pecompact1.50

标题：pecompact1.50破解过程（加入BCG的第一篇） (8千字)
作者：大老
时间：2001-6-28 16:10:08
链接：http://bbs.pediy.com

pecompact1.50破解过程（加入BCG的第一篇）

工具：TRW2000 W32DASM大老专版
破解人：大老
软件下载：www.exetools
第一步：先脱壳！
用trw2000载入下PNEWSEC后用PEDUMP 生成DUMP1.EXE用peditor--REBUILDER--文件
脱壳完成
第二部：破解天数限制！
用W32Dasm打开pecompact.exe
:00404D61 C8000000 enter 0000, 00
:00404D65 53 push ebx
:00404D66 57 push edi
:00404D67 56 push esi
:00404D68 817D0C10010000 cmp dword ptr [ebp+0C], 00000110
:00404D6F 0F8533010000 jne 00404EA8
:00404D75 6880000000 push 00000080
:00404D7A FF3560E14000 push dword ptr [0040E160]
:00404D80 E825510000 call 00409EAA
:00404D85 50 push eax
:00404D86 50 push eax
:00404D87 6A00 push 00000000
:00404D89 6880000000 push 00000080
:00404D8E FF7508 push [ebp+08]
:00404D91 E8EA500000 call 00409E80
:00404D96 58 pop eax
:00404D97 50 push eax
:00404D98 6A01 push 00000001
:00404D9A 6880000000 push 00000080
:00404D9F FF7508 push [ebp+08]
:00404DA2 E8D9500000 call 00409E80

* Possible StringData Ref from Code Obj ->"About PECompact"
|
:00404DA7 688ACA4000 push 0040CA8A
:00404DAC FF7508 push [ebp+08]
:00404DAF E8AE500000 call 00409E62
:00404DB4 6819F84000 push 0040F819
:00404DB9 E8B64E0000 call 00409C74
:00404DBE A119F84000 mov eax, dword ptr [0040F819]
:00404DC3 8B0D1DF84000 mov ecx, dword ptr [0040F81D]
:00404DC9 51 push ecx
:00404DCA 50 push eax

* Possible StringData Ref from Code Obj ->"JCALG1 version: %d.%d"
|
:00404DCB 68EAF74000 push 0040F7EA
:00404DD0 686AF74000 push 0040F76A
:00404DD5 E8D6500000 call 00409EB0
:00404DDA 83C410 add esp, 00000010
:00404DDD 686AF74000 push 0040F76A
:00404DE2 6872040000 push 00000472
:00404DE7 FF7508 push [ebp+08]
:00404DEA E885500000 call 00409E74
:00404DEF 6A32 push 00000032
:00404DF1 6A01 push 00000001

* Possible StringData Ref from Code Obj ->"PECompact version: %d.%d"
|
:00404DF3 6800F84000 push 0040F800
:00404DF8 686AF74000 push 0040F76A
:00404DFD E8AE500000 call 00409EB0
:00404E02 83C410 add esp, 00000010
:00404E05 686AF74000 push 0040F76A
:00404E0A 6873040000 push 00000473
:00404E0F FF7508 push [ebp+08]
:00404E12 E85D500000 call 00409E74
:00404E17 A1F1E14000 mov eax, dword ptr [0040E1F1]=》这个地址[可疑]
:00404E1C 83F800 cmp eax, 00000000 ====>注意如果EAX=0试用结束
:00404E1F 7F23 jg 00404E44 ===〉一般改法改成JMP即可！

* Possible StringData Ref from Code Obj ->"YOUR TRIAL PERIOD HAS ENDED!"
|
:00404E21 68E5EF4000 push 0040EFE5
:00404E26 6870040000 push 00000470
:00404E2B FF7508 push [ebp+08]
:00404E2E E841500000 call 00409E74

* Possible StringData Ref from Code Obj ->"Exit"
|
:00404E33 6802F04000 push 0040F002
:00404E38 6A01 push 00000001
:00404E3A FF7508 push [ebp+08]
:00404E3D E832500000 call 00409E74
:00404E42 EB25 jmp 00404E69
:00404E44 50 push eax

* Possible StringData Ref from Code Obj ->"You have %d days remaining of "
->"your trial."
|
:00404E45 68BBEF4000 push 0040EFBB
:00404E4A 6857EF4000 push 0040EF57
:00404E4F E85C500000 call 00409EB0
:00404E54 83C40C add esp, 0000000C
:00404E57 6857EF4000 push 0040EF57
:00404E5C 6870040000 push 00000470
:00404E61 FF7508 push [ebp+08]
:00404E64 E80B500000 call 00409E74

* Possible StringData Ref from Code Obj ->"
Licensed for 14-day evaluation. "
->"Registration is required for continued "
->"use."
|
:00404E69 6839DA4000 push 0040DA39
:00404E6E 680C040000 push 0000040C
:00404E73 FF7508 push [ebp+08]
:00404E76 E8F94F0000 call 00409E74

* Possible StringData Ref from Code Obj ->"PECompact v1.50, ?999-2001 by "
->"Jeremy Collake"
|
:00404E7B 680BDA4000 push 0040DA0B
:00404E80 6853040000 push 00000453
:00404E85 FF7508 push [ebp+08]
:00404E88 E8E74F0000 call 00409E74

* Possible StringData Ref from Code Obj ->"Unregistered!"
|
:00404E8D 689ACA4000 push 0040CA9A
:00404E92 6834040000 push 00000434
:00404E97 FF7508 push [ebp+08]
:00404E9A E8D54F0000 call 00409E74
:00404E9F 33C0 xor eax, eax
:00404EA1 5E pop esi
:00404EA2 5F pop edi
:00404EA3 5B pop ebx
:00404EA4 C9 leave
:00404EA5 C21000 ret 0010

:00404EA8 837D0C10 cmp dword ptr [ebp+0C], 00000010
:00404EAC 7443 je 00404EF1
:00404EAE 817D0C11010000 cmp dword ptr [ebp+0C], 00000111
:00404EB5 7531 jne 00404EE8
:00404EB7 837D1001 cmp dword ptr [ebp+10], 00000001
:00404EBB 7434 je 00404EF1
:00404EBD 817D1010040000 cmp dword ptr [ebp+10], 00000410
:00404EC4 7522 jne 00404EE8
:00404EC6 6A00 push 00000000
:00404EC8 6A00 push 00000000
:00404ECA 6A00 push 00000000

* Possible StringData Ref from Code Obj ->"http://www.collakesoftware.com"
|
:00404ECC 68A7D84000 push 0040D8A7
:00404ED1 6A00 push 00000000
:00404ED3 FF3564E14000 push dword ptr [0040E164]
:00404ED9 E85C500000 call 00409F3A
:00404EDE 33C0 xor eax, eax
:00404EE0 40 inc eax
:00404EE1 5E pop esi
:00404EE2 5F pop edi
:00404EE3 5B pop ebx
:00404EE4 C9 leave
:00404EE5 C21000 ret 0010
============================================================================
大家看到了！注意[0040E1F1]这个内存地址！咱们要做的就是找出往这个地址写天数的
那部分程序！OK!GOGO
:00404E17 mov eax, dword ptr [0040E1F1]=》还可使用的天数！
:00404E1C cmp eax, 00000000 ====>注意如果EAX=0试用结束
下断点！BPX 40E1F1 W 重新启动程序！
=============================================================================
拦截后！的关键核心部分！
:00404FCF 2BD0 sub edx, eax
:00404FD1 8B4B04 mov ecx, dword ptr [ebx+04]
:00404FD4 81F9000B0000 cmp ecx, 00000B00
:00404FDA 720A jb 00404FE6
:00404FDC 771F ja 00404FFD
:00404FDE 81FA0080C851 cmp edx, 51C88000
:00404FE4 7317 jnb 00404FFD
:00404FE6 33D2 xor edx, edx
:00404FE8 8BC1 mov eax, ecx
:00404FEA B98C000000 mov ecx, 0000008C
:00404FEF F7F1 div ecx
:00404FF1 8BC8 mov ecx, eax 以用天数
:00404FF3 B80E000000 mov eax, 0000000E 试用14天！
:00404FF8 2BC1 sub eax, ecx 还能用几天！
:00404FFA 8945F0 mov dword ptr [ebp-10], eax
:00404FFD 8B45F0 mov eax, dword ptr [ebp-10]
:00405000 C9 leave
:00405001 C3 ret
===============================================================
关键核心部分找到了改的话就好改了嘿嘿！
把这句的:00404FF8 2BC1 sub eax, ecx
(2BC1改成C390)
天数限制修改完成！

大老2001-6-28 14:42完成