PE Explorer Version 1.40暴力破解提示
主要为帮助上面那位朋友解决汉化的障碍。
下载地址:
http://realdown.com/$www.winzheng.com$/system/PE.Explorer.v1.40.WinAll-BROKEN/bpx14001.zip
******************************************
经过追踪,可知以下跳转可解决时间过期问题:
:004DD547 A174C24F00 mov eax,
dword ptr [004FC274]
:004DD54C C7003F000000 mov dword ptr
[eax], 0000003F
:004DD552 833DB4B94F0000 cmp dword ptr [004FB9B4],
00000000
:004DD559 740D
je 004DD568 **不跳740D->9090**(1)
:004DD55B 833DB8B94F0000 cmp dword ptr [004FB9B8],
00000000
:004DD562 0F852B010000 jne 004DD693
**跳,0F852B010000->
E92C01000090**(2)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DD559(C)
|
:004DD568 8B45EC
mov eax, dword ptr [ebp-14]
:004DD56B E8689FF2FF call 004074D8
:004DD570 84C0
test al, al
:004DD572 0F84FB000000 je 004DD673
:004DD578 33C0
xor eax, eax
:004DD57A 55
push ebp
:004DD57B 6835D64D00 push 004DD635
:004DD580 64FF30
push dword ptr fs:[eax]
:004DD583 648920
mov dword ptr fs:[eax], esp
:004DD586 8B45F0
mov eax, dword ptr [ebp-10]
:004DD589 8B8030020000 mov eax, dword
ptr [eax+00000230]
:004DD58F 8B55EC
mov edx, dword ptr [ebp-14]
:004DD592 E8912DF3FF call 00410328
:004DD597 8B45F0
mov eax, dword ptr [ebp-10]
:004DD59A 83C028
add eax, 00000028
:004DD59D 33C9
xor ecx, ecx
:004DD59F BA00020000 mov edx,
00000200
:004DD5A4 E8E354F2FF call 00402A8C
:004DD5A9 8B45F0
mov eax, dword ptr [ebp-10]
:004DD5AC 8B8030020000 mov eax, dword
ptr [eax+00000230]
:004DD5B2 E81128F3FF call 0040FDC8
:004DD5B7 3D00020000 cmp eax,
00000200
:004DD5BC 753B
jne 004DD5F9
:004DD5BE 8B45F0
mov eax, dword ptr [ebp-10]
:004DD5C1 8B8030020000 mov eax, dword
ptr [eax+00000230]
:004DD5C7 33C9
xor ecx, ecx
:004DD5C9 33D2
xor edx, edx
:004DD5CB 8B18
mov ebx, dword ptr [eax]
:004DD5CD FF530C
call [ebx+0C]
:004DD5D0 8B45F0
mov eax, dword ptr [ebp-10]
:004DD5D3 8B9830020000 mov ebx, dword
ptr [eax+00000230]
:004DD5D9 8BC3
mov eax, ebx
:004DD5DB E8E827F3FF call 0040FDC8
:004DD5E0 8BC8
mov ecx, eax
:004DD5E2 8B45F0
mov eax, dword ptr [ebp-10]
:004DD5E5 8D5028
lea edx, dword ptr [eax+28]
:004DD5E8 8BC3
mov eax, ebx
:004DD5EA E81128F3FF call 0040FE00
:004DD5EF 8B45F0
mov eax, dword ptr [ebp-10]
:004DD5F2 E881F9FFFF call 004DCF78
:004DD5F7 EB32
jmp 004DD62B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DD5BC(C)
|
:004DD5F9 8B45F0
mov eax, dword ptr [ebp-10]
:004DD5FC 83C028
add eax, 00000028
:004DD5FF 33C9
xor ecx, ecx
:004DD601 BA00020000 mov edx,
00000200
:004DD606 E88154F2FF call 00402A8C
:004DD60B B8B4B94F00 mov eax,
004FB9B4
* Possible StringData Ref from Code Obj ->"trial version"
|
:004DD610 8B15CCB94F00 mov edx, dword
ptr [004FB9CC]
:004DD616 E89D63F2FF call 004039B8
:004DD61B B8B8B94F00 mov eax,
004FB9B8
* Possible StringData Ref from Code Obj ->"12345678FEDCBA98"
|
:004DD620 8B15D0B94F00 mov edx, dword
ptr [004FB9D0]
:004DD626 E88D63F2FF call 004039B8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DD5F7(U)
|
:004DD62B 33C0
xor eax, eax
:004DD62D 5A
pop edx
:004DD62E 59
pop ecx
:004DD62F 59
pop ecx
:004DD630 648910
mov dword ptr fs:[eax], edx
:004DD633 EB5E
jmp 004DD693
:004DD635 E94E5BF2FF jmp 00403188
:004DD63A 8B45F0
mov eax, dword ptr [ebp-10]
:004DD63D 83C028
add eax, 00000028
:004DD640 33C9
xor ecx, ecx
:004DD642 BA00020000 mov edx,
00000200
:004DD647 E84054F2FF call 00402A8C
:004DD64C B8B4B94F00 mov eax,
004FB9B4
* Possible StringData Ref from Code Obj ->"trial version"
|
:004DD651 8B15CCB94F00 mov edx, dword
ptr [004FB9CC]
:004DD657 E85C63F2FF call 004039B8
:004DD65C B8B8B94F00 mov eax,
004FB9B8
* Possible StringData Ref from Code Obj ->"12345678FEDCBA98"
|
:004DD661 8B15D0B94F00 mov edx, dword
ptr [004FB9D0]
:004DD667 E84C63F2FF call 004039B8
:004DD66C E8BB5DF2FF call 0040342C
:004DD671 EB20
jmp 004DD693
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DD572(C)
|
:004DD673 B8B4B94F00 mov eax,
004FB9B4
* Possible StringData Ref from Code Obj ->"trial version"
|
:004DD678 8B15CCB94F00 mov edx, dword
ptr [004FB9CC]
:004DD67E E83563F2FF call 004039B8
:004DD683 B8B8B94F00 mov eax,
004FB9B8
* Possible StringData Ref from Code Obj ->"12345678FEDCBA98"
|
:004DD688 8B15D0B94F00 mov edx, dword
ptr [004FB9D0]
:004DD68E E82563F2FF call 004039B8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004DD562(C), :004DD633(U), :004DD671(U)
|
:004DD693 8B45F0
mov eax, dword ptr [ebp-10]
:004DD696 80782401 cmp
byte ptr [eax+24], 01
:004DD69A 7508
jne 004DD6A4 **跳,75->EB**(3)
:004DD69C 8B45F0
mov eax, dword ptr [ebp-10]
:004DD69F E838F6FFFF call 004DCCDC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DD69A(C)
|
:004DD6A4 E817D9FFFF call 004DAFC0
:004DD6A9 8B45F0
mov eax, dword ptr [ebp-10]
:004DD6AC 80B85402000000 cmp byte ptr [eax+00000254],
00
:004DD6B3 0F85F5070000 jne 004DDEAE
**跳,0F85F5070000->
E9F607000090**(4)
:004DD6B9 8B45F0
mov eax, dword ptr [ebp-10]
:004DD6BC 8B9834020000 mov ebx, dword
ptr [eax+00000234]
:004DD6C2 83C305
add ebx, 00000005
:004DD6C5 8D95C8FCFFFF lea edx, dword
ptr [ebp+FFFFFCC8]
:004DD6CB 8BC3
mov eax, ebx
上面标号处修改,共4处。
************************************************
下面破除过期功能限制:
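经调试可知,下面程序段为功能限制处(可设断DestroyWindow来捕获)。注意:列表开头 004F6AAC–004F6ABF 这一段实际上是数据(长度值 0B 之后是字符串 "' not found"),被反汇编器误当作指令显示,其中 004F6AB4 处的 je 以及它对 004F6AD6 的引用并不是真实代码;真正的函数从 004F6AC0 的 push ebx 开始: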
:004F6AAC 0B00
or eax, dword ptr [eax]
:004F6AAE 0000
add byte ptr [eax], al
:004F6AB0 27
daa
:004F6AB1 206E6F
and byte ptr [esi+6F], ch
:004F6AB4 7420
je 004F6AD6
:004F6AB6 666F
outsw
:004F6AB8 756E
jne 004F6B28
:004F6ABA 64000400 add
byte ptr fs:[eax+eax], al
:004F6ABE 0000
add byte ptr [eax], al
:004F6AC0 53
push ebx
:004F6AC1 8B15E8BD4F00 mov edx, dword
ptr [004FBDE8]
:004F6AC7 833A00
cmp dword ptr [edx], 00000000
:004F6ACA 740A
je 004F6AD6 **设断** (1)
:004F6ACC 8B1DE8BD4F00 mov ebx, dword
ptr [004FBDE8]
:004F6AD2 8B1B
mov ebx, dword ptr [ebx]
:004F6AD4 FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004F6AB4(C), :004F6ACA(C)
|
:004F6AD6 5B
pop ebx
:004F6AD7 C3
ret
* Referenced by a CALL at Address:
|:004F7BF2
|
:004F6AD8 53
push ebx
:004F6AD9 8B1528BF4F00 mov edx, dword
ptr [004FBF28]
:004F6ADF 833A00
cmp dword ptr [edx], 00000000
:004F6AE2 740A
je 004F6AEE **设断** (2)
:004F6AE4 8B1D28BF4F00 mov ebx, dword
ptr [004FBF28]
:004F6AEA 8B1B
mov ebx, dword ptr [ebx]
:004F6AEC FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6AE2(C)
|
:004F6AEE 5B
pop ebx
:004F6AEF C3
ret
* Referenced by a CALL at Address:
|:004F7C12
|
:004F6AF0 53
push ebx
:004F6AF1 8B1578C14F00 mov edx, dword
ptr [004FC178]
:004F6AF7 833A00
cmp dword ptr [edx], 00000000
:004F6AFA 740A
je 004F6B06 **设断** (3)
:004F6AFC 8B1D78C14F00 mov ebx, dword
ptr [004FC178]
:004F6B02 8B1B
mov ebx, dword ptr [ebx]
:004F6B04 FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6AFA(C)
|
:004F6B06 5B
pop ebx
:004F6B07 C3
ret
* Referenced by a CALL at Address:
|:004F7C32
|
:004F6B08 53
push ebx
:004F6B09 8B15A0C04F00 mov edx, dword
ptr [004FC0A0]
:004F6B0F 833A00
cmp dword ptr [edx], 00000000
:004F6B12 740A
je 004F6B1E **设断** (4)
:004F6B14 8B1DA0C04F00 mov ebx, dword
ptr [004FC0A0]
:004F6B1A 8B1B
mov ebx, dword ptr [ebx]
:004F6B1C FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6B12(C)
|
:004F6B1E 5B
pop ebx
:004F6B1F C3
ret
* Referenced by a CALL at Address:
|:004F4F6E
|
:004F6B20 53
push ebx
:004F6B21 8B157CBC4F00 mov edx, dword
ptr [004FBC7C]
:004F6B27 833A00
cmp dword ptr [edx], 00000000
:004F6B2A 740A
je 004F6B36 **设断** (5)
:004F6B2C 8B1D7CBC4F00 mov ebx, dword
ptr [004FBC7C]
:004F6B32 8B1B
mov ebx, dword ptr [ebx]
:004F6B34 FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6B2A(C)
|
:004F6B36 5B
pop ebx
:004F6B37 C3
ret
:004F6B38 53
push ebx
:004F6B39 8B15E4BD4F00 mov edx, dword
ptr [004FBDE4]
:004F6B3F 833A00
cmp dword ptr [edx], 00000000
:004F6B42 740A
je 004F6B4E **设断** (6)
:004F6B44 8B1DE4BD4F00 mov ebx, dword
ptr [004FBDE4]
:004F6B4A 8B1B
mov ebx, dword ptr [ebx]
:004F6B4C FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6B42(C)
|
:004F6B4E 5B
pop ebx
:004F6B4F C3
ret
* Referenced by a CALL at Address:
|:004F7CC2
|
:004F6B50 53
push ebx
:004F6B51 A150BD4F00 mov eax,
dword ptr [004FBD50]
:004F6B56 833800
cmp dword ptr [eax], 00000000
:004F6B59 740C
je 004F6B67 **设断** (7)
:004F6B5B 8B1D50BD4F00 mov ebx, dword
ptr [004FBD50]
:004F6B61 8B1B
mov ebx, dword ptr [ebx]
:004F6B63 8BC2
mov eax, edx
:004F6B65 FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6B59(C)
|
:004F6B67 5B
pop ebx
:004F6B68 C3
ret
:004F6B69 8D4000
lea eax, dword ptr [eax+00]
:004F6B6C 55
push ebp
:004F6B6D 8BEC
mov ebp, esp
:004F6B6F 53
push ebx
:004F6B70 A144BE4F00 mov eax,
dword ptr [004FBE44]
:004F6B75 833800
cmp dword ptr [eax], 00000000
:004F6B78 7411
je 004F6B8B **设断** (8)
:004F6B7A 8B1D44BE4F00 mov ebx, dword
ptr [004FBE44]
:004F6B80 8B1B
mov ebx, dword ptr [ebx]
:004F6B82 8BC2
mov eax, edx
:004F6B84 8BD1
mov edx, ecx
:004F6B86 8A4D08
mov cl, byte ptr [ebp+08]
:004F6B89 FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6B78(C)
|
:004F6B8B 5B
pop ebx
:004F6B8C 5D
pop ebp
:004F6B8D C20400
ret 0004
:004F6B90 55
push ebp
:004F6B91 8BEC
mov ebp, esp
:004F6B93 53
push ebx
:004F6B94 A100C14F00 mov eax,
dword ptr [004FC100]
:004F6B99 833800
cmp dword ptr [eax], 00000000
:004F6B9C 7411
je 004F6BAF **设断** (9)
:004F6B9E 8B1D00C14F00 mov ebx, dword
ptr [004FC100]
:004F6BA4 8B1B
mov ebx, dword ptr [ebx]
:004F6BA6 8BC2
mov eax, edx
:004F6BA8 8BD1
mov edx, ecx
:004F6BAA 8A4D08
mov cl, byte ptr [ebp+08]
:004F6BAD FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6B9C(C)
|
:004F6BAF 5B
pop ebx
:004F6BB0 5D
pop ebp
:004F6BB1 C20400
ret 0004
:004F6BB4 55
push ebp
:004F6BB5 8BEC
mov ebp, esp
:004F6BB7 53
push ebx
:004F6BB8 A170BD4F00 mov eax,
dword ptr [004FBD70]
:004F6BBD 833800
cmp dword ptr [eax], 00000000
:004F6BC0 7411
je 004F6BD3 **设断** (10)
:004F6BC2 8B1D70BD4F00 mov ebx, dword
ptr [004FBD70]
:004F6BC8 8B1B
mov ebx, dword ptr [ebx]
:004F6BCA 8BC2
mov eax, edx
:004F6BCC 8BD1
mov edx, ecx
:004F6BCE 8A4D08
mov cl, byte ptr [ebp+08]
:004F6BD1 FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6BC0(C)
|
:004F6BD3 5B
pop ebx
:004F6BD4 5D
pop ebp
:004F6BD5 C20400
ret 0004
:004F6BD8 53
push ebx
:004F6BD9 A120C24F00 mov eax,
dword ptr [004FC220]
:004F6BDE 833800
cmp dword ptr [eax], 00000000
:004F6BE1 740C
je 004F6BEF **设断** (11)
:004F6BE3 8B1D20C24F00 mov ebx, dword
ptr [004FC220]
:004F6BE9 8B1B
mov ebx, dword ptr [ebx]
:004F6BEB 8BC2
mov eax, edx
:004F6BED FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6BE1(C)
|
:004F6BEF 5B
pop ebx
:004F6BF0 C3
ret
:004F6BF1 8D4000
lea eax, dword ptr [eax+00]
* Referenced by a CALL at Addresses:
|:004F7C56 , :004F7C7B , :004F7CA0
|
:004F6BF4 53
push ebx
:004F6BF5 A1FCBD4F00 mov eax,
dword ptr [004FBDFC]
:004F6BFA 833800
cmp dword ptr [eax], 00000000
:004F6BFD 740C
je 004F6C0B **设断** (12)
:004F6BFF 8B1DFCBD4F00 mov ebx, dword
ptr [004FBDFC]
:004F6C05 8B1B
mov ebx, dword ptr [ebx]
:004F6C07 8BC2
mov eax, edx
:004F6C09 FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6BFD(C)
|
:004F6C0B 5B
pop ebx
:004F6C0C C3
ret
:004F6C0D 8D4000
lea eax, dword ptr [eax+00]
* Referenced by a CALL at Addresses:
|:004CFBF4 , :004CFC31 , :004CFC6E , :004F7CE6 , :004F7D0B
|:004F7D30
|
:004F6C10 53
push ebx
:004F6C11 A108BF4F00 mov eax,
dword ptr [004FBF08]
:004F6C16 833800
cmp dword ptr [eax], 00000000
:004F6C19 740C
je 004F6C27 **设断** (13)
:004F6C1B 8B1D08BF4F00 mov ebx, dword
ptr [004FBF08]
:004F6C21 8B1B
mov ebx, dword ptr [ebx]
:004F6C23 8BC2
mov eax, edx
:004F6C25 FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6C19(C)
|
:004F6C27 5B
pop ebx
:004F6C28 C3
ret
:004F6C29 8D4000
lea eax, dword ptr [eax+00]
* Referenced by a CALL at Address:
|:004F4F82
|
:004F6C2C 53
push ebx
:004F6C2D A1CCBC4F00 mov eax,
dword ptr [004FBCCC]
:004F6C32 833800
cmp dword ptr [eax], 00000000
:004F6C35 740C
je 004F6C43 **设断** (14)
:004F6C37 8B1DCCBC4F00 mov ebx, dword
ptr [004FBCCC]
:004F6C3D 8B1B
mov ebx, dword ptr [ebx]
:004F6C3F 8BC2
mov eax, edx
:004F6C41 FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F6C35(C)
|
:004F6C43 5B
pop ebx
:004F6C44 C3
ret
功能限制标号共有14处,下面以修改(1)处为例:
:004F6ABE 0000
add byte ptr [eax], al
:004F6AC0 53
push ebx
:004F6AC1 8B15E8BD4F00 mov edx, dword
ptr [004FBDE8]
:004F6AC7 833A00
cmp dword ptr [edx], 00000000
:004F6ACA 740A
je 004F6AD6 **设断** (1)
:004F6ACC 8B1DE8BD4F00 mov ebx, dword
ptr [004FBDE8]
:004F6AD2 8B1B
mov ebx, dword ptr [ebx]
:004F6AD4 FFD3
call ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004F6AB4(C), :004F6ACA(C)
|
:004F6AD6 5B
pop ebx
:004F6AD7 C3
ret
在(1)设断拦住后,走到004F6AD4处,看ebx的值是多少(此处为4cbad8),记下后如下修改代码。
原代码:
:004F6ACA 740A
je 004F6AD6
:004F6ACC 8B1DE8BD4F00 mov ebx, dword
ptr [004FBDE8]
:004F6AD2 8B1B
mov ebx, dword ptr [ebx]
改为:
:004F6ACA BBD8BA4C00 mov ebx,4cbad8
-->追到的EBX的值
:004F6ACF 90
nop
:004F6AD0 90
nop
:004F6AD1 90
nop
:004F6AD2 90
nop
:004F6AD3 90
nop
其它13处设断追值修改法同上。下面列出修改后的代码:
(1) :004F6ACA-->BBD8BA4C009090909090
(2) :004F6AE2-->BBA0C44C009090909090
(3) :004F6AFA-->BB40C54C009090909090
(4) :004F6B12-->BB3CCF4C009090909090
(5) :004F6B2A-->BB4CD64C009090909090
(6) :004F6B42-->BBA8E64C009090909090
(7) :004F6B59-->BB08E94C009090909090
(8) :004F6B78-->BB40014D009090909090
(9) :004F6B9C-->BB34044D009090909090
(10):004F6BC0-->BBF8054D009090909090
(11):004F6BE1-->暂未找到,请有兴趣的朋友自行测试修改!
(12):004F6BFD-->BBD8EC4C009090909090
(13):004F6C19-->BBA4F54C009090909090
(14):004F6C35-->BBA8FC4C009090909090
至此基本修改完毕!
补丁下载地址:
http://user.7host.com/kanker/crack/pexplorer-crack.exe
<Cracked by KanKer>
有空的时候来坎坷亦乐园坐坐
http://kanker.ccoo.com
- 标 题:对不起,该软件未经测试便弄上来,让大家笑话了,下面是基本完整破解版。 (19千字)
- 作 者:KanKer
- 时 间:2001-8-17 1:34:00
- 链 接:http://bbs.pediy.com