完美破解winhex9.73的功能限制!
所用工具:trw2000(国人的骄傲)、w32dasm8.93(破解利器)
软件下载:www.pchome.net
破解人:大老
邮件:dalao@top86.com
破解目标:冲破 WinHex 不能编辑保存大于 250 KB 文件的限制
软件简介:一个很不错的16进制文件编辑与磁盘编辑软件。WinHex以文件小、速度快,功能不输其它的Hex十六进位编辑器工具得到了ZDNet SoftwareLibrary五颗星最高评价,可做Hex与ASCII码编辑修改,多文件搜寻替换功能,一般运算及逻辑运算,磁盘磁区编辑(支持FAT16、FAT32和NTFS)、自动搜寻编辑,文件对比和分析等功能,另外8.3版新增了RAM编辑功能!
这个软件的作者很变态加了很多的标志来判断是否为真的注册版
而未注册版的判断则少了很多!注意:这就是漏洞!!xixi
进入正题:
先用w32dasm反汇编winhex.exe 注意:以下汇编是我改过后的!
然后查找3DFA00会找到两次
第一次
:0041666D E8DEC1FEFF call
00402850
:00416672 3DFA000000 cmp eax,
000000FA ===》打开文件时比较文件是否大于250k (1)
:00416677 90
nop ====》这里一定不能跳!
:00416678 90
nop
:00416679 C644240201 mov [esp+02],
01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041664D(U), :00416662(C)
|
:0041667E 8D842404010000 lea eax, dword
ptr [esp+00000104]
:00416685 BAC5F84500 mov edx,
0045F8C5
第二次
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043153E(C)
|
:0043154A DF6D08
fild qword ptr [ebp+08]
:0043154D D80D88154300 fmul dword
ptr [00431588]
:00431553 E8F812FDFF call
00402850
:00431558 3DFA000000 cmp eax,
000000FA ====》比较文件是否大于250k (2)
:0043155D EB20
jmp 0043157F ====》这里一定要跳
:0043155F 803DAEF9450000 cmp byte ptr [0045F9AE],
00
:00431566 7517
jne 0043157F
:00431568 66B84F00
mov ax, 004F
:0043156C E87B77FDFF call
00408CEC
以上是准备工作
现在用调试工具trw2000来去掉250K的功能限制!
设断点bpx 431558
打开一个大于250K的文件随便改几处!点击save
断点拦截后按一次F12、一次F10
:00453154 E8DBE3FDFF call
00431534
:00453159 84C0
test al, al =====》我们将来到这
:0045315B 0F84CA010000 je 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045314C(C)
|
:00453161 803D7AF9450002 cmp byte ptr [0045F97A],
02
:00453168 750D
jne 00453177
:0045316A 80BE4721000000 cmp byte ptr [esi+00002147],
00
:00453171 0F84B4010000 je 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00453168(C)
|
:00453177 8BC6
mov eax, esi
:00453179 E8AE3CFFFF call
00446E2C
:0045317E 84C0
test al, al
:00453180 0F84A5010000 je 0045332B
:00453186 837E2400
cmp dword ptr [esi+24], 00000000
:0045318A 7531
jne 004531BD
:0045318C 80BE4621000000 cmp byte ptr [esi+00002146],
00
:00453193 7528
jne 004531BD
:00453195 8B460C
mov eax, dword ptr [esi+0C]
:00453198 E81FA0FBFF call
0040D1BC
:0045319D 880424
mov byte ptr [esp], al
:004531A0 807E3203
cmp byte ptr [esi+32], 03
:004531A4 7417
je 004531BD
:004531A6 803C2400
cmp byte ptr [esp], 00
:004531AA 7511
jne 004531BD
:004531AC 8B560C
mov edx, dword ptr [esi+0C]
:004531AF 66B80A00
mov ax, 000A
:004531B3 E8806DFBFF call
00409F38
:004531B8 E96E010000 jmp 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045318A(C), :00453193(C), :004531A4(C), :004531AA(C)
|
:004531BD 807E3204
cmp byte ptr [esi+32], 04
:004531C1 7507
jne 004531CA
:004531C3 B301
mov bl, 01
:004531C5 E961010000 jmp 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004531C1(C)
|
:004531CA 80BE4621000000 cmp byte ptr [esi+00002146],
00
:004531D1 7434
je 00453207
:004531D3 8A8646210000 mov al, byte
ptr [esi+00002146]
:004531D9 E872F7FBFF call
00412950
:004531DE 84C0
test al, al
:004531E0 0F8445010000 je 0045332B
:004531E6 8D4604
lea eax, dword ptr [esi+04]
:004531E9 E83A4CFCFF call
00417E28
:004531EE 84C0
test al, al
:004531F0 740E
je 00453200
:004531F2 B301
mov bl, 01
:004531F4 8BC6
mov eax, esi
:004531F6 E8ED38FFFF call
00446AE8
:004531FB E92B010000 jmp 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004531F0(C)
|
:00453200 33DB
xor ebx, ebx
:00453202 E924010000 jmp 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004531D1(C)
|
:00453207 DF6E10
fild qword ptr [esi+10]
:0045320A D81D34334500 fcomp dword
ptr [00453334]
:00453210 DFE0
fstsw ax
:00453212 9E
sahf
:00453213 EB0D
jmp 00453222 ======》判断是否为注册版这一定要跳
:00453215 803DAEF9450000 cmp byte ptr [0045F9AE],
00
:0045321C 0F8409010000 je 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00453213(U)
|
:00453222 803D7AF9450000 cmp byte ptr [0045F97A],
00
:00453229 7521
jne 0045324C
:0045322B 803DDDF9450000 cmp byte ptr [0045F9DD],
00
:00453232 7518
jne 0045324C
:00453234 803C2400
cmp byte ptr [esp], 00
:00453238 7412
je 0045324C
:0045323A 8B460C
mov eax, dword ptr [esi+0C]
:0045323D B201
mov dl, 01
:0045323F E83091FBFF call
0040C374
:00453244 84C0
test al, al
:00453246 0F84DF000000 je 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00453229(C), :00453232(C), :00453238(C)
|
:0045324C DF6E10
fild qword ptr [esi+10]
:0045324F D81D38334500 fcomp dword
ptr [00453338]
:00453255 DFE0
fstsw ax
:00453257 9E
sahf
:00453258 EB0D
jmp 00453267 ==============》还有这一定要跳
:0045325A 803DAEF9450000 cmp byte ptr [0045F9AE],
00
:00453261 0F84C4000000 je 0045332B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00453258(U)
|
* Possible Reference to Menu: MenuID_0002
|
:00453267 6A02
push 00000002
:00453269 668B8620210000 mov ax, word ptr
[esi+00002120]
:00453270 E82FA1FBFF call
0040D3A4
:00453275 8BD0
mov edx, eax
:00453277 8B4E0C
mov ecx, dword ptr [esi+0C]
:0045327A 8D4604
lea eax, dword ptr [esi+04]
:0045327D E82E36FCFF call
004168B0 ==============》注意这个call控制写盘操作 (3)
:00453282 84C0
test al, al
:00453284 0F84A1000000 je 0045332B
:0045328A 807E3203
cmp byte ptr [esi+32], 03
:0045328E 750D
jne 0045329D
:00453290 A017EF4500 mov al,
byte ptr [0045EF17]
:00453295 888645210000 mov byte ptr
[esi+00002145], al
:0045329B EB26
jmp 004532C3
进入(3)的call
------------------------------------------------------------
:00416014 DB45D4
fild dword ptr [ebp-2C]
:00416017 DF6DE4
fild qword ptr [ebp-1C]
:0041601A DEC1
faddp st(1), st(0)
:0041601C DF7DE4
fistp qword ptr [ebp-1C]
:0041601F 9B
wait
:00416020 DF6DE4
fild qword ptr [ebp-1C]
:00416023 D81DB0614100 fcomp dword
ptr [004161B0]
:00416029 DFE0
fstsw ax
:0041602B 9E
sahf
:0041602C EB21
jmp 0041604F ================>>关键必须跳!不跳只能保存280K (4)
:0041602E DF6DE4
fild qword ptr [ebp-1C]
:00416031 D81DB4614100 fcomp dword
ptr [004161B4]
:00416037 DFE0
fstsw ax
:00416039 9E
sahf
:0041603A 7313
jnb 0041604F
-----------------------------------------------------------
这样 save的功能限制就解除了!
解除save as的功能限制和解除save的功能限制一样(设断点bpx 431558)
希望大家能举一反三!另外说一下!其中(4)的判断是winhex9.71版以后才加上的!请大家注意!
- 标 题:如何完美破解winhex9.73的功能限制! (8千字)
- 作 者:大老
- 时 间:2001-3-13 8:50:57
- 链 接:http://bbs.pediy.com