【Title】: A newbie's walkthrough of cracking a Korean EDA package
【Author】: PENGRUBIN
【Author's homepage】: www.eplan-eb2.ys168.com
【Software】: CSIEDA5.4
【Size】: 353M
【Download】: http://download.csieda.com/INSTALL_V5/
【Packer】: none
【Protection】: hardware dongle plus license file
【Written in】: Borland C++ 1999
【Tools used】: OllyICE, cxat2.5
【Platform】: XP
【Software description】: PCB industry software; its feature for inserting an image into a PCB is handy for board copying
【Author's note】: Purely out of interest, with no other purpose. If I have slipped up anywhere, I welcome corrections from the experts!
--------------------------------------------------------------------------------
【Detailed process】
I'm a newbie, what have I got to fear? This software is protected with a Sentinel SuperPro dongle (you can tell from the install files: there is a SuperPro folder whose SETUP.EXE is
Sentinel System Driver Installer 7.4.0; without help from a legitimate user there is no way to emulate it, heh, and if I had one you wouldn't be reading this article!)
plus a license file (likewise, without help from a legitimate user I have no idea what the license file looks like, heh).
But I just love that board-copying feature, and I'm a newbie so what have I got to fear! Never mind how hard dongle-plus-license is supposed to be, I still wanted to see whether it could be cracked (as it turned out,
all American imperialists are paper tigers!).
The old hands say: before you crack a piece of software you first need to understand what its restrictions are. Can I ignore the old hands? Of course not; I'll listen, I'll listen, I'll listen listen listen!
So how do you find out what restrictions the software has? All roads lead to my house. The few I could think of:
1: Phone the Korean company, tell them I'm about to crack their software, and ask them to please tell me about their copy-protection restrictions. Thanks!
2: Ask the software itself, the way a doctor asks a patient, and have it tell me what the problem is.
3: Use the software myself and see what prompts it gives. As the ancients said: better to rely on yourself than on others.
A multiple-choice question: which plan to take? The first is an international long-distance call, expensive! That runs counter to my purpose in cracking it, and even if the call were free I couldn't understand Korean
anyway, so plan one is out. Plan two? I asked, and damn it, the software ignored me, argh! So on to plan three. Let's get to it (hey! not "it" in that sense, don't get ideas,
your mind is in the gutter).
Open PEiD 0.94 and check for a packer. Borland C++ 1999; that doesn't seem to be a packer, at least I've never heard of a packer by that name. The reader asks: but what if it is a packer?
Never mind: even if it were, I couldn't unpack it, so I'll just treat it as not packed, heh (I'm patting myself on the back here, clever, really clever!).
Next, run it: double-click (don't know how? who cares). The software runs. Wait! Why is everything greyed out except Close? Sweat! More sweat! Does it really not let you in at all
without dongle and license? Looks like it's time to pack up, too hard, I can't do it, just close it then, damn!
Just as I was about to give up I noticed a scrolling banner at the top. Let's see! Not Korean, should be readable:
CSiEDA5 User Environment... Please select user icon and click [Login] button.
If you new user, using [New] button to new user registration.
So you have to create a new user and then log in. Stupid! Really stupid!
Fine: CSIEDA5, new user name entered, click [New], click [Login],
and a dialog appears:
No Hard Key License Client,Do you want to run in ealuation mode?
The first restriction appears.
No choice: click Yes.
Into the software.
Open something, scribble around, Save,
and a dialog appears:
The pin count over 256 can not be saved in evaluation mode.
The second restriction appears.
I tried again. And again. Nothing more; just these two restrictions, for now.
OK, that's enough for now; close the software. The cracking plan:
1: Keep running in evaluation mode and just remove the restriction that designs with more than 256 pins can't be saved.
2: Crack the dongle and license restrictions so the software runs in full mode.
As I saw it, the first would be fairly easy and the second I probably couldn't manage (turned out not to be the case, haha).
So let's do the first plan first.
Open CXAT2.5 (never heard of it? It's what I use for localization work; it can search many files at once for non-standard strings. This software has a lot of
DLL/EXE/BPL files, and that message might appear in many places,
so let's search with this first!). Click the search button, enter: The pin count over, and scan all the files in the install directory.
Results came back: that message really is in a lot of files.
Note them down.
Load the main program CSIEDA5.EXE in OD, search the ASCII strings for The pin count over,
and set a breakpoint on every occurrence of the pin count over %d can not save to file on evaluation mode.
Likewise in PCBEesig and SCHDesig, set a breakpoint on every occurrence of the pin count over %d can not save to file on evaluation mode.
042D8E0E FF51 FC call dword ptr [ecx-4]
042D8E11 66:C745 D0 0800 mov word ptr [ebp-30], 8
042D8E17 3B7D B8 cmp edi, dword ptr [ebp-48]
042D8E1A 0F8D 2B010000 jge 042D8F4B ...... change this to JMP (the other modules are patched the same way)
042D8E20 807D BF 00 cmp byte ptr [ebp-41], 0
042D8E24 0F84 13010000 je 042D8F3D
042D8E2A 66:C745 D0 2000 mov word ptr [ebp-30], 20
042D8E30 33C0 xor eax, eax
042D8E32 BA 0A6C3A04 mov edx, 043A6C0A ; the pin count over %d can not save to file on evaluation mode.
042D8E37 8945 F4 mov dword ptr [ebp-C], eax
042D8E3A 8D45 F0 lea eax, dword ptr [ebp-10]
042D8E3D FF45 DC inc dword ptr [ebp-24]
042D8E40 66:C745 D0 2C00 mov word ptr [ebp-30], 2C
042D8E46 57 push edi
042D8E47 66:C745 D0 3800 mov word ptr [ebp-30], 38
042D8E4D E8 92BE0800 call 04364CE4
042D8E52 FF45 DC inc dword ptr [ebp-24]
042D8E55 33C9 xor ecx, ecx
After patching, disable all the breakpoints and press F9 to run. It prompts about running in evaluation mode, agree, get into the software, try saving a file again, haha, it asks you to choose a path; it saves now. Apart from the evaluation prompt, every function is there.
Patched the other modules the same way, tested, and they also work in evaluation mode. No more pin limit.
The first battle ends here, complete victory!
After two days of use, that No Hard Key License Client,Do you want to run in ealuation mode? prompt still annoyed me.
Once more: restore all the files to the originals and fight again!
Searched for No Hard Key License Client: nothing? Sweat. Looks like that method won't work this time.
Set BPX MESSAGEBOXA; once it breaks, return to the main program's address space:
Going up from the CALL that produces the error, the first place that can skip over that CALL is 004D26F2:
004D26EB . E8 4887FEFF call 004BAE38
004D26F0 . 84C0 test al, al
004D26F2 0F85 AD020000 jnz 004D29A5 ...... change this to JMP, it must jump
004D26F8 . 8B0D 103B6700 mov ecx, dword ptr [<&vcl60.Forms::Screen>] ; vcl60.Forms::Screen
004D26FE . 33D2 xor edx, edx
004D2700 . 8B01 mov eax, dword ptr [ecx]
004D2702 . E8 376C0F00 call <jmp.&vcl60.Forms::TScreen::SetCursor>
004D2707 . 66:C745 C0 14>mov word ptr [ebp-40], 14
004D270D . 8D96 CA010000 lea edx, dword ptr [esi+1CA]
004D2713 . 8D45 F4 lea eax, dword ptr [ebp-C]
004D2716 . E8 CDD90500 call 005300E8
004D271B . FF45 CC inc dword ptr [ebp-34]
004D271E . 8D4D F4 lea ecx, dword ptr [ebp-C]
004D2721 . 51 push ecx
004D2722 . 33C0 xor eax, eax
004D2724 . 8945 F8 mov dword ptr [ebp-8], eax
004D2727 . 8D55 F8 lea edx, dword ptr [ebp-8]
004D272A . 52 push edx
004D272B . FF45 CC inc dword ptr [ebp-34]
004D272E . E8 017F0F00 call <jmp.&CSIEDACommonPackage.GetExePath>
004D2733 . 59 pop ecx
004D2734 . 33D2 xor edx, edx
004D2736 . 8955 FC mov dword ptr [ebp-4], edx
004D2739 . 8D4D FC lea ecx, dword ptr [ebp-4]
004D273C . FF45 CC inc dword ptr [ebp-34]
004D273F . 8D45 F8 lea eax, dword ptr [ebp-8]
004D2742 . 5A pop edx
004D2743 . E8 44DD0500 call 0053048C
004D2748 . FF4D CC dec dword ptr [ebp-34]
004D274B . 8D45 F4 lea eax, dword ptr [ebp-C]
004D274E . BA 02000000 mov edx, 2
004D2753 . E8 DCDC0500 call 00530434
004D2758 . FF4D CC dec dword ptr [ebp-34]
004D275B . 8D45 F8 lea eax, dword ptr [ebp-8]
004D275E . BA 02000000 mov edx, 2
004D2763 . E8 CCDC0500 call 00530434
004D2768 . 66:C745 C0 08>mov word ptr [ebp-40], 8
004D276E . 8B45 FC mov eax, dword ptr [ebp-4]
004D2771 . E8 10740F00 call <jmp.&rtl60.Sysutils::FileExists>
004D2776 . 84C0 test al, al
004D2778 0F84 F5000000 je 004D2873
004D277E . 6A 00 push 0
004D2780 . 8D96 0C020000 lea edx, dword ptr [esi+20C]
004D2786 . 66:C745 C0 20>mov word ptr [ebp-40], 20
004D278C . 8D45 F0 lea eax, dword ptr [ebp-10]
004D278F . E8 54D90500 call 005300E8
004D2794 . FF45 CC inc dword ptr [ebp-34]
004D2797 . 8D55 EC lea edx, dword ptr [ebp-14]
004D279A . 8B08 mov ecx, dword ptr [eax]
004D279C . 33C0 xor eax, eax
004D279E . 51 push ecx
004D279F . 8945 EC mov dword ptr [ebp-14], eax
004D27A2 . 52 push edx
004D27A3 . FF45 CC inc dword ptr [ebp-34]
004D27A6 . E8 F5960F00 call <jmp.&CSIEDACommonPackage.GST>
004D27AB . 83C4 08 add esp, 8
004D27AE . 837D EC 00 cmp dword ptr [ebp-14], 0
004D27B2 . 74 05 je short 004D27B9
004D27B4 . 8B4D EC mov ecx, dword ptr [ebp-14]
004D27B7 . EB 06 jmp short 004D27BF
004D27B9 > 8D8E 15020000 lea ecx, dword ptr [esi+215]
004D27BF > 51 push ecx
004D27C0 . 8D96 E0010000 lea edx, dword ptr [esi+1E0]
004D27C6 . 8D45 E8 lea eax, dword ptr [ebp-18]
004D27C9 . E8 1AD90500 call 005300E8
004D27CE . FF45 CC inc dword ptr [ebp-34]
004D27D1 . 33D2 xor edx, edx
004D27D3 . 8B00 mov eax, dword ptr [eax]
004D27D5 . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004D27D8 . 50 push eax
004D27D9 . 8955 E4 mov dword ptr [ebp-1C], edx
004D27DC . 51 push ecx
004D27DD . FF45 CC inc dword ptr [ebp-34]
004D27E0 . E8 BB960F00 call <jmp.&CSIEDACommonPackage.GST>
004D27E5 . 83C4 08 add esp, 8
004D27E8 . 837D E4 00 cmp dword ptr [ebp-1C], 0
004D27EC . 74 05 je short 004D27F3
004D27EE . 8B45 E4 mov eax, dword ptr [ebp-1C]
004D27F1 . EB 06 jmp short 004D27F9
004D27F3 > 8D86 14020000 lea eax, dword ptr [esi+214]
004D27F9 > 50 push eax
004D27FA . 8BC3 mov eax, ebx
004D27FC . E8 A56D0F00 call <jmp.&vcl60.Controls::TWinControl::GetHand>
004D2801 . 50 push eax ; |hOwner
004D2802 . E8 3BDB0F00 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004D2807 . FF4D CC dec dword ptr [ebp-34]
004D280A . 8D45 E4 lea eax, dword ptr [ebp-1C]
004D280D . BA 02000000 mov edx, 2
004D2812 . E8 1DDC0500 call 00530434
004D2817 . FF4D CC dec dword ptr [ebp-34]
004D281A . 8D45 E8 lea eax, dword ptr [ebp-18]
004D281D . BA 02000000 mov edx, 2
004D2822 . E8 0DDC0500 call 00530434
004D2827 . FF4D CC dec dword ptr [ebp-34]
004D282A . 8D45 EC lea eax, dword ptr [ebp-14]
004D282D . BA 02000000 mov edx, 2
004D2832 . E8 FDDB0500 call 00530434
004D2837 . FF4D CC dec dword ptr [ebp-34]
004D283A . 8D45 F0 lea eax, dword ptr [ebp-10]
004D283D . BA 02000000 mov edx, 2
004D2842 . E8 EDDB0500 call 00530434
004D2847 . 33D2 xor edx, edx
004D2849 . 8B83 14030000 mov eax, dword ptr [ebx+314]
004D284F . E8 146A0F00 call <jmp.&vcl60.Extctrls::TTimer::SetEnabled>
004D2854 . FF4D CC dec dword ptr [ebp-34]
004D2857 . 8D45 FC lea eax, dword ptr [ebp-4]
004D285A . BA 02000000 mov edx, 2
004D285F . E8 D0DB0500 call 00530434
004D2864 . 8B4D B0 mov ecx, dword ptr [ebp-50]
004D2867 . 64:890D 00000>mov dword ptr fs:[0], ecx
004D286E . E9 94010000 jmp 004D2A07
004D2873 > 6A 04 push 4
004D2875 . 8D96 67020000 lea edx, dword ptr [esi+267]
004D287B . 66:C745 C0 2C>mov word ptr [ebp-40], 2C
004D2881 . 8D45 E0 lea eax, dword ptr [ebp-20]
004D2884 . E8 5FD80500 call 005300E8
004D2889 . FF45 CC inc dword ptr [ebp-34]
004D288C . 8D55 DC lea edx, dword ptr [ebp-24]
004D288F . 8B08 mov ecx, dword ptr [eax]
004D2891 . 33C0 xor eax, eax
004D2893 . 51 push ecx
004D2894 . 8945 DC mov dword ptr [ebp-24], eax
004D2897 . 52 push edx
004D2898 . FF45 CC inc dword ptr [ebp-34]
004D289B . E8 00960F00 call <jmp.&CSIEDACommonPackage.GST>
004D28A0 . 83C4 08 add esp, 8
004D28A3 . 837D DC 00 cmp dword ptr [ebp-24], 0
004D28A7 . 74 05 je short 004D28AE
004D28A9 . 8B4D DC mov ecx, dword ptr [ebp-24]
004D28AC . EB 06 jmp short 004D28B4
004D28AE > 8D8E 70020000 lea ecx, dword ptr [esi+270]
004D28B4 > 51 push ecx
004D28B5 . 8D96 16020000 lea edx, dword ptr [esi+216]
004D28BB . 8D45 D8 lea eax, dword ptr [ebp-28]
004D28BE . E8 25D80500 call 005300E8
004D28C3 . FF45 CC inc dword ptr [ebp-34]
004D28C6 . 33D2 xor edx, edx
004D28C8 . 8B00 mov eax, dword ptr [eax]
004D28CA . 8D4D D4 lea ecx, dword ptr [ebp-2C]
004D28CD . 50 push eax
004D28CE . 8955 D4 mov dword ptr [ebp-2C], edx
004D28D1 . 51 push ecx
004D28D2 . FF45 CC inc dword ptr [ebp-34]
004D28D5 . E8 C6950F00 call <jmp.&CSIEDACommonPackage.GST>
004D28DA . 83C4 08 add esp, 8
004D28DD . 837D D4 00 cmp dword ptr [ebp-2C], 0
004D28E1 . 74 05 je short 004D28E8
004D28E3 . 8B45 D4 mov eax, dword ptr [ebp-2C]
004D28E6 . EB 06 jmp short 004D28EE
004D28E8 > 8D86 6F020000 lea eax, dword ptr [esi+26F]
004D28EE > 50 push eax
004D28EF . 8BC3 mov eax, ebx
004D28F1 . E8 B06C0F00 call <jmp.&vcl60.Controls::TWinControl::GetHand>
004D28F6 . 50 push eax ; |hOwner
004D28F7 . E8 46DA0F00 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA ...... the program breaks here; once past this CALL the dialog appears
004D28FC . 8BF0 mov esi, eax
004D28FE . FF4D CC dec dword ptr [ebp-34]
004D2901 . 8D45 D4 lea eax, dword ptr [ebp-2C]
004D2904 . BA 02000000 mov edx, 2
004D2909 . E8 26DB0500 call 00530434
004D290E . FF4D CC dec dword ptr [ebp-34]
004D2911 . 8D45 D8 lea eax, dword ptr [ebp-28]
004D2914 . BA 02000000 mov edx, 2
004D2919 . E8 16DB0500 call 00530434
004D291E . FF4D CC dec dword ptr [ebp-34]
004D2921 . 8D45 DC lea eax, dword ptr [ebp-24]
004D2924 . BA 02000000 mov edx, 2
004D2929 . E8 06DB0500 call 00530434
004D292E . FF4D CC dec dword ptr [ebp-34]
004D2931 . 8D45 E0 lea eax, dword ptr [ebp-20]
After changing that jump above, the program no longer shows the No Hard Key License Client,Do you want to run in ealuation mode? prompt.
It goes straight into the software, but then there is another one:
Lost the Hard Key in your system,Please check your hare key and restart program,
Roughly: you've lost your dongle; check your dongle and restart the program.
Following this prompt, I traced to here:
00415366 . 8D45 94 lea eax, dword ptr [ebp-6C]
00415369 . BA 02000000 mov edx, 2
0041536E . E8 C1B01100 call 00530434
00415373 . 59 pop ecx
00415374 . 84C9 test cl, cl
00415376 . 0F84 85000000 je 00415401 ...... change this to JMP and it is skipped.
0041537C . 66:C743 10 B8>mov word ptr [ebx+10], 1B8
00415382 . BA F52E5D00 mov edx, 005D2EF5 ; lost the hard key in your system. please check your hard key and restart program.
00415387 . 8D45 90 lea eax, dword ptr [ebp-70]
0041538A . E8 59AD1100 call 005300E8
0041538F . FF43 1C inc dword ptr [ebx+1C]
00415392 . 8D55 8C lea edx, dword ptr [ebp-74]
00415395 . 8B08 mov ecx, dword ptr [eax]
Saved the changes and ran again: no lost-dongle prompt and no evaluation-mode prompt, but nothing can be done at all, sweat. Checked the licenses: none there! Looks like the dongle is beaten, so now the license has to be cracked.
Searching on license, this area looked like the key one:
004BAEC9 mov edx, 0061C265 \license\license.lic
004BB0FC mov edx, 0061C27B license error code
004BB126 mov edx, 0061C28E
004BB24B mov edx, 0061C290 evaluation
004BB2A7 mov edx, 0061C29B network
004BB499 mov edx, 0061C2A4 csieda epd designer license
004BB4F8 mov edx, 0061C2C0 csieda schematic pin design license
004BB551 mov edx, 0061C2E4 csieda schematic symbol design license
004BB5AA mov edx, 0061C30B csieda schematic part library license
004BB603 mov edx, 0061C331 csieda schematic capture license
004BB65C mov edx, 0061C352 csieda pcb padstack design license
004BB6B5 mov edx, 0061C375 csieda pcb library design license
004BB70E mov edx, 0061C397 csieda pcb design license (ent)
004BB767 mov edx, 0061C3B7 csieda pcb gerber viewer license
004BB7C0 mov edx, 0061C3D8 csieda pcb 3dviewer license
004BB819 mov edx, 0061C3F4 csieda script license
004BB872 mov edx, 0061C40A csieda simulation license
004BB9C1 mov edx, 0061C424 license error code
004BB9EB mov edx, 0061C437
004BBB0B mov edx, 0061C43A license error code
I later found that the licenses below are the standalone ones; patching the ones above does nothing for a standalone install, they seem to be the evaluation licenses.
After setting a breakpoint on the jump preceding each of the licenses below and running again, they were hit.
004BBB35 mov edx, 0061C44D
004BBC89 mov edx, 0061C44F csieda epd designer license
004BBD1D mov edx, 0061C46B csieda schematic pin design license
004BBDB1 mov edx, 0061C48F csieda schematic symbol design license
004BBE45 mov edx, 0061C4B6 csieda schematic part library license
004BBED9 mov edx, 0061C4DC csieda schematic capture license
004BBF6D mov edx, 0061C4FD csieda schematic capture educational license
004BC001 mov edx, 0061C52A csieda pcb padstack design license
004BC095 mov edx, 0061C54D csieda pcb library design license
004BC129 mov edx, 0061C56F csieda pcb design license (std)
004BC1BD mov edx, 0061C58F csieda pcb design license (pro)
004BC251 mov edx, 0061C5AF csieda pcb educational license
004BC2E5 mov edx, 0061C5CE csieda pcb design license (ent)
004BC37A mov edx, 0061C5EE csieda pcb gerber viewer license
004BC3EE mov edx, 0061C60F csieda pcb gerber editor license
004BC462 mov edx, 0061C630 csieda pcb 3dviewer license
004BC4D6 mov edx, 0061C64C csieda simulation license
004BC54A mov edx, 0061C666 csieda pcb si license
004BC5CE mov edx, 0061C67C csieda pdm link license
004BC642 mov edx, 0061C694 csieda.net express license
004BC6B6 mov edx, 0061C6AF csieda network lms license
004BC72A mov edx, 0061C6CA csieda network fms license
004BCF52 push 0061C9F4 %02x:%02x:%02x:%02x:%02x:%02x
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
A splash image was covering the debugger window; I had to edit E:\CSiEDA5\Resource\StartUp\StartUp.bmp down to a single pixel before I could continue with the following.
004BBC6C |. E8 EB220000 call 004BDF5C
004BBC71 |. 84C0 test al, al
004BBC73 |. 74 0E je short 004BBC83 ...... breaks here; the ones below are similar, change to NOP
004BBC75 |. B0 01 mov al, 1
004BBC77 |. 8B55 D8 mov edx, dword ptr [ebp-28]
004BBC7A |. 64:8915 00000>mov dword ptr fs:[0], edx
004BBC81 |. EB 68 jmp short 004BBCEB
004BBC83 |> 66:C745 E8 14>mov word ptr [ebp-18], 14
004BBC89 |. BA 4FC46100 mov edx, 0061C44F ; csieda epd designer license
004BBC8E |. 8D45 FC lea eax, dword ptr [ebp-4]
004BBD00 |. E8 57220000 call 004BDF5C
004BBD05 |. 84C0 test al, al
004BBD07 |. 74 0E je short 004BBD17 ...... breaks here; the ones below are similar, change to NOP
004BBD09 |. B0 01 mov al, 1
004BBD0B |. 8B55 D8 mov edx, dword ptr [ebp-28]
004BBD0E |. 64:8915 00000>mov dword ptr fs:[0], edx
004BBD15 |. EB 68 jmp short 004BBD7F
004BBD17 |> 66:C745 E8 14>mov word ptr [ebp-18], 14
004BBD1D |. BA 6BC46100 mov edx, 0061C46B ; csieda schematic pin design license
004BBD94 |. E8 C3210000 call 004BDF5C
004BBD99 |. 84C0 test al, al
004BBD9B |. 74 0E je short 004BBDAB ...... breaks here; the ones below are similar, change to NOP
004BBD9D |. B0 01 mov al, 1
004BBD9F |. 8B55 D8 mov edx, dword ptr [ebp-28]
004BBDA2 |. 64:8915 00000>mov dword ptr fs:[0], edx
004BBDA9 |. EB 68 jmp short 004BBE13
004BBDAB |> 66:C745 E8 14>mov word ptr [ebp-18], 14
004BBDB1 |. BA 8FC46100 mov edx, 0061C48F ; csieda schematic symbol design license
004BBDB6 |. 8D45 FC lea eax, dword ptr [ebp-4]
004BBDB9 |. E8 2A430700 call 005300E8
The rest you can look at yourself, they are all like this, heh, just patch them all. After patching and running, editing works and every function is available.
Open a file and take a look, heh.
Hm! The Open menu doesn't work?
Is there a license problem? Look at the license list: they're all there, so where is the problem?
Take a closer look at the first CALL just patched above,
they are all:
004BBD94 |. E8 C3210000 call 004BDF5C
Is something fishy here? Why do they all use this CALL? So what if I step into this CALL and change it so that:
004BBD94 |. E8 C3210000 call 004BDF5C
004BBD99 |. 84C0 test al, al
004BBD9B |. 74 0E je short 004BBDAB
the JE at 004BBD9B simply doesn't jump on its own? So let's change AL and see.
Stepping in to here:
004BDF5C /$ 55 push ebp
004BDF5D |. 8BEC mov ebp, esp
004BDF5F |. 83C4 D8 add esp, -28
004BDF62 |. B8 10DE6100 mov eax, 0061DE10
004BDF67 |. 53 push ebx
004BDF68 |. 56 push esi
004BDF69 |. 57 push edi
004BDF6A |. BF 98B96100 mov edi, 0061B998
004BDF6F |. BE 50B96100 mov esi, 0061B950
004BDF74 |. E8 4B1E0700 call 0052FDC4
004BDF79 |. 833D 48B96100>cmp dword ptr [61B948], 0
004BDF80 |. 75 36 jnz short 004BDFB8
004BDF82 |. 68 08040000 push 408
004BDF87 |. E8 54241100 call <jmp.&CC3260MT.@$bnew$qui>
004BDF8C |. 59 pop ecx
004BDF8D |. 8945 FC mov dword ptr [ebp-4], eax
004BDF90 |. 85C0 test eax, eax
004BDF92 |. 74 1B je short 004BDFAF
004BDF94 |. 66:C745 E8 14>mov word ptr [ebp-18], 14
004BDF9A |. 8B55 FC mov edx, dword ptr [ebp-4]
004BDF9D |. 52 push edx
004BDF9E |. E8 D5111100 call <jmp.&CSIRSACrypt.SupperProClass::SupperPr>
004BDFA3 |. 59 pop ecx
004BDFA4 |. 66:C745 E8 08>mov word ptr [ebp-18], 8
004BDFAA |. 8B4D FC mov ecx, dword ptr [ebp-4]
004BDFAD |. EB 03 jmp short 004BDFB2
004BDFAF |> 8B4D FC mov ecx, dword ptr [ebp-4]
004BDFB2 |> 890D 48B96100 mov dword ptr [61B948], ecx
004BDFB8 |> 833D 4CB96100>cmp dword ptr [61B94C], 0A
004BDFBF |. 75 11 jnz short 004BDFD2 ------------ found that this jumps away; after NOPing it AL should come out different, heh, let's try
004BDFC1 |. B0 01 mov al, 1
004BDFC3 |. 8B55 D8 mov edx, dword ptr [ebp-28]
004BDFC6 |. 64:8915 00000>mov dword ptr fs:[0], edx
004BDFCD |. E9 2E010000 jmp 004BE100
004BDFD2 |> 833D 4CB96100>cmp dword ptr [61B94C], 0
004BDFD9 |. 74 11 je short 004BDFEC
004BDFDB |. 33C0 xor eax, eax
004BDFDD |. 8B55 D8 mov edx, dword ptr [ebp-28]
004BDFE0 |. 64:8915 00000>mov dword ptr fs:[0], edx
004BDFE7 |. E9 14010000 jmp 004BE100
004BDFEC |> 833E 00 cmp dword ptr [esi], 0
004BDFEF |. 74 07 je short 004BDFF8
004BDFF1 |. 8B0E mov ecx, dword ptr [esi]
004BDFF3 |. 8B41 FC mov eax, dword ptr [ecx-4]
004BDFF6 |. EB 02 jmp short 004BDFFA
004BDFF8 |> 33C0 xor eax, eax
004BDFFA |> 85C0 test eax, eax
004BDFFC |. 75 2B jnz short 004BE029
004BDFFE |. 6A 00 push 0
004BE000 |. E8 83EEFFFF call 004BCE88
004BE005 |. 59 pop ecx
004BE006 |. 833E 00 cmp dword ptr [esi], 0
004BE009 |. 74 07 je short 004BE012
004BE00B |. 8B16 mov edx, dword ptr [esi]
004BE00D |. 8B4A FC mov ecx, dword ptr [edx-4]
004BE010 |. EB 02 jmp short 004BE014
004BE012 |> 33C9 xor ecx, ecx
004BE014 |> 85C9 test ecx, ecx
004BE016 |. 75 11 jnz short 004BE029
004BE018 |. 33C0 xor eax, eax
004BE01A |. 8B55 D8 mov edx, dword ptr [ebp-28]
004BE01D |. 64:8915 00000>mov dword ptr fs:[0], edx
004BE024 |. E9 D7000000 jmp 004BE100
004BE029 |> 33DB xor ebx, ebx
004BE02B |. E8 F8FEFFFF call 004BDF28
004BE030 |. 84C0 test al, al
004BE032 |. 74 02 je short 004BE036
004BE034 |. B3 01 mov bl, 1
004BE036 |> 84DB test bl, bl
004BE038 |. 75 25 jnz short 004BE05F
004BE03A |. 8D87 12110000 lea eax, dword ptr [edi+1112]
004BE040 |. 50 push eax
004BE041 |. 833E 00 cmp dword ptr [esi], 0
004BE044 |. 74 04 je short 004BE04A
004BE046 |. 8B16 mov edx, dword ptr [esi]
004BE048 |. EB 06 jmp short 004BE050
004BE04A |> 8D97 24110000 lea edx, dword ptr [edi+1124]
004BE050 |> 52 push edx ; |s1
004BE051 |. E8 DA241100 call <jmp.&CC3260MT._stricmp> ; \_stricmp
004BE056 |. 83C4 08 add esp, 8
004BE059 |. 85C0 test eax, eax
004BE05B |. 75 02 jnz short 004BE05F
004BE05D |. B3 01 mov bl, 1
004BE05F |> 84DB test bl, bl
004BE061 |. 75 25 jnz short 004BE088
004BE063 |. 8D87 25110000 lea eax, dword ptr [edi+1125]
004BE069 |. 50 push eax
004BE06A |. 833E 00 cmp dword ptr [esi], 0
004BE06D |. 74 04 je short 004BE073
004BE06F |. 8B16 mov edx, dword ptr [esi]
004BE071 |. EB 06 jmp short 004BE079
004BE073 |> 8D97 37110000 lea edx, dword ptr [edi+1137]
004BE079 |> 52 push edx ; |s1
004BE07A |. E8 B1241100 call <jmp.&CC3260MT._stricmp> ; \_stricmp
004BE07F |. 83C4 08 add esp, 8
004BE082 |. 85C0 test eax, eax
004BE084 |. 75 02 jnz short 004BE088
004BE086 |. B3 01 mov bl, 1
004BE088 |> 84DB test bl, bl
004BE08A |. 75 25 jnz short 004BE0B1
004BE08C |. 8D87 38110000 lea eax, dword ptr [edi+1138]
004BE092 |. 50 push eax
004BE093 |. 833E 00 cmp dword ptr [esi], 0
004BE096 |. 74 04 je short 004BE09C
004BE098 |. 8B16 mov edx, dword ptr [esi]
004BE09A |. EB 06 jmp short 004BE0A2
004BE09C |> 8D97 4A110000 lea edx, dword ptr [edi+114A]
004BE0A2 |> 52 push edx ; |s1
004BE0A3 |. E8 88241100 call <jmp.&CC3260MT._stricmp> ; \_stricmp
004BE0A8 |. 83C4 08 add esp, 8
004BE0AB |. 85C0 test eax, eax
004BE0AD |. 75 02 jnz short 004BE0B1
004BE0AF |. B3 01 mov bl, 1
004BE0B1 |> 84DB test bl, bl
004BE0B3 |. 75 25 jnz short 004BE0DA
004BE0B5 |. 8D87 4B110000 lea eax, dword ptr [edi+114B]
004BE0BB |. 50 push eax
004BE0BC |. 833E 00 cmp dword ptr [esi], 0
004BE0BF |. 74 04 je short 004BE0C5
004BE0C1 |. 8B16 mov edx, dword ptr [esi]
004BE0C3 |. EB 06 jmp short 004BE0CB
004BE0C5 |> 8D97 5D110000 lea edx, dword ptr [edi+115D]
004BE0CB |> 52 push edx ; |s1
004BE0CC |. E8 5F241100 call <jmp.&CC3260MT._stricmp> ; \_stricmp
004BE0D1 |. 83C4 08 add esp, 8
004BE0D4 |. 85C0 test eax, eax
004BE0D6 |. 75 02 jnz short 004BE0DA
004BE0D8 |. B3 01 mov bl, 1
004BE0DA |> 84DB test bl, bl
004BE0DC |. 74 0C je short 004BE0EA
004BE0DE |. C705 4CB96100>mov dword ptr [61B94C], 0A
004BE0E8 |. EB 0A jmp short 004BE0F4
004BE0EA |> C705 4CB96100>mov dword ptr [61B94C], -1
004BE0F4 |> 8BC3 mov eax, ebx
004BE0F6 |. 8B55 D8 mov edx, dword ptr [ebp-28]
004BE0F9 |. 64:8915 00000>mov dword ptr fs:[0], edx
004BE100 |> 5F pop edi
004BE101 |. 5E pop esi
004BE102 |. 5B pop ebx
004BE103 |. 8BE5 mov esp, ebp
004BE105 |. 5D pop ebp
004BE106 \. C3 retn
After this patch the program is really OK, haha, done!
By the same idea, the JMP in the first step need not be changed either: step into the 004D26EB . E8 4887FEFF call 004BAE38 above
and change the value of AL inside that CALL; wouldn't that work too?
004D26EB . E8 4887FEFF call 004BAE38
004D26F0 . 84C0 test al, al
004D26F2 0F85 AD020000 jnz 004D29A5 ...... originally changed to JMP here, which also works,
Step into here:
004BAE38 /$ 55 push ebp
004BAE39 |. 8BEC mov ebp, esp
004BAE3B |. 83C4 90 add esp, -70
004BAE3E |. 53 push ebx
004BAE3F |. 56 push esi
004BAE40 |. 8D5D 98 lea ebx, dword ptr [ebp-68]
004BAE43 |. BE 58B96100 mov esi, 0061B958
004BAE48 |. B8 8CCC6100 mov eax, 0061CC8C
004BAE4D |. E8 724F0700 call 0052FDC4
004BAE52 |. 8B06 mov eax, dword ptr [esi]
004BAE54 |. 85C0 test eax, eax
004BAE56 |. 74 23 je short 004BAE7B
004BAE58 |. 8945 F8 mov dword ptr [ebp-8], eax
004BAE5B |. 837D F8 00 cmp dword ptr [ebp-8], 0
004BAE5F |. 74 1A je short 004BAE7B
004BAE61 |. 66:C743 10 14>mov word ptr [ebx+10], 14
004BAE67 |. 6A 03 push 3
004BAE69 |. 8B55 F8 mov edx, dword ptr [ebp-8]
004BAE6C |. 52 push edx
004BAE6D |. E8 D0421100 call <jmp.&CSIRSACrypt.CSIEDALicenseControlClas>
004BAE72 |. 66:C743 10 08>mov word ptr [ebx+10], 8
004BAE78 |. 83C4 08 add esp, 8
004BAE7B |> 6A 50 push 50
004BAE7D |. E8 5E551100 call <jmp.&CC3260MT.@$bnew$qui>
004BAE82 |. 59 pop ecx
004BAE83 |. 8945 F4 mov dword ptr [ebp-C], eax
004BAE86 |. 85C0 test eax, eax
004BAE88 |. 74 1B je short 004BAEA5
004BAE8A |. 66:C743 10 2C>mov word ptr [ebx+10], 2C
004BAE90 |. 8B55 F4 mov edx, dword ptr [ebp-C]
004BAE93 |. 52 push edx
004BAE94 |. E8 A3421100 call <jmp.&CSIRSACrypt.CSIEDALicenseControlClas>
004BAE99 |. 59 pop ecx
004BAE9A |. 66:C743 10 20>mov word ptr [ebx+10], 20
004BAEA0 |. 8B4D F4 mov ecx, dword ptr [ebp-C]
004BAEA3 |. EB 03 jmp short 004BAEA8
004BAEA5 |> 8B4D F4 mov ecx, dword ptr [ebp-C]
004BAEA8 |> 890E mov dword ptr [esi], ecx
004BAEAA |. 803D 55B96100>cmp byte ptr [61B955], 1
004BAEB1 |. 75 10 jnz short 004BAEC3 ---------------------- change this to 74 10 and that's it, haha
004BAEB3 |. B0 01 mov al, 1
004BAEB5 |. 8B13 mov edx, dword ptr [ebx]
004BAEB7 |. 64:8915 00000>mov dword ptr fs:[0], edx
004BAEBE |. E9 59030000 jmp 004BB21C
004BAEC3 |> 66:C743 10 44>mov word ptr [ebx+10], 44
004BAEC9 |. BA 65C26100 mov edx, 0061C265 ; \license\license.lic
004BAECE |. 8D45 EC lea eax, dword ptr [ebp-14]
004BAED1 |. E8 12520700 call 005300E8
004BAED6 |. FF43 1C inc dword ptr [ebx+1C]
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
The above is quite a mess, so here is a summary:
Breakpoints
Address Module Active Disassembly Comment
00415376 CSiEDA5 disabled jmp 00415401
004BA75D CSiEDA5 disabled je short 004BA76F
004BD86B CSiEDA5 disabled nop
Prompt: No Hard Key or License Client.Do you want to run in evaluation mode?
Searching the strings for evaluation mode and looking upward gets you here.
004BAEB1 |. /74 10 je short 004BAEC3 ............................ change this to 74 10
004BAEB3 |. |B0 01 mov al, 1
004BAEB5 |. |8B13 mov edx, dword ptr [ebx]
004BAEB7 |. |64:8915 00000>mov dword ptr fs:[0], edx
004BAEBE |. |E9 59030000 jmp 004BB21C
004BAEC3 |> \66:C743 10 44>mov word ptr [ebx+10], 44
004BAEC9 |. BA 65C26100 mov edx, 0061C265 ; \license\license.lic search for this string to find the 75 10
004BAECE |. 8D45 EC lea eax, dword ptr [ebp-14]
This gives you all the licenses.
Search: csieda epd designer license
There are two places; the one with two consecutive CALLs is the right one, as follows:
004BBC67 |. E8 58410700 call 0052FDC4 ........................ two places; the one with two consecutive CALLs is the right one; step into the second CALL and make
004BBC6C |. E8 EB220000 call 004BDF5C
004BBC71 |. 84C0 test al, al
004BBC73 |. 74 0E je short 004BBC83 ----------------------- this jump taken on its own; don't change it to JMP,
004BBC75 |. B0 01 mov al, 1
004BBC77 |. 8B55 D8 mov edx, dword ptr [ebp-28]
004BBC7A |. 64:8915 00000>mov dword ptr fs:[0], edx
004BBC81 |. EB 68 jmp short 004BBCEB
004BBC83 |> 66:C745 E8 14>mov word ptr [ebp-18], 14
004BBC89 |. BA 4FC46100 mov edx, 0061C44F ; csieda epd designer license
004BBC8E |. 8D45 FC lea eax, dword ptr [ebp-4]
004BD86B 75 11 jnz short 004BD87E ................................................ change to 90 90
004BD86D |. B0 01 mov al, 1 ......................................................... so that the value of AL changes,
004BD86F |. 8B55 D8 mov edx, dword ptr [ebp-28]
004BD872 |. 64:8915 00000>mov dword ptr fs:[0], edx
004BD879 |. E9 05010000 jmp 004BD983
004BD87E |> 833D EC766100>cmp dword ptr [6176EC], 0
004BD885 |. 74 11 je short 004BD898
004BD887 |. 33C0 xor eax, eax
004BD889 |. 8B55 D8 mov edx, dword ptr [ebp-28]
004BD88C |. 64:8915 00000>mov dword ptr fs:[0], edx
004BD893 |. E9 EB000000 jmp 004BD983
004BD898 |> 833E 00 cmp dword ptr [esi], 0
004BD89B |. 74 07 je short 004BD8A4
The no-dongle prompt:
0041536E . E8 ED741100 call 0052C860
00415373 . 59 pop ecx
00415374 . 84C9 test cl, cl
00415376 0F84 85000000 je 00415401 ........................................................... JMP, jumps away
0041537C . 66:C743 10 B8>mov word ptr [ebx+1>
00415382 . BA F5EE5C00 mov edx, 005CEEF5 ; lost the hard key in your system. please check your hard key and restart program.
00415387 . 8D45 90 lea eax, dword ptr >
0041538A . E8 85711100 call 0052C514
0041538F . FF43 1C inc dword ptr [ebx+>
00415392 . 8D55 8C lea edx, dword ptr >
Patch just these few places and the software is completely cracked; restore everything else to the original!
--------------------------------------------------------------------------------
【Lessons learned】
A newbie's crack doesn't really come with lessons learned, but on one point I'll say something a little different.
First, I basically don't understand cracking; I don't even count as a newbie. But I believe that if you just go at it there is always something you can crack; never mind how hard the software is supposed to be, try first and
see. Take this software: dongle plus license file, not something I should have been able to crack, yet only by trying did I find out that sometimes cracking really isn't completely beyond me.
The several pieces of software I have cracked are all shared at:
http://www.eplan-eb2.ys168.com/
They all have dongle protection, dongle plus license, yet I seem able to crack them all. It feels unbelievable!!!!!!!!!
Maybe it's because they are all well-known foreign industry packages and don't care much about the protection; it guards against gentlemen, while the scoundrels can even serve as their free salesmen!
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) technical forum; when reposting please credit the author and keep the article intact. Thank you!
29 November 2008, 13:26:30