Cracking the 超级解霸2000 (Super Jieba 2000) trial version
I don't watch VCDs much, but I bought the 2000 bound volume of 电脑报 (China Computer Newspaper), and the bundled CD came with the Super Jieba 2000 trial version, so I installed it on a whim and used it for practice.
Tools: WinIce 4.05, W32DASM, Hiew 6.4, one pen and some paper.
After 30 uses the trial version pops up an expiry error window. The run count is kept in the configuration file STHSVCD.INI in the WINDOWS folder, as BERUN=<run count>. Presumably, every time STHSVCD starts it first reads the BERUN entry and compares it with 30; if it is less, it increments the entry, writes it back to STHSVCD.INI and proceeds into the main program, otherwise it reports the error. So one could break on GetPrivateProfileStringA or on WritePrivateProfileStringA. Since STHSVCD sets many parameters at startup, GetPrivateProfileStringA may be called many times and is hard to follow, so it is best to set the breakpoint on WritePrivateProfileStringA.
bpx writeprivateprofilestringa,
Run STHSVCD.EXE, and sure enough...
Press F12
00414767 push 00426724 ->"STHVCD.INI"
0041476C push eax
0041476D push 00428C9C ->"BERUN"
00414772 push 00426710 ->"SETTING"
00414777 call dword ptr [004A0670] calls WritePrivateProfileStringA
0041477D cmp ebx, 0000001E <-the breakpoint returns here; 1E is 30
00414780 jle 004147A4 jump if not more than 30 runs, otherwise
00414782 call 0040FAF0 pop up the expiry error window
Looking upward:
00414732 push 00426724 ->"STHVCD.INI"
00414737 push 00000001
00414739 push 00428C9C ->"BERUN"
0041473E push 00426710 ->"SETTING"
00414743 Call dword ptr [004A06F8] calls GetPrivateProfileIntA
00414749 lea ebx,[eax+1] add 1 to the run count so far and put it in EBX
0041474C lea eax, dword ptr [esp+78]
There are two ways to crack it:
1. change jle 004147A4 to jmp 004147A4;
2. drop the EBX increment, i.e. change lea ebx,[eax+1] to three NOPs.
I need not spell out the actual patching steps one by one.
But wait, don't assume everything is fine; there is one more trap! STHSVCD also keeps a value named RunTime under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup, holding the number of runs remaining. Every time STHSVCD runs, RunTime is decremented by 1, and when RunTime reaches 0 it reports the error. Existing cracking results show that after this value is changed to FFFFFFFF, running STHSVCD leaves it unchanged. This spot really is hard to trace: breaking on DialogBoxParamA, RegQueryValueExA and the like all failed. In the end I had to bring out the "Heaven-Reliant Sword" W32DASM; it reported an error while disassembling, but I ignored that and continued, and found that the only registry-reading call is RegQueryValueExA. Searching for the string RegQueryValueExA, I found a single call to it in the program:
0040FBF9 call dword ptr [004A0590] calls RegQueryValueExA
0040FBFF test eax, eax
0040FC01 je 0040FC28 jumps if the return value is 0, otherwise error
I tried disabling je 0040FC28 (changing it to two NOPs, or to INC EAX, DEC EAX), and OK! However STHSVCD is run, RunTime stays at 0x63, i.e. 99, and it never expires.
Audio Jieba (音频解霸) can be patched the same way.
Well, that's all for today; let's all raise our hands in support of genuine software!
Nanyang wxd 2001-1-5
E-mail: wxd125@163.net
Oicq: 21331694
More on "Cracking the Super Jieba 2000 trial version"
*** This is a revised version of "Cracking the Super Jieba 2000 trial version"; it is more detailed and well suited for beginners to study and learn from ***
Earlier I wrote "Cracking the Super Jieba 2000 trial version" and thought it was done, but later, while cracking "虚拟光驱2000" (Virtual CD-ROM 2000), I moved the system date forward by a month, happened to run Super Jieba, and the annoying expiry error window popped up again. Damn! One more trap!! So I analyzed the code in detail again with W32DASM, and sure enough there are three checkpoints; heh, this domestic software really went to great lengths. When the trial version runs, it has to pass, in turn, the "BERUN" 30-run-count check, the 30-day period check and the registry 64-run-count check. Use "String Data References" to search for the string "The Time is over !Please Get one Gold Version !" to locate the code for the expiry error window, as follows:
Breakthrough point
* Referenced by a CALL at Addresses:
|:00414782 , :004147E4 , :0041480F
|
:0040FAF0 81ECD4000000 sub esp, 000000D4
:0040FAF6 8D442454 lea eax, dword ptr [esp+54]
:0040FAFA 53 push ebx
:0040FAFB 56 push esi
:0040FAFC 8B0D9C874200 mov ecx, dword ptr [0042879C]
* Possible Reference to Dialog: DialogID_0080
|
:0040FB02 6880000000 push 00000080
* Reference To: USER32.LoadStringA, Ord:01A9h
|
:0040FB07 8B35D8084A00 mov esi, dword ptr [004A08D8]
:0040FB0D C744240CD2040000 mov [esp+0C], 000004D2
:0040FB15 50 push eax
* Possible Reference to String Resource ID=50061: "The Time is over !
Please Get one Gold
Version !"
|
:0040FB16 688DC30000 push 0000C38D
:0040FB1B 51 push ecx
:0040FB1C FFD6 call esi
Breakthrough point
As you can see, three places, 00414782, 004147E4 and 0041480F, call this routine, so everything becomes clear. Let me walk through it following the program flow:
Breaking through the defenses
:004146E8 8D442478 lea eax, dword ptr [esp+78] ;buffer for the returned entry string
* Possible StringData Ref from Data Obj ->"STHVCD.INI" ;name of the initialization file
|
:004146EC 6824674200 push 00426724
* Possible Reference to Dialog: DialogID_0080
|
:004146F1 6880000000 push 00000080 ;maximum number of characters in the buffer
:004146F6 50 push eax ;buffer for the returned entry string
:004146F7 68D0664200 push 004266D0 ;default value returned when the entry is not found, NULL here
* Possible StringData Ref from Data Obj ->"SOURCEPATH"
|
:004146FC 68A48C4200 push 00428CA4 ;name of the entry to read
* Possible StringData Ref from Data Obj ->"INSTALL" ;name of the section to look in
|
:00414701 68D0694200 push 004269D0
* Reference To: KERNEL32.GetPrivateProfileStringA, Ord:019Fh
|
:00414706 FF1564064A00 Call dword ptr [004A0664]
:0041470C 85C0 test eax, eax
:0041470E 7422 je 00414732 ;0 bytes copied to the buffer, i.e. STHVCD.INI has no such entry
:00414710 0FBE442478 movsx eax, byte ptr [esp+78] ;copy the first byte of the buffer into EAX
:00414715 83F861 cmp eax, 00000061 ;compare with 'a'
:00414718 7C05 jl 0041471F
:0041471A 83F87A cmp eax, 0000007A ;compare with 'z'
:0041471D 7E0D jle 0041472C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414718(C) ;Guess: if Jieba 2000 was installed from CD,
| ;the first character of SOURCEPATH is set to a
:0041471F 8A44247B mov al, byte ptr [esp+7B] ;lowercase letter, and if the fourth character is
:00414723 84C0 test al, al ;NULL (i.e. a root directory), as in e:\, the
:00414725 B801000000 mov eax, 00000001 ;BERUN check is skipped and it goes to the date check.
:0041472A 7402 je 0041472E ;If installed from CD, the first character is set
;to uppercase and BERUN must be checked
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041471D(C)
|
:0041472C 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041472A(C)
|
:0041472E 85C0 test eax, eax
:00414730 7572 jne 004147A4 ;jump to the date check, 1.1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041470E(C)
|
* Possible StringData Ref from Data Obj ->"STHVCD.INI"
|
:00414732 6824674200 push 00426724
:00414737 6A01 push 00000001
* Possible StringData Ref from Data Obj ->"BERUN"
|
:00414739 689C8C4200 push 00428C9C
* Possible StringData Ref from Data Obj ->"SETTING"
|
:0041473E 6810674200 push 00426710
* Reference To: KERNEL32.GetPrivateProfileIntA, Ord:0199h
|
:00414743 FF15F8064A00 Call dword ptr [004A06F8]
:00414749 8D5801 lea ebx, dword ptr [eax+01] ;add 1 to the run count so far and put it in EBX
:0041474C 8D442478 lea eax, dword ptr [esp+78]
:00414750 53 push ebx
* Possible StringData Ref from Data Obj ->"%d"
|
:00414751 68F8664200 push 004266F8
:00414756 50 push eax
* Reference To: USER32.wsprintfA, Ord:029Fh
|
:00414757 FF15E4084A00 Call dword ptr [004A08E4]
:0041475D 8D842484000000 lea eax, dword ptr [esp+00000084]
:00414764 83C40C add esp, 0000000C
* Possible StringData Ref from Data Obj ->"STHVCD.INI"
|
:00414767 6824674200 push 00426724
:0041476C 50 push eax
* Possible StringData Ref from Data Obj ->"BERUN"
|
:0041476D 689C8C4200 push 00428C9C
* Possible StringData Ref from Data Obj ->"SETTING"
|
:00414772 6810674200 push 00426710
* Reference To: KERNEL32.WritePrivateProfileStringA, Ord:033Bh
|
:00414777 FF1570064A00 Call dword ptr [004A0670]
:0041477D 83FB1E cmp ebx, 0000001E
:00414780 7E22 jle 004147A4 ;not more than 30 runs: jump to the date check, 1.2
:00414782 E869B3FFFF call 0040FAF0 ;otherwise pop up the expiry error window
:00414787 A19C874200 mov eax, dword ptr [0042879C]
:0041478C 8B0D98874200 mov ecx, dword ptr [00428798]
:00414792 3BC1 cmp eax, ecx
:00414794 7407 je 0041479D
:00414796 50 push eax
* Reference To: KERNEL32.FreeLibrary, Ord:0133h
|
:00414797 FF15F0064A00 Call dword ptr [004A06F0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414794(C)
|
:0041479D 33C0 xor eax, eax
:0041479F E972070000 jmp 00414F16
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00414730(C), :00414780(C)
|
:004147A4 A160874200 mov eax, dword ptr [00428760] ;Guess: for a genuine installation the
:004147A9 85C0 test eax, eax ;variable [00428760]=0 and it jumps to the
:004147AB 7459 je 00414806 ;registry check, 2.1; otherwise [00428760]
:004147AD 8D442468 lea eax, dword ptr [esp+68] ;holds the expiry date information
:004147B1 50 push eax
* Reference To: KERNEL32.GetSystemTime, Ord:01C6h
|
:004147B2 FF15AC064A00 Call dword ptr [004A06AC]
:004147B8 8B4C2468 mov ecx, dword ptr [esp+68] ;current date; the code below packs the date
:004147BC 33C0 xor eax, eax
:004147BE 668B44246A mov ax, word ptr [esp+6A]
:004147C3 81E1FFFF0000 and ecx, 0000FFFF
:004147C9 C1E104 shl ecx, 04
:004147CC 8B1560874200 mov edx, dword ptr [00428760]
:004147D2 0BC8 or ecx, eax
:004147D4 33C0 xor eax, eax
:004147D6 C1E108 shl ecx, 08
:004147D9 668B44246E mov ax, word ptr [esp+6E]
:004147DE 0BC8 or ecx, eax
:004147E0 3BCA cmp ecx, edx ;compare with the expiry date,
:004147E2 7622 jbe 00414806 ;not expired: jump to the registry RunTime value check, 2.2
:004147E4 E807B3FFFF call 0040FAF0 ;pop up the expiry error window
:004147E9 A19C874200 mov eax, dword ptr [0042879C]
:004147EE 8B0D98874200 mov ecx, dword ptr [00428798]
:004147F4 3BC1 cmp eax, ecx
:004147F6 7407 je 004147FF
:004147F8 50 push eax
* Reference To: KERNEL32.FreeLibrary, Ord:0133h
|
:004147F9 FF15F0064A00 Call dword ptr [004A06F0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004147F6(C)
|
:004147FF 33C0 xor eax, eax
:00414801 E910070000 jmp 00414F16
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004147AB(C), :004147E2(C)
|
:00414806 E875B3FFFF call 0040FB80 ;returns the RunTime value under HKEY_LOCAL_MACHINE\Software\Microsoft
:0041480B 85C0 test eax, eax ;\Windows\CurrentVersion\Setup
:0041480D 7522 jne 00414831 ;RunTime is not 0: congratulations, you can watch VCDs!! 3
:0041480F E8DCB2FFFF call 0040FAF0 ;pop up the expiry error window
:00414814 8B0D9C874200 mov ecx, dword ptr [0042879C]
:0041481A A198874200 mov eax, dword ptr [00428798]
:0041481F 3BC8 cmp ecx, eax
:00414821 7407 je 0041482A
:00414823 51 push ecx
* Reference To: KERNEL32.FreeLibrary, Ord:0133h
|
:00414824 FF15F0064A00 Call dword ptr [004A06F0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414821(C)
|
:0041482A 33C0 xor eax, eax
:0041482C E9E5060000 jmp 00414F16
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041480D(C)
|
:00414831 33DB xor ebx, ebx ;the wonderful world begins here......
Breaking through the defenses
Registry-related operations
* Referenced by a CALL at Address:
|:00414806
|
:0040FB80 83EC10 sub esp, 00000010
:0040FB83 8D442404 lea eax, dword ptr [esp+04]
:0040FB87 53 push ebx
:0040FB88 56 push esi
:0040FB89 50 push eax
:0040FB8A 681F000200 push 0002001F
:0040FB8F 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\Windows\CurrentVersion\Setu"
->"p"
|
:0040FB91 689C7F4200 push 00427F9C
:0040FB96 6802000080 push 80000002
* Reference To: ADVAPI32.RegOpenKeyExA, Ord:00EFh
|
:0040FB9B FF1598054A00 Call dword ptr [004A0598]
:0040FBA1 85C0 test eax, eax
:0040FBA3 7424 je 0040FBC9 ;key opened successfully: jump; otherwise create the key
:0040FBA5 8D44240C lea eax, dword ptr [esp+0C]
:0040FBA9 50 push eax
* Possible StringData Ref from Data Obj ->"SOFTWARE\Microsoft\Windows\CurrentVersion\Setu"
->"p"
|
:0040FBAA 689C7F4200 push 00427F9C
:0040FBAF 6802000080 push 80000002
* Reference To: ADVAPI32.RegCreateKeyA, Ord:00DBh
|
:0040FBB4 FF1594054A00 Call dword ptr [004A0594]
:0040FBBA 85C0 test eax, eax
:0040FBBC 740B je 0040FBC9 ;key created successfully: jump; otherwise EAX=FFFFFFFF and return
:0040FBBE B8FFFFFFFF mov eax, FFFFFFFF
:0040FBC3 5E pop esi
:0040FBC4 5B pop ebx
:0040FBC5 83C410 add esp, 00000010
:0040FBC8 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040FBA3(C), :0040FBBC(C)
|
:0040FBC9 BE04000000 mov esi, 00000004
:0040FBCE 8D442410 lea eax, dword ptr [esp+10]
:0040FBD2 8D4C2408 lea ecx, dword ptr [esp+08]
:0040FBD6 50 push eax
:0040FBD7 8D542418 lea edx, dword ptr [esp+18]
:0040FBDB 51 push ecx
:0040FBDC 8B442414 mov eax, dword ptr [esp+14]
:0040FBE0 52 push edx
:0040FBE1 8974241C mov dword ptr [esp+1C], esi
:0040FBE5 6A00 push 00000000
:0040FBE7 89742424 mov dword ptr [esp+24], esi
:0040FBEB 68947F4200 push 00427F94
:0040FBF0 C744241C00000000 mov [esp+1C], 00000000
:0040FBF8 50 push eax
* Reference To: ADVAPI32.RegQueryValueExA, Ord:00F7h
|
:0040FBF9 FF1590054A00 Call dword ptr [004A0590]
:0040FBFF 85C0 test eax, eax ;this is where I slipped up before, changing it to an unconditional jump
:0040FC01 7425 je 0040FC28 ;value read successfully: jump; otherwise set the value RunTime=64
:0040FC03 8D442408 lea eax, dword ptr [esp+08]
:0040FC07 56 push esi
:0040FC08 8B4C2410 mov ecx, dword ptr [esp+10]
:0040FC0C 50 push eax
:0040FC0D C744241064000000 mov [esp+10], 00000064
:0040FC15 56 push esi
:0040FC16 6A00 push 00000000
:0040FC18 68947F4200 push 00427F94
* Reference To: ADVAPI32.RegSetValueExA, Ord:0103h
|
:0040FC1D 8B359C054A00 mov esi, dword ptr [004A059C]
:0040FC23 51 push ecx
:0040FC24 FFD6 call esi
:0040FC26 EB06 jmp 0040FC2E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040FC01(C)
|
* Reference To: ADVAPI32.RegSetValueExA, Ord:0103h
|
:0040FC28 8B359C054A00 mov esi, dword ptr [004A059C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040FC26(U)
|
:0040FC2E 8B442408 mov eax, dword ptr [esp+08] ;RunTime value -> eax
:0040FC32 85C0 test eax, eax
:0040FC34 7421 je 0040FC57 ;jump if 0, meaning it has already expired
:0040FC36 83F8FF cmp eax, FFFFFFFF ;jump if FFFFFFFF; now you see why RunTime=FFFFFFFF
:0040FC39 741C je 0040FC57 ;never expires!!
:0040FC3B 48 dec eax ;decrement the RunTime value by 1
:0040FC3C 6A04 push 00000004
:0040FC3E 8D4C240C lea ecx, dword ptr [esp+0C]
:0040FC42 8B542410 mov edx, dword ptr [esp+10]
:0040FC46 8944240C mov dword ptr [esp+0C], eax
:0040FC4A 51 push ecx
:0040FC4B 6A04 push 00000004
:0040FC4D 6A00 push 00000000
:0040FC4F 68947F4200 push 00427F94
:0040FC54 52 push edx
:0040FC55 FFD6 call esi
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040FC34(C), :0040FC39(C)
|
:0040FC57 8B44240C mov eax, dword ptr [esp+0C]
:0040FC5B 50 push eax
* Reference To: ADVAPI32.RegCloseKey, Ord:00D8h
|
:0040FC5C FF15A0054A00 Call dword ptr [004A05A0]
:0040FC62 8B442408 mov eax, dword ptr [esp+08] ;RunTime value -> eax
:0040FC66 5E pop esi
:0040FC67 5B pop ebx
:0040FC68 83C410 add esp, 00000010
:0040FC6B C3 ret
Registry-related operations
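To make the flow of the three checks easier to follow, here is a Python model of the gates exactly as the listing above shows them. This is an added example, not code from the post or from Super Jieba itself: pack_date, berun_check_needed and run_once are my own names, the dicts ini and registry are hypothetical stand-ins for STHVCD.INI [SETTING] and the Setup key, and the constants and the date packing are read off the listing.

```python
BERUN_LIMIT = 0x1E            # cmp ebx, 0000001E at 0041477D (30 runs)
BERUN_DEFAULT = 1             # push 00000001: default for GetPrivateProfileIntA
RUNTIME_INITIAL = 0x64        # mov [esp+10], 00000064 at 0040FC0D
RUNTIME_FOREVER = 0xFFFFFFFF  # cmp eax, FFFFFFFF at 0040FC36

def pack_date(year, month, day):
    """Mirror 004147B8..004147DE: ((year << 4) | month) << 8 | day.
    Month fits in 4 bits and day in 8, so the packed value orders dates."""
    return (((year << 4) | month) << 8) | day

def berun_check_needed(sourcepath):
    """Branches 00414707..00414730 on [INSTALL] SOURCEPATH from STHVCD.INI."""
    if not sourcepath:                     # je 00414732: entry missing
        return True
    first = ord(sourcepath[0])
    if 0x61 <= first <= 0x7A:              # 'a'..'z': xor eax,eax -> check BERUN
        return True
    # any other first byte (e.g. an uppercase drive letter): inspect the 4th byte
    fourth = sourcepath[3] if len(sourcepath) > 3 else "\0"
    return fourth != "\0"                  # 4th byte NULL -> eax=1 -> skip BERUN

def run_once(ini, registry, today, expiry_packed, sourcepath=""):
    """One launch. ini and registry are dict stand-ins (assumed, not real
    stores) for STHVCD.INI [SETTING] and the Setup key; both are updated
    the way the listing updates the real ones. Returns 'ok' or the gate hit."""
    if berun_check_needed(sourcepath):
        count = ini.get("BERUN", BERUN_DEFAULT) + 1   # lea ebx, [eax+01]
        ini["BERUN"] = count                          # WritePrivateProfileStringA
        if count > BERUN_LIMIT:                       # jle 004147A4 not taken
            return "expired: BERUN"
    if expiry_packed != 0:                            # [00428760] == 0 skips gate 2
        if pack_date(*today) > expiry_packed:         # jbe 00414806 not taken
            return "expired: date"
    runtime = registry.get("RunTime")
    if runtime is None:                               # RegQueryValueExA failed
        runtime = RUNTIME_INITIAL                     # RunTime=64 via RegSetValueExA
        registry["RunTime"] = runtime
    if runtime not in (0, RUNTIME_FOREVER):
        runtime -= 1                                  # dec eax, written back
        registry["RunTime"] = runtime
    if runtime == 0:                                  # jne 00414831 not taken
        return "expired: RunTime"
    return "ok"
```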
Everyone, got it? What, not yet?! #^$~& Then go and read the 看雪 (PEDIY) tutorials again! How to apply the patch needs no further explanation from me: change 1.1 or 1.2, 2.1 or 2.2, and 3 to unconditional jumps and you're done.
--### Solemn statement ###--
The above is for the exchange of experience only; commercial use is strictly prohibited, please protect the interests of genuine software!
All rights reserved; please keep the article intact!
woLONGwxd 2001-1-20
E-mail: wxdny@263.net
- Title: Reply
- Author: kanxue
- Time: 2011-01-09 10:05:10
- Link: http://bbs.pediy.com/showthread.php?t=127829