword ptr [ebp-54]
005B4E9E . 68 48005E00 push 005E0048
005B4EA3 . 50 push eax
005B4EA4 . C745 AC 0C000000 mov dword ptr [ebp-54], 0C
005B4EAB . E8 8CDFFFFF call <jmp.&MSVCRT._CxxThrowException>
005B4EB0 > 8D4D A4 lea ecx, dword ptr [ebp-5C]
005B4EB3 . 68 48005E00 push 005E0048
005B4EB8 . 51 push ecx
005B4EB9 . C745 A4 0B000000 mov dword ptr [ebp-5C], 0B
005B4EC0 . E8 77DFFFFF call <jmp.&MSVCRT._CxxThrowException>
005B4EC5 > 8D55 B8 lea edx, dword ptr [ebp-48]
005B4EC8 . 68 48005E00 push 005E0048
005B4ECD . 52 push edx
005B4ECE . C745 B8 0C000000 mov dword ptr [ebp-48], 0C
005B4ED5 . E8 62DFFFFF call <jmp.&MSVCRT._CxxThrowException>
005B4EDA > 8D45 9C lea eax, dword ptr [ebp-64]
005B4EDD . 68 48005E00 push 005E0048
005B4EE2 . 50 push eax
005B4EE3 . C745 9C 0C000000 mov dword ptr [ebp-64], 0C
005B4EEA . E8 4DDFFFFF call <jmp.&MSVCRT._CxxThrowException>
005B4EEF > 8D4D C4 lea ecx, dword ptr [ebp-3C]
005B4EF2 . 68 48005E00 push 005E0048
005B4EF7 . 51 push ecx
005B4EF8 . C745 C4 0B000000 mov dword ptr [ebp-3C], 0B
005B4EFF . E8 38DFFFFF call <jmp.&MSVCRT._CxxThrowException>
005B4F04 > 8D55 A0 lea edx, dword ptr [ebp-60]
005B4F07 . 68 48005E00 push 005E0048
005B4F0C . 52 push edx
005B4F0D . C745 A0 01000000 mov dword ptr [ebp-60], 1
005B4F14 . E8 23DFFFFF call <jmp.&MSVCRT._CxxThrowException>
005B4F19 > 8D45 A8 lea eax, dword ptr [ebp-58]
005B4F1C . 68 48005E00 push 005E0048
005B4F21 . 50 push eax
005B4F22 . C745 A8 01000000 mov dword ptr [ebp-58], 1
005B4F29 . E8 0EDFFFFF call <jmp.&MSVCRT._CxxThrowException>
005B4F2E > 8D4D C0 lea ecx, dword ptr [ebp-40]
005B4F31 . 68 48005E00 push 005E0048
005B4F36 . 51 push ecx
005B4F37 . C745 C0 01000000 mov dword ptr [ebp-40], 1
005B4F3E . E8 F9DEFFFF call <jmp.&MSVCRT._CxxThrowException>
005B4F43 . C745 BC 0B000000 mov dword ptr [ebp-44], 0B
005B4F4A . B8 504F5B00 mov eax, 005B4F50
005B4F4F . C3 retn
005B4F50 . 8B45 BC mov eax, dword ptr [ebp-44]
005B4F53 > 83E8 09 sub eax, 9
005B4F56 . C745 FC 01000000 mov dword ptr [ebp-4], 1
005B4F5D . F7D8 neg eax
005B4F5F . 1BC0 sbb eax, eax
005B4F61 . 8D8D 74FFFFFF lea ecx, dword ptr [ebp-8C]
005B4F67 . 24 FE and al, 0FE
005B4F69 . C645 FC 00 mov byte ptr [ebp-4], 0
005B4F6D . 40 inc eax
005B4F6E . 8BF0 mov esi, eax
005B4F70 . E8 0B2C0000 call 005B7B80
005B4F75 . 8D4D EC lea ecx, dword ptr [ebp-14]
005B4F78 . C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
005B4F7F . E8 52CDFFFF call <jmp.&MFC42.#800_CString::~CString>
005B4F84 . 8B4D F4 mov ecx, dword ptr [ebp-C]
005B4F87 . 8BC6 mov eax, esi ; ---> 8BF0 mov esi, eax
005B4F89 . 5F pop edi
005B4F8A . 5E pop esi
005B4F8B . 64:890D 00000000 mov dword ptr fs:[0], ecx
005B4F92 . 5B pop ebx
005B4F93 . 8BE5 mov esp, ebp
005B4F95 . 5D pop ebp
005B4F96 . C3 retn
--------------------------------------------------------
Good grief! A dozen or so time functions plus a whole pile of jumps; enough to make your head spin. Set it aside for now and keep going. Sure enough, there is more time comparison and checking further down:
--------------------------------------------------------
005B5680 > \83EC 18 sub esp, 18
005B5683 . 8D4424 00 lea eax, dword ptr [esp]
005B5687 . 56 push esi
005B5688 . 8BF1 mov esi, ecx
005B568A . 50 push eax
005B568B . E8 36360100 call <jmp.&MFC42.#3810_COleDateTime::GetTickCount>
005B5690 . 83C6 0C add esi, 0C
005B5693 . 8D4C24 10 lea ecx, dword ptr [esp+10]
005B5697 . 56 push esi
005B5698 51 push ecx ; ---> 50 push eax
005B5699 . 8D4C24 0C lea ecx, dword ptr [esp+C] ; at this point eax = dword ptr [esp+C]
005B569D . E8 1E360100 call <jmp.&MFC42.#920_COleDateTime::operator->
005B56A2 . DD4424 10 fld qword ptr [esp+10]
005B56A6 . E8 9DD7FFFF call <jmp.&MSVCRT._ftol> ; eax = days used
005B56AB . B9 1E000000 mov ecx, 1E ; 30-day trial period
005B56B0 . 5E pop esi
005B56B1 . 2BC8 sub ecx, eax ; subtract the days used
005B56B3 . 83F9 FF cmp ecx, -1
005B56B6 . 7D 07 jge short 005B56BF ; over after 30 days!
005B56B8 . 83C8 FF or eax, FFFFFFFF
005B56BB . 83C4 18 add esp, 18
005B56BE . C3 retn
005B56BF > 8BC1 mov eax, ecx
005B56C1 . 83C4 18 add esp, 18
005B56C4 . C3 retn
--------------------------------------------------------
Analysing the routine above shows that at 005B5699, eax = dword ptr [esp+C]; the new value of ecx differs from the value pushed by the previous instruction, and three instructions later eax = days used.
If the value pushed at 005B5698 were equal to the new value of ecx at 005B5699, the days-used figure further down might come out as zero. I changed 005B5698 to push eax instead, and on debugging, sure enough, eax = 0 afterwards. That way the trial day count stays parked at 30 days. I moved the system clock forward three days and it still showed "30 days of trial remaining". Heh! Looks like it is going to work! Hmm, let me try some more. Moved the system clock forward three months and, oh no, the expiry dialog appeared! Not good! There must be another key spot I have not found yet. Time to search properly!
Reopened OD and debugged again: it turns out the program had already jumped past before calling 005B5680. That routine is only for display; a false alarm!
Set another breakpoint at the feature restriction and stepped on. Argh! Back at that headache of a routine at 005B4AB0 again, and this time it is an indirect call:
005B3C88 . /FF60 0C jmp dword ptr [eax+C] ; Picad.005B4AB0
So this must be the key spot, and however much of a headache it is, it has to be read. It reads and writes the registry repeatedly, so the flag may well be stored in the registry. Never mind how it checks and computes on those reads and writes; first look at the output of the routine! The way 005B4F87 loads eax looks suspicious: whatever eax held before that point cannot be the controlling value. The controlling value is in esi; it is correct within the trial period and wrong after expiry. It is the result of this routine's checking and computation, and at the end it is handed to the output register eax. What the program's author worries about is exactly what we want. So we do the opposite and pass the data in the reverse direction here, i.e. move the value of eax into esi. That may well remove the control. Tried again after the change and, heh, it worked! OK!
Good. Note down the addresses, open UltraEdit-32, and make the changes:
005B4F87 . 8BC6 mov eax, esi ; ---> 8BF0 mov esi, eax
005B5698 51 push ecx ; ---> 50 push eax
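A C reconstruction of the logic the listings above walk through, added here as an example and not code from the program or from the post: the six-byte date decoder at 005B51E0 and the days-since-2002-01-01 count it hands back through its third argument, the remaining-days computation at 005B5680, and the code-to-flag collapse at 005B4F53. Type and function names are hypothetical, the sample string is constructed, and the floating-point constants at 5DF048/5DF040 are not shown on the page, so whole-day truncation is assumed for the day count.

```c
#include <stdlib.h>
#include <string.h>

typedef struct { int year, mon, day, hour, min, sec; } picad_date;

/* Constructed sample, not a real registry value: 2007-10-30 14:30:01. */
static const char picad_sample[] = { 0x05, 0x0A, 0x1E, 0x0E, 0x1E, 0x01, 0 };

/* Picad.005B51E0: six signed bytes -> date. Each byte is made non-negative with
 * the cdq / xor / sub idiom (abs) and the year byte is offset by 0x7D2 (2002).
 * A string shorter than 6 bytes fails (cmp ecx, 6 / jb), so no field may be 0. */
int picad_decode_date(const char *s, picad_date *out)
{
    if (s == NULL || strlen(s) < 6)
        return 0;                               /* xor al, al */
    int f[6];
    for (int i = 0; i < 6; i++)
        f[i] = abs((int)(signed char)s[i]);     /* movsx, then cdq / xor / sub */
    out->year = f[0] + 0x7D2; out->mon = f[1]; out->day = f[2];
    out->hour = f[3];         out->min = f[4]; out->sec = f[5];
    return 1;                                   /* mov al, 1 */
}

/* Howard Hinnant's days_from_civil; only differences of its results are used. */
static long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153L * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Picad.005B51E0, third argument: the date as a day count from the
 * SetDateTime(7D2,1,1,0,0,0) base, i.e. 2002-01-01. The real code multiplies
 * by [5DF048] and adds [5DF040] before _ftol; those constants are not on the
 * page, so whole-day truncation (scale 1.0, offset 0.0) is assumed. */
long picad_day_index(const picad_date *dt)
{
    return days_from_civil(dt->year, dt->mon, dt->day) - days_from_civil(0x7D2, 1, 1);
}

/* Decode and count in one step; -1 when the string is rejected. */
long picad_string_day_index(const char *s)
{
    picad_date dt;
    return picad_decode_date(s, &dt) ? picad_day_index(&dt) : -1;
}

/* Picad.005B5680: days remaining as shown in the trial dialog. */
int picad_days_left(int days_used)
{
    int left = 0x1E - days_used;                /* mov ecx, 1E / sub ecx, eax */
    return left >= -1 ? left : -1;              /* cmp ecx, -1 / jge, else or eax, -1 */
}

/* Picad.005B4F53..005B4F6E: the whole check collapses into one flag: 1 when
 * the result code is 9 (every comparison passed), -1 for any other code. */
int picad_result_flag(int code)
{
    int eax = (code == 9) ? 0 : -1;             /* sub eax, 9 / neg eax / sbb eax, eax */
    eax &= ~1;                                  /* and al, 0FE */
    return eax + 1;                             /* inc eax */
}
```

From the protection author's side, picad_result_flag is the weak point worth noting: an entire registry-date comparison ends up as a single register value handed to the caller, which is a single point of failure for any check.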
--------------------------------------------------------------------------------
【Lessons learned】
This is my second crack write-up as a growing newbie, and the crack took half a month. Most of that time went on that headache of a routine: I was busy all day with its registry reads and writes, and those jumps had me going round in circles with no idea what to do. Later I took three days off, thought it over calmly, and only then remembered to check the output function. After that it was easy and pleasant, plain sailing!
The software's time limit lives in two places: one for display and one for enforcement. The author used this rather cleverly: although the change amounts to only a byte and a half, finding those two spots is far from easy. Even though I cracked the software, I greatly admire the author's protection scheme. Both spots must be changed together; if only one is changed, the program still fails to start after expiry. The display code also handles expiry, and the enforcement code also handles expiry.
The one imperfection of removing the time limit is that it still shows "trial version" and "30 days of trial remaining". Trial it is, then; there are no feature restrictions during the trial anyway, so let it stay on trial forever! If anyone finds that not perfect enough, do it yourself; it is very simple!
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally published on the 看雪 (Pediy) technical forum. When reposting, please credit the author and keep the article complete. Thank you!
30 October 2007, 14:30